#
# Directory patterns (dir)
#
# Parameters:
# 1. domain type
# 2. container (directory) type
# 3. directory type
#
#
# Regular file patterns (file)
#
# Parameters:
# 1. domain type
# 2. container (directory) type
# 3. file type
#
#
# Symbolic link patterns (lnk_file)
#
# Parameters:
# 1. domain type
# 2. container (directory) type
# 3. file type
#
#
# (Un)named Pipes/FIFO patterns (fifo_file)
#
# Parameters:
# 1. domain type
# 2. container (directory) type
# 3. file type
#
#
# (Un)named sockets patterns (sock_file)
#
# Parameters:
# 1. domain type
# 2. container (directory) type
# 3. file type
#
#
# Block device node patterns (blk_file)
#
# Parameters:
# 1. domain type
# 2. container (directory) type
# 3. file type
#
#
# Character device node patterns (chr_file)
#
# Parameters:
# 1. domain type
# 2. container (directory) type
# 3. file type
#
#
# File type_transition patterns
#
# pattern(domain,dirtype,newtype,class(es))
#
#
# unix domain socket patterns
#
########################################
#
# Macros for switching between source policy
# and loadable policy module support
#
##############################
#
# For adding the module statement
#
##############################
#
# For use in interfaces, to optionally insert a require block
#
# helper function, since m4 will not expand macros
# if a line is a comment (#):
##############################
#
# In the future interfaces should be in loadable modules
#
# template(name,rules)
#
##############################
#
# In the future interfaces should be in loadable modules
#
# interface(name,rules)
#
##############################
#
# Optional policy handling
#
##############################
#
# Determine if we should use the default
# tunable value as specified by the policy
# or if the override value should be used
#
##############################
#
# Extract booleans out of an expression.
# This needs to be reworked so expressions
# with parentheses can work.
##############################
#
# Tunable declaration
#
##############################
#
# Tunable policy handling
#
########################################
#
# Helper macros
#
#
# shiftn(num,list...)
#
# shift the list num times
#
#
# ifndef(expr,true_block,false_block)
#
# m4 does not have this.
#
#
# __endline__
#
# dummy macro to insert a newline. used for
# errprint, so the close parentheses can be
# indented correctly.
#
########################################
#
# refpolwarn(message)
#
# print a warning message
#
########################################
#
# refpolerr(message)
#
# print an error message. does not
# make anything fail.
#
########################################
#
# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_categories])
#
########################################
#
# gen_context(context,mls_sensitivity,[mcs_categories])
#
########################################
#
# can_exec(domain,executable)
#
########################################
#
# gen_bool(name,default_value)
#
#
# Specified domain transition patterns
#
# compatibility:
#
# Automatic domain transition patterns
#
# compatibility:
#
# Other process permissions
#
########################################
#
# gen_cats(N)
#
# declares categories c0 to c(N-1)
#
########################################
#
# gen_sens(N)
#
# declares sensitivities s0 to s(N-1) with dominance
# in increasing numeric order with s0 lowest, s(N-1) highest
#
########################################
#
# gen_levels(N,M)
#
# levels from s0 to (N-1) with categories c0 to (M-1)
#
########################################
#
# Basic level names for system low and high
#
########################################
#
# Support macros for sets of object classes and permissions
#
# This file should only have object class and permission set macros - they
# can only reference object classes and/or permissions.
#
# All directory and file classes
#
#
# All non-directory file classes.
#
#
# Non-device file classes.
#
#
# Device file classes.
#
#
# All socket classes.
#
#
# Datagram socket classes.
#
#
# Stream socket classes.
#
#
# Unprivileged socket classes (exclude rawip, netlink, packet).
#
########################################
#
# Macros for sets of permissions
#
#
# Permissions for getting file attributes.
#
#
# Permissions for executing files.
#
#
# Permissions for reading files and their attributes.
#
#
# Permissions for reading and executing files.
#
#
# Permissions for reading and appending to files.
#
#
# Permissions for linking, unlinking and renaming files.
#
#
# Permissions for creating lnk_files.
#
#
# Permissions for creating and using files.
#
#
# Permissions for reading directories and their attributes.
#
#
# Permissions for reading and writing directories and their attributes.
#
#
# Permissions for reading and adding names to directories.
#
#
# Permissions for creating and using directories.
#
#
# Permissions to mount and unmount file systems.
#
#
# Permissions for using sockets.
#
#
# Permissions for creating and using sockets.
#
#
# Permissions for using stream sockets.
#
#
# Permissions for creating and using stream sockets.
#
#
# Permissions for creating and using sockets.
#
#
# Permissions for creating and using sockets.
#
#
# Permissions for creating and using netlink sockets.
#
#
# Permissions for using netlink sockets for operations that modify state.
#
#
# Permissions for using netlink sockets for operations that observe state.
#
#
# Permissions for sending all signals.
#
#
# Permissions for sending and receiving network packets.
#
#
# Permissions for using System V IPC
#
########################################
#
# New permission sets
#
#
# Directory
#
#
# File
#
#
# Use (read and write) terminals
#
#
# Sockets
#
########################################
#
# New permission sets
#
#
# Directory (dir)
#
#
# Regular file (file)
#
#
# Symbolic link (lnk_file)
#
#
# (Un)named Pipes/FIFOs (fifo_file)
#
#
# (Un)named Sockets (sock_file)
#
#
# Block device nodes (blk_file)
#
#
# Character device nodes (chr_file)
#
########################################
#
# Special permission sets
#
#
# Use (read and write) terminals
#
#
# Sockets
#
## Berkeley process accounting
########################################
##
## Transition to the accounting management domain.
##
##
##
## Domain allowed access.
##
##
#
define(`acct_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `acct_domtrans'($*)) dnl
gen_require(`
type acct_t, acct_exec_t;
')
# Arg 1 is the calling domain. It gets search on the sbin path so it can
# reach acct_exec_t, and domain_auto_trans sets up the automatic
# transition into acct_t on exec.
corecmd_search_sbin($1)
domain_auto_trans($1,acct_exec_t,acct_t)
# Parent/child back-channel: inherited fds in both directions, the
# unnamed pipe, and SIGCHLD back to the caller. The fd rule is granted
# both ways here, unlike amtu_domtrans and backup_domtrans below.
allow $1 acct_t:fd use;
allow acct_t $1:fd use;
allow acct_t $1:fifo_file rw_file_perms;
allow acct_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `acct_domtrans'($*)) dnl
')
########################################
##
## Execute accounting management tools in the caller domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`acct_exec',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `acct_exec'($*)) dnl
gen_require(`
type acct_exec_t;
')
# Arg 1 is the calling domain. No domain transition here: can_exec runs
# the accounting tools inside the caller domain, so they operate with
# whatever the caller is already allowed. Prefer acct_domtrans when the
# tools should be confined separately.
corecmd_search_sbin($1)
can_exec($1,acct_exec_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `acct_exec'($*)) dnl
')
########################################
##
## Execute accounting management data in the caller domain.
##
##
##
## The type of the process performing this action.
##
##
#
# cjp: this is added for logrotate, and does
# not make sense to me.
define(`acct_exec_data',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `acct_exec_data'($*)) dnl
gen_require(`
type acct_data_t;
')
# Arg 1 is the calling domain. This grants execute (can_exec) on the
# accounting data type, not on an executable type; the note above
# records that the reason (logrotate) is unclear. Worth confirming that
# execute is really required rather than read/write on the data files.
files_search_var($1)
can_exec($1,acct_data_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `acct_exec_data'($*)) dnl
')
########################################
##
## Create, read, write, and delete process accounting data.
##
##
##
## The type of the process performing this action.
##
##
#
define(`acct_manage_data',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `acct_manage_data'($*)) dnl
gen_require(`
type acct_data_t;
')
# Arg 1 is the calling domain. Full management of the accounting data
# type: files_search_var (presumably search on /var) to reach it, rw on
# its directories, and the create permission sets on its files and
# symlinks.
files_search_var($1)
allow $1 acct_data_t:dir rw_dir_perms;
allow $1 acct_data_t:file create_file_perms;
allow $1 acct_data_t:lnk_file create_lnk_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `acct_manage_data'($*)) dnl
')
## Ainit ALSA configuration tool
########################################
##
## Domain transition to alsa
##
##
##
## Domain allowed access.
##
##
#
define(`alsa_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `alsa_domtrans'($*)) dnl
gen_require(`
type alsa_t;
type alsa_exec_t;
')
# Arg 1 is the calling domain; domain_auto_trans sets up the automatic
# transition into alsa_t on exec of alsa_exec_t. Unlike acct_domtrans
# there is no search rule for the executable directory, so the caller
# must already be able to reach alsa_exec_t.
domain_auto_trans($1, alsa_exec_t, alsa_t)
# Parent/child back-channel: fds both ways, the unnamed pipe, SIGCHLD.
allow $1 alsa_t:fd use;
allow alsa_t $1:fd use;
allow alsa_t $1:fifo_file rw_file_perms;
allow alsa_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `alsa_domtrans'($*)) dnl
')
########################################
##
## Allow read and write access to alsa semaphores.
##
##
##
## Domain allowed access.
##
##
#
define(`alsa_rw_semaphores',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `alsa_rw_semaphores'($*)) dnl
gen_require(`
type alsa_t;
')
# Arg 1 is the calling domain. SysV semaphore access to sets owned by
# alsa_t: associate, read/write, and the unix_read/unix_write IPC
# variants. Create and destroy are deliberately not in this set.
allow $1 alsa_t:sem { unix_read unix_write associate read write };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `alsa_rw_semaphores'($*)) dnl
')
########################################
##
## Allow read and write access to alsa shared memory.
##
##
##
## Domain allowed access.
##
##
#
define(`alsa_rw_shared_mem',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `alsa_rw_shared_mem'($*)) dnl
gen_require(`
type alsa_t;
')
# Arg 1 is the calling domain. Besides unix_read/unix_write this expands
# create_shm_perms, so despite the rw name the grant likely includes
# create and destroy of alsa_t shared memory (the set is defined outside
# this file). Confirm the wider set is intended; compare the narrower
# alsa_rw_semaphores above.
allow $1 alsa_t:shm { unix_read unix_write create_shm_perms };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `alsa_rw_shared_mem'($*)) dnl
')
########################################
##
## Read alsa writable config files.
##
##
##
## Domain allowed access.
##
##
#
define(`alsa_read_rw_config',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `alsa_read_rw_config'($*)) dnl
gen_require(`
type alsa_etc_rw_t;
')
# Arg 1 is the calling domain. Read-only access to the alsa writable
# config type: read its directories and files, and getattr/read only on
# symlinks. Nothing here lets the caller modify the config.
allow $1 alsa_etc_rw_t:dir r_dir_perms;
allow $1 alsa_etc_rw_t:file r_file_perms;
allow $1 alsa_etc_rw_t:lnk_file { getattr read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `alsa_read_rw_config'($*)) dnl
')
## Automated backup program.
########################################
##
## Execute amrecover in the amanda_recover domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`amanda_domtrans_recover',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `amanda_domtrans_recover'($*)) dnl
gen_require(`
type amanda_recover_t, amanda_recover_exec_t;
')
# Arg 1 is the calling domain; domain_auto_trans sets up the automatic
# transition into amanda_recover_t on exec of amanda_recover_exec_t.
# No search rule for the executable directory is granted here.
domain_auto_trans($1,amanda_recover_exec_t,amanda_recover_t)
# Parent/child back-channel: fds both ways, the unnamed pipe, SIGCHLD.
allow $1 amanda_recover_t:fd use;
allow amanda_recover_t $1:fd use;
allow amanda_recover_t $1:fifo_file rw_file_perms;
allow amanda_recover_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `amanda_domtrans_recover'($*)) dnl
')
########################################
##
## Execute amrecover in the amanda_recover domain, and
## allow the specified role the amanda_recover domain.
##
##
##
## The type of the process performing this action.
##
##
##
##
## The role to be allowed the amanda_recover domain.
##
##
##
##
## The type of the terminal the amanda_recover domain is allowed to use.
##
##
##
#
define(`amanda_run_recover',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `amanda_run_recover'($*)) dnl
gen_require(`
type amanda_recover_t;
')
# Arg 1 = calling domain, arg 2 = role, arg 3 = terminal type.
# The transition itself comes from amanda_domtrans_recover; this adds
# the role authorization for amanda_recover_t and read/write on the
# terminal passed as arg 3 so the interactive tool can use it.
amanda_domtrans_recover($1)
role $2 types amanda_recover_t;
allow amanda_recover_t $3:chr_file rw_term_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `amanda_run_recover'($*)) dnl
')
########################################
##
## Search amanda library directories.
##
##
##
## The type of the process performing this action.
##
##
#
define(`amanda_search_lib',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `amanda_search_lib'($*)) dnl
gen_require(`
type amanda_usr_lib_t;
')
# Arg 1 is the calling domain. Bare search on the amanda library
# directory type plus files_search_usr to reach it. Note this uses the
# single search permission while amanda_search_var_lib below uses
# search_dir_perms; the two could be made consistent.
allow $1 amanda_usr_lib_t:dir search;
files_search_usr($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `amanda_search_lib'($*)) dnl
')
########################################
##
## Search amanda var library directories.
##
##
##
## The type of the process performing this action.
##
##
#
define(`amanda_search_var_lib',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `amanda_search_var_lib'($*)) dnl
gen_require(`
type amanda_var_lib_t;
')
# Arg 1 is the calling domain. Traverse-only access: files_search_var_lib
# to reach the tree, then search_dir_perms on the amanda var lib type.
# No read of directory contents or files is granted.
files_search_var_lib($1)
allow $1 amanda_var_lib_t:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `amanda_search_var_lib'($*)) dnl
')
########################################
##
## Do not audit attempts to read /etc/dumpdates.
##
##
##
## Domain to not audit.
##
##
#
define(`amanda_dontaudit_read_dumpdates',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `amanda_dontaudit_read_dumpdates'($*)) dnl
gen_require(`
type amanda_dumpdates_t;
')
# Arg 1 is the domain whose denials are silenced. dontaudit grants
# nothing; it only keeps getattr/read denials on amanda_dumpdates_t out
# of the audit log. Keep the set this narrow, since silenced denials
# are invisible to log-based detection.
dontaudit $1 amanda_dumpdates_t:file { getattr read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `amanda_dontaudit_read_dumpdates'($*)) dnl
')
########################################
##
## Allow read/writing /etc/dumpdates.
##
##
##
## Domain to allow
##
##
#
define(`amanda_rw_dumpdates_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `amanda_rw_dumpdates_files'($*)) dnl
gen_require(`
type amanda_dumpdates_t;
')
# Arg 1 is the calling domain. Read and write the dumpdates file type
# (file class only: no create or unlink, and no rule for its directory,
# which the caller must already be able to search).
allow $1 amanda_dumpdates_t:file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `amanda_rw_dumpdates_files'($*)) dnl
')
########################################
##
## Allow read/writing amanda logs
##
##
##
## Domain to allow
##
##
#
define(`amanda_append_log_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `amanda_append_log_files'($*)) dnl
gen_require(`
type amanda_log_t;
')
# Arg 1 is the calling domain. ra_file_perms is the read-and-append set,
# so the caller can add to amanda logs but has no plain write on them.
# This matches the interface name rather than the read/write wording of
# the summary above.
allow $1 amanda_log_t:file ra_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `amanda_append_log_files'($*)) dnl
')
########################################
##
## Search amanda library directories.
##
##
##
## The type of the process performing this action.
##
##
#
define(`amanda_manage_lib',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `amanda_manage_lib'($*)) dnl
gen_require(`
type amanda_usr_lib_t;
')
# Arg 1 is the calling domain. Despite the summary above (Search ...),
# this grants the full manage_dir_perms set on the amanda library
# directory type, not just search. Callers that only need to traverse
# the tree should use amanda_search_lib instead.
allow $1 amanda_usr_lib_t:dir manage_dir_perms;
files_search_usr($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `amanda_manage_lib'($*)) dnl
')
##
## Abstract Machine Test Utility
##
########################################
##
## Execute amtu in the amtu domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`amtu_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `amtu_domtrans'($*)) dnl
gen_require(`
type amtu_t, amtu_exec_t;
')
# Arg 1 is the calling domain. Search on the sbin path to reach
# amtu_exec_t, then domain_auto_trans for the automatic transition
# into amtu_t on exec.
corecmd_search_sbin($1)
domain_auto_trans($1,amtu_exec_t,amtu_t)
# Child-to-parent back-channel only: amtu_t may use inherited caller
# fds, the unnamed pipe, and send SIGCHLD. The reverse fd rule present
# in acct_domtrans and alsa_domtrans is not granted here.
allow amtu_t $1:fd use;
allow amtu_t $1:fifo_file rw_file_perms;
allow amtu_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `amtu_domtrans'($*)) dnl
')
########################################
##
## Execute amtu in the amtu domain, and
## allow the specified role the amtu domain.
##
##
##
## The type of the process performing this action.
##
##
##
##
## The role to be allowed the amtu domain.
##
##
##
##
## The type of the terminal the amtu domain is allowed to use.
##
##
#
define(`amtu_run',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `amtu_run'($*)) dnl
gen_require(`
type amtu_t;
')
# Arg 1 = calling domain, arg 2 = role, arg 3 = terminal type.
# amtu_domtrans supplies the transition; this adds the role
# authorization for amtu_t and read/write on the terminal in arg 3.
amtu_domtrans($1)
role $2 types amtu_t;
allow amtu_t $3:chr_file rw_term_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `amtu_run'($*)) dnl
')
## Policy for the Anaconda installer.
## APT advanced package tool.
########################################
##
## Execute apt programs in the apt domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`apt_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `apt_domtrans'($*)) dnl
gen_require(`
type apt_t, apt_exec_t;
')
# Arg 1 is the calling domain. Search on /usr and the bin path so it can
# reach apt_exec_t, then domain_auto_trans for the automatic transition
# into apt_t on exec.
files_search_usr($1)
corecmd_search_bin($1)
domain_auto_trans($1,apt_exec_t,apt_t)
# allow basic communication
# (fds both ways, the unnamed pipe, and SIGCHLD back to the caller)
allow $1 apt_t:fd use;
allow apt_t $1:fd use;
allow apt_t $1:fifo_file rw_file_perms;
allow apt_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `apt_domtrans'($*)) dnl
')
########################################
##
## Execute apt programs in the apt domain.
##
##
##
## The type of the process performing this action.
##
##
##
##
## The role to allow the apt domain.
##
##
##
##
## The type of the terminal the apt domain is allowed to use.
##
##
##
#
define(`apt_run',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `apt_run'($*)) dnl
gen_require(`
type apt_t;
')
# Arg 1 = calling domain, arg 2 = role, arg 3 = terminal type.
# apt_domtrans supplies the transition; this adds the role
# authorization for apt_t and read/write on the terminal in arg 3.
apt_domtrans($1)
role $2 types apt_t;
allow apt_t $3:chr_file rw_term_perms;
# TODO: likely have to add dpkg_run here.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `apt_run'($*)) dnl
')
########################################
##
## Inherit and use file descriptors from apt.
##
##
##
## The type of the process performing this action.
##
##
#
define(`apt_use_fds',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `apt_use_fds'($*)) dnl
gen_require(`
type apt_t;
')
# Arg 1 is the calling domain. Lets it use file descriptors inherited
# from apt_t (for helpers apt spawns). Only the fd class is granted;
# what the fd refers to still needs its own object permissions.
allow $1 apt_t:fd use;
# TODO: enforce dpkg_use_fd?
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `apt_use_fds'($*)) dnl
')
########################################
##
## Read from an unnamed apt pipe.
##
##
##
## The type of the process performing this action.
##
##
#
define(`apt_read_pipes',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `apt_read_pipes'($*)) dnl
gen_require(`
type apt_t;
')
# Arg 1 is the calling domain. Read side only of pipes labeled apt_t
# (r_file_perms on fifo_file); see apt_rw_pipes for the writable form.
allow $1 apt_t:fifo_file r_file_perms;
# TODO: enforce dpkg_read_pipes?
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `apt_read_pipes'($*)) dnl
')
########################################
##
## Read and write an unnamed apt pipe.
##
##
##
## The type of the process performing this action.
##
##
#
define(`apt_rw_pipes',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `apt_rw_pipes'($*)) dnl
gen_require(`
type apt_t;
')
# Arg 1 is the calling domain. Read and write pipes labeled apt_t
# (rw_file_perms on fifo_file). Prefer apt_read_pipes when the caller
# only consumes apt output.
allow $1 apt_t:fifo_file rw_file_perms;
# TODO: enforce dpkg_rw_pipes?
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `apt_rw_pipes'($*)) dnl
')
########################################
##
## Read the apt package database.
##
##
##
## The type of the process performing this action.
##
##
#
define(`apt_read_db',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `apt_read_db'($*)) dnl
gen_require(`
type apt_var_lib_t;
')
# Arg 1 is the calling domain. Read-only view of the apt database type:
# files_search_var_lib to reach it, r_dir_perms on directories,
# getattr/read on files. Note the asymmetry below: lnk_file gets the
# wider r_file_perms while file gets only getattr/read. That looks
# accidental; confirm which set was intended before changing either.
files_search_var_lib($1)
allow $1 apt_var_lib_t:dir r_dir_perms;
allow $1 apt_var_lib_t:file { getattr read };
allow $1 apt_var_lib_t:lnk_file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `apt_read_db'($*)) dnl
')
########################################
##
## Create, read, write, and delete the apt package database.
##
##
##
## The type of the process performing this action.
##
##
#
define(`apt_manage_db',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `apt_manage_db'($*)) dnl
gen_require(`
type apt_var_lib_t;
')
# Arg 1 is the calling domain. Write access to the apt database type,
# spelled out explicitly instead of via create_file_perms and
# create_lnk_perms: the file set here has no setattr, rename, link or
# lock, and lnk_file gets getattr/read/write/unlink. Keep these explicit
# sets unless a real denial shows more is needed; note that
# apt_dontaudit_manage_db below silences the wider create_* sets.
files_search_var_lib($1)
allow $1 apt_var_lib_t:dir rw_dir_perms;
allow $1 apt_var_lib_t:file { getattr create read write append unlink };
allow $1 apt_var_lib_t:lnk_file { getattr read write unlink };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `apt_manage_db'($*)) dnl
')
########################################
##
## Do not audit attempts to create, read,
## write, and delete the apt package database.
##
##
##
## Domain to not audit.
##
##
#
define(`apt_dontaudit_manage_db',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `apt_dontaudit_manage_db'($*)) dnl
gen_require(`
type apt_var_lib_t;
')
# Arg 1 is the domain whose denials are silenced. Nothing is granted;
# denials for rw_dir_perms, create_file_perms and create_lnk_perms on
# the apt database type are simply dropped from the audit log. These
# sets are wider than what apt_manage_db actually allows, so any
# unexpected write attempt on the database from this domain will not
# be visible to log-based detection.
dontaudit $1 apt_var_lib_t:dir rw_dir_perms;
dontaudit $1 apt_var_lib_t:file create_file_perms;
dontaudit $1 apt_var_lib_t:lnk_file create_lnk_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `apt_dontaudit_manage_db'($*)) dnl
')
## System backup scripts
########################################
##
## Execute backup in the backup domain.
##
##
##
## Domain allowed access.
##
##
#
define(`backup_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `backup_domtrans'($*)) dnl
gen_require(`
type backup_t, backup_exec_t;
')
# Arg 1 is the calling domain; domain_auto_trans sets up the automatic
# transition into backup_t on exec of backup_exec_t. No search rule for
# the executable directory is granted here.
domain_auto_trans($1,backup_exec_t,backup_t)
# Child-to-parent back-channel only (as in amtu_domtrans): backup_t may
# use inherited caller fds, the unnamed pipe, and send SIGCHLD.
allow backup_t $1:fd use;
allow backup_t $1:fifo_file rw_file_perms;
allow backup_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `backup_domtrans'($*)) dnl
')
########################################
##
## Execute backup in the backup domain, and
## allow the specified role the backup domain.
##
##
##
## The type of the process performing this action.
##
##
##
##
## The role to be allowed the backup domain.
##
##
##
##
## Domain allowed access.
##
##
##
#
define(`backup_run',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `backup_run'($*)) dnl
gen_require(`
type backup_t;
')
# Arg 1 = calling domain, arg 2 = role, arg 3 = terminal type.
# The header above describes arg 3 as a domain, but the rule below
# applies it as a chr_file terminal type, like the other *_run
# interfaces in this file.
backup_domtrans($1)
role $2 types backup_t;
allow backup_t $3:chr_file rw_term_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `backup_run'($*)) dnl
')
## Policy for the kernel modules, kernel image, and bootloader.
########################################
##
## Execute bootloader in the bootloader domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`bootloader_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `bootloader_domtrans'($*)) dnl
gen_require(`
type bootloader_t, bootloader_exec_t;
')
# Arg 1 is the calling domain; domain_auto_trans sets up the automatic
# transition into bootloader_t on exec of bootloader_exec_t. No search
# rule for the executable directory is granted here. Since bootloader_t
# can rewrite what the machine boots, keep the set of callers small.
domain_auto_trans($1, bootloader_exec_t, bootloader_t)
# Parent/child back-channel: fds both ways, the unnamed pipe, SIGCHLD.
allow $1 bootloader_t:fd use;
allow bootloader_t $1:fd use;
allow bootloader_t $1:fifo_file rw_file_perms;
allow bootloader_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `bootloader_domtrans'($*)) dnl
')
########################################
##
## Execute bootloader interactively and do
## a domain transition to the bootloader domain.
##
##
##
## The type of the process performing this action.
##
##
##
##
## The role to be allowed the bootloader domain.
##
##
##
##
## The type of the terminal the bootloader domain is allowed to use.
##
##
##
#
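define(`bootloader_run',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `bootloader_run'($*)) dnl
gen_require(`
type bootloader_t;
')
# Arg 1 = calling domain, arg 2 = role, arg 3 = terminal type.
# bootloader_domtrans supplies the transition; this adds the role
# authorization for bootloader_t and terminal access for arg 3.
bootloader_domtrans($1)
role $2 types bootloader_t;
# Terminal access uses rw_term_perms, the same set as every other
# *_run interface in this file (amanda_run_recover, amtu_run, apt_run,
# backup_run). This interface was the only one applying the
# file-oriented rw_file_perms set to a chr_file terminal.
allow bootloader_t $3:chr_file rw_term_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `bootloader_run'($*)) dnl
')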
########################################
##
## Read the bootloader configuration file.
##
##
##
## The type of the process performing this action.
##
##
#
define(`bootloader_read_config',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `bootloader_read_config'($*)) dnl
gen_require(`
type bootloader_etc_t;
')
# Arg 1 is the calling domain. Read-only access to the bootloader
# config file type. No directory rule is granted, so the caller must
# already be able to search the directory containing the file.
allow $1 bootloader_etc_t:file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `bootloader_read_config'($*)) dnl
')
########################################
##
## Read and write the bootloader
## configuration file.
##
##
##
## The type of the process performing this action.
##
##
##
#
define(`bootloader_rw_config',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `bootloader_rw_config'($*)) dnl
gen_require(`
type bootloader_etc_t;
')
# Arg 1 is the calling domain. Read and write the bootloader config
# file type (file class only; no create or unlink, no directory rule).
# Writing boot configuration decides what the system boots next, so
# grant this only to domains that genuinely administer the bootloader.
allow $1 bootloader_etc_t:file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `bootloader_rw_config'($*)) dnl
')
########################################
##
## Read and write the bootloader
## temporary data in /tmp.
##
##
##
## The type of the process performing this action.
##
##
#
define(`bootloader_rw_tmp_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `bootloader_rw_tmp_files'($*)) dnl
gen_require(`
type bootloader_tmp_t;
')
# FIXME: read tmp_t dir
# Arg 1 is the calling domain. Read and write bootloader temp files
# (file class only). As the FIXME says, no rule lets the caller search
# or read the /tmp directory itself, so a caller without that access
# elsewhere will still be denied.
allow $1 bootloader_tmp_t:file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `bootloader_rw_tmp_files'($*)) dnl
')
########################################
##
## Read and write the bootloader
## temporary data in /tmp.
##
##
##
## The type of the process performing this action.
##
##
#
define(`bootloader_create_runtime_file',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `bootloader_create_runtime_file'($*)) dnl
gen_require(`
type boot_t, boot_runtime_t;
')
# Arg 1 is the calling domain. Despite the /tmp wording of the summary
# above, this interface is about boot_t (presumably /boot): rw on boot_t
# directories, create/rw/unlink on boot_runtime_t files, and a
# type_transition so files the caller creates in boot_t directories are
# labeled boot_runtime_t rather than boot_t. Note rw_dir_perms on boot_t
# lets the caller add and remove names in the boot directory itself.
allow $1 boot_t:dir rw_dir_perms;
allow $1 boot_runtime_t:file { rw_file_perms create unlink };
type_transition $1 boot_t:file boot_runtime_t;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `bootloader_create_runtime_file'($*)) dnl
')
## Utilities for configuring the linux ethernet bridge
########################################
##
## Execute a domain transition to run brctl.
##
##
##
## Domain allowed to transition.
##
##
#
define(`brctl_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `brctl_domtrans'($*)) dnl
gen_require(`
type brctl_t, brctl_exec_t;
')
# Arg 1 is the calling domain. This uses the domtrans_pattern helper
# (defined outside this file) instead of the domain_auto_trans plus
# hand-written fd/fifo/sigchld rules used by the other *_domtrans
# interfaces here; the exact back-channel rules it emits are therefore
# not visible in this file.
domtrans_pattern($1, brctl_exec_t, brctl_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `brctl_domtrans'($*)) dnl
')
## Digital Certificate Tracking
########################################
##
## Domain transition to certwatch.
##
##
##
## Domain allowed access.
##
##
#
define(`certwatch_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `certwatch_domtrans'($*)) dnl
gen_require(`
type certwatch_exec_t, certwatch_t;
')
# Interface: certwatch_domtrans(domain)
# Domain transition from the caller into certwatch_t when it executes
# certwatch_exec_t. The caller is given search on the usr and sbin
# trees so it can reach the executable.
files_search_usr($1)
corecmd_search_sbin($1)
domain_auto_trans($1,certwatch_exec_t,certwatch_t)
# Parent/child plumbing: both sides may use the others inherited fds,
# the child may read/write pipes owned by the caller and report exit
# via sigchld.
allow $1 certwatch_t:fd use;
allow certwatch_t $1:fd use;
allow certwatch_t $1:fifo_file rw_file_perms;
allow certwatch_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `certwatch_domtrans'($*)) dnl
')
########################################
##
## Execute certwatch in the certwatch domain, and
## allow the specified role the certwatch domain,
## and use the caller's terminal. Has a sigchld
## backchannel.
##
##
##
## The type of the process performing this action.
##
##
##
##
## The role to be allowed the certwatch domain.
##
##
##
##
## The type of the terminal allow the certwatch domain to use.
##
##
##
#
define(`certwatach_run',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `certwatach_run'($*)) dnl
gen_require(`
type certwatch_t;
')
# Interface: certwatach_run(domain, role, terminal)
# NOTE(review): the interface name is misspelled (certwatach, not
# certwatch). It is kept as-is because callers depend on it; a
# rename would need a compatibility alias.
# Transition as in certwatch_domtrans, authorize the role for
# certwatch_t, and let certwatch_t read/write the given terminal
# type (intended to be the controlling tty of the caller).
certwatch_domtrans($1)
role $2 types certwatch_t;
allow certwatch_t $3:chr_file rw_term_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `certwatach_run'($*)) dnl
')
##
## Determine the type of console connected to the controlling terminal.
##
########################################
##
## Execute consoletype in the consoletype domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`consoletype_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `consoletype_domtrans'($*)) dnl
gen_require(`
type consoletype_t, consoletype_exec_t;
')
# Interface: consoletype_domtrans(domain)
# Domain transition from the caller into consoletype_t on execution
# of consoletype_exec_t; search on the sbin tree lets the caller
# reach the executable.
corecmd_search_sbin($1)
domain_auto_trans($1,consoletype_exec_t,consoletype_t)
# Parent/child plumbing: shared inherited fds, child read/write on
# the pipes of the caller, and the sigchld backchannel.
allow $1 consoletype_t:fd use;
allow consoletype_t $1:fd use;
allow consoletype_t $1:fifo_file rw_file_perms;
allow consoletype_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `consoletype_domtrans'($*)) dnl
')
########################################
##
## Execute consoletype in the consoletype domain, and
## allow the specified role the consoletype domain.
##
##
##
## The type of the process performing this action.
##
##
##
##
## The role to be allowed the consoletype domain.
##
##
##
##
## The type of the terminal allow the consoletype domain to use.
##
##
#
define(`consoletype_run',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `consoletype_run'($*)) dnl
gen_require(`
type consoletype_t;
')
# Interface: consoletype_run(domain, role, terminal)
# Transition as in consoletype_domtrans, authorize the role for
# consoletype_t, and let consoletype_t read/write the given terminal
# type (intended to be the controlling tty of the caller).
consoletype_domtrans($1)
role $2 types consoletype_t;
allow consoletype_t $3:chr_file rw_term_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `consoletype_run'($*)) dnl
')
########################################
##
## Execute consoletype in the caller domain.
##
##
##
## The type of the process performing this action.
##
##
##
#
define(`consoletype_exec',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `consoletype_exec'($*)) dnl
gen_require(`
type consoletype_exec_t;
')
# Interface: consoletype_exec(domain)
# Execute consoletype_exec_t without a domain transition: the program
# runs with the full permissions of the caller domain, so prefer
# consoletype_domtrans where confinement of the child matters.
corecmd_search_sbin($1)
can_exec($1,consoletype_exec_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `consoletype_exec'($*)) dnl
')
## ddcprobe retrieves monitor and graphics card information
########################################
##
## Execute ddcprobe in the ddcprobe domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`ddcprobe_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ddcprobe_domtrans'($*)) dnl
gen_require(`
type ddcprobe_t, ddcprobe_exec_t;
')
# Interface: ddcprobe_domtrans(domain)
# Domain transition from the caller into ddcprobe_t on execution of
# ddcprobe_exec_t. No directory search is granted here; the caller is
# expected to already be able to reach the executable.
domain_auto_trans($1,ddcprobe_exec_t,ddcprobe_t)
# Parent/child plumbing: shared inherited fds, child read/write on
# the pipes of the caller, and the sigchld backchannel.
allow $1 ddcprobe_t:fd use;
allow ddcprobe_t $1:fd use;
allow ddcprobe_t $1:fifo_file rw_file_perms;
allow ddcprobe_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ddcprobe_domtrans'($*)) dnl
')
########################################
##
## Execute ddcprobe in the ddcprobe domain, and
## allow the specified role the ddcprobe domain.
##
##
##
## The type of the process performing this action.
##
##
##
##
## The role to be allowed the ddcprobe domain.
##
##
##
##
## The type of the terminal allow the ddcprobe domain to use.
##
##
##
#
define(`ddcprobe_run',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ddcprobe_run'($*)) dnl
gen_require(`
type ddcprobe_t;
')
# Interface: ddcprobe_run(domain, role, terminal)
# Transition as in ddcprobe_domtrans, authorize the role for
# ddcprobe_t, and let ddcprobe_t read/write the given terminal type
# (intended to be the controlling tty of the caller).
ddcprobe_domtrans($1)
role $2 types ddcprobe_t;
allow ddcprobe_t $3:chr_file rw_term_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ddcprobe_run'($*)) dnl
')
## Policy for dmesg.
########################################
##
## Execute dmesg in the dmesg domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`dmesg_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dmesg_domtrans'($*)) dnl
ifdef(`targeted_policy',`
gen_require(`
type dmesg_exec_t;
')
# $0(): disabled in targeted policy as there
# is no dmesg domain.
# Callers get no rules at all from this branch, so in targeted
# builds dmesg is not confined by a transition; they must not rely
# on a separate dmesg_t here.
',`
gen_require(`
type dmesg_t, dmesg_exec_t;
')
# Interface: dmesg_domtrans(domain)
# Domain transition from the caller into dmesg_t on execution of
# dmesg_exec_t, with sbin search so the executable is reachable.
corecmd_search_sbin($1)
domain_auto_trans($1,dmesg_exec_t,dmesg_t)
# Parent/child plumbing: shared inherited fds, child read/write on
# the pipes of the caller, and the sigchld backchannel.
allow $1 dmesg_t:fd use;
allow dmesg_t $1:fd use;
allow dmesg_t $1:fifo_file rw_file_perms;
allow dmesg_t $1:process sigchld;
')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dmesg_domtrans'($*)) dnl
')
########################################
##
## Execute dmesg in the caller domain.
##
##
##
## The type of the process performing this action.
##
##
##
#
define(`dmesg_exec',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dmesg_exec'($*)) dnl
ifdef(`targeted_policy',`
# $0(): the dmesg program is an alias
# of generic bin programs.
# Note this grants execution of every generic bin program, not only
# dmesg, because there is no separate dmesg_exec_t label to target.
corecmd_exec_bin($1)
',`
gen_require(`
type dmesg_exec_t;
')
# Interface: dmesg_exec(domain)
# Execute dmesg_exec_t in the caller domain (no transition); the
# program then runs with the full permissions of the caller.
corecmd_search_sbin($1)
can_exec($1,dmesg_exec_t)
')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dmesg_exec'($*)) dnl
')
## Decode DMI data for x86/ia64 bioses.
########################################
##
## Execute dmidecode in the dmidecode domain.
##
##
##
## Domain allowed access.
##
##
#
define(`dmidecode_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dmidecode_domtrans'($*)) dnl
gen_require(`
type dmidecode_t, dmidecode_exec_t;
')
# Interface: dmidecode_domtrans(domain)
# Domain transition from the caller into dmidecode_t on execution of
# dmidecode_exec_t. No directory search is granted; the caller must
# already be able to reach the executable.
domain_auto_trans($1,dmidecode_exec_t,dmidecode_t)
# Parent/child plumbing: shared inherited fds, child read/write on
# the pipes of the caller, and the sigchld backchannel.
allow $1 dmidecode_t:fd use;
allow dmidecode_t $1:fd use;
allow dmidecode_t $1:fifo_file rw_file_perms;
allow dmidecode_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dmidecode_domtrans'($*)) dnl
')
########################################
##
## Execute dmidecode in the dmidecode domain, and
## allow the specified role the dmidecode domain.
##
##
##
## The type of the process performing this action.
##
##
##
##
## The role to be allowed the dmidecode domain.
##
##
##
##
## The type of the terminal allow the dmidecode domain to use.
##
##
##
#
define(`dmidecode_run',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dmidecode_run'($*)) dnl
gen_require(`
type dmidecode_t;
')
# Interface: dmidecode_run(domain, role, terminal)
# Transition as in dmidecode_domtrans, authorize the role for
# dmidecode_t, and let dmidecode_t read/write the given terminal
# type (intended to be the controlling tty of the caller).
dmidecode_domtrans($1)
role $2 types dmidecode_t;
allow dmidecode_t $3:chr_file rw_term_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dmidecode_run'($*)) dnl
')
## Policy for the Debian package manager.
# TODO: need debconf policy
# TODO: need install-menu policy
########################################
##
## Execute dpkg programs in the dpkg domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`dpkg_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dpkg_domtrans'($*)) dnl
gen_require(`
type dpkg_t, dpkg_exec_t;
')
# Interface: dpkg_domtrans(domain)
# Domain transition from the caller into dpkg_t on execution of
# dpkg_exec_t; usr and bin search let the caller reach the binary.
files_search_usr($1)
corecmd_search_bin($1)
domain_auto_trans($1,dpkg_exec_t,dpkg_t)
# allow basic communication
# (shared inherited fds, child read/write on the pipes of the
# caller, and the sigchld backchannel)
allow $1 dpkg_t:fd use;
allow dpkg_t $1:fd use;
allow dpkg_t $1:fifo_file rw_file_perms;
allow dpkg_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dpkg_domtrans'($*)) dnl
')
########################################
##
## Execute dpkg_script programs in the dpkg_script domain.
##
##
##
## Domain allowed access.
##
##
#
define(`dpkg_domtrans_script',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dpkg_domtrans_script'($*)) dnl
gen_require(`
type dpkg_script_t;
')
# Interface: dpkg_domtrans_script(domain)
# Transition the caller into dpkg_script_t when it runs a shell; this
# is how package maintainer scripts get their own domain. The trigger
# is the generic shell executable type, not a dpkg-specific label.
# transition to dpkg script:
corecmd_shell_domtrans($1,dpkg_script_t)
# Parent/child plumbing: shared inherited fds, child read/write on
# the pipes of the caller, and the sigchld backchannel.
allow $1 dpkg_script_t:fd use;
allow dpkg_script_t $1:fd use;
allow dpkg_script_t $1:fifo_file rw_file_perms;
allow dpkg_script_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dpkg_domtrans_script'($*)) dnl
')
########################################
##
## Execute dpkg programs in the dpkg domain.
##
##
##
## The type of the process performing this action.
##
##
##
##
## The role to allow the dpkg domain.
##
##
##
##
## The type of the terminal allow the dpkg domain to use.
##
##
##
#
define(`dpkg_run',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dpkg_run'($*)) dnl
gen_require(`
type dpkg_t, dpkg_script_t;
')
# Interface: dpkg_run(domain, role, terminal)
# Transition as in dpkg_domtrans and authorize the role for both
# dpkg_t and the maintainer-script domain dpkg_script_t.
dpkg_domtrans($1)
role $2 types dpkg_t;
role $2 types dpkg_script_t;
# Maintainer scripts may run load_policy for this role/terminal.
# This is a high-privilege grant: anything installed as a package
# script can replace the loaded policy, so only give this to roles
# that are trusted to install packages.
seutil_run_loadpolicy(dpkg_script_t,$2,$3)
# dpkg_t may read/write the terminal type of the caller.
allow dpkg_t $3:chr_file rw_term_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dpkg_run'($*)) dnl
')
########################################
##
## Inherit and use file descriptors from dpkg.
##
##
##
## The type of the process performing this action.
##
##
#
define(`dpkg_use_fds',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dpkg_use_fds'($*)) dnl
gen_require(`
type dpkg_t;
')
# Interface: dpkg_use_fds(domain)
# Let the caller domain use file descriptors inherited from dpkg_t.
allow $1 dpkg_t:fd use;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dpkg_use_fds'($*)) dnl
')
########################################
##
## Read from an unnamed dpkg pipe.
##
##
##
## The type of the process performing this action.
##
##
#
define(`dpkg_read_pipes',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dpkg_read_pipes'($*)) dnl
gen_require(`
type dpkg_t;
')
# Interface: dpkg_read_pipes(domain)
# Let the caller domain read unnamed pipes created by dpkg_t.
allow $1 dpkg_t:fifo_file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dpkg_read_pipes'($*)) dnl
')
########################################
##
## Read and write an unnamed dpkg pipe.
##
##
##
## The type of the process performing this action.
##
##
#
define(`dpkg_rw_pipes',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dpkg_rw_pipes'($*)) dnl
gen_require(`
type dpkg_t;
')
# Interface: dpkg_rw_pipes(domain)
# Let the caller domain read and write unnamed pipes created by dpkg_t.
allow $1 dpkg_t:fifo_file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dpkg_rw_pipes'($*)) dnl
')
########################################
##
## Inherit and use file descriptors from dpkg scripts.
##
##
##
## The type of the process performing this action.
##
##
#
define(`dpkg_use_script_fds',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dpkg_use_script_fds'($*)) dnl
gen_require(`
type dpkg_script_t;
')
# Interface: dpkg_use_script_fds(domain)
# Let the caller domain use file descriptors inherited from
# dpkg maintainer scripts (dpkg_script_t).
allow $1 dpkg_script_t:fd use;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dpkg_use_script_fds'($*)) dnl
')
########################################
##
## Read the dpkg package database.
##
##
##
## The type of the process performing this action.
##
##
#
define(`dpkg_read_db',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dpkg_read_db'($*)) dnl
gen_require(`
type dpkg_var_lib_t;
')
# Interface: dpkg_read_db(domain)
# Read-only access to the dpkg package database: search the var/lib
# tree, list dpkg_var_lib_t directories, read files and follow
# symlinks there.
files_search_var_lib($1)
allow $1 dpkg_var_lib_t:dir r_dir_perms;
# NOTE(review): files get only getattr and read (no lock/ioctl) while
# symlinks get the full r_file_perms set; confirm this asymmetry is
# intentional.
allow $1 dpkg_var_lib_t:file { getattr read };
allow $1 dpkg_var_lib_t:lnk_file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dpkg_read_db'($*)) dnl
')
########################################
##
## Create, read, write, and delete the dpkg package database.
##
##
##
## The type of the process performing this action.
##
##
#
define(`dpkg_manage_db',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dpkg_manage_db'($*)) dnl
gen_require(`
type dpkg_var_lib_t;
')
# Interface: dpkg_manage_db(domain)
# Full control over the dpkg package database: modify dpkg_var_lib_t
# directories, manage the files in them, and read/write/unlink the
# symlinks. This is the authority to alter the installed-package
# record, so it should go only to the package manager itself.
files_search_var_lib($1)
allow $1 dpkg_var_lib_t:dir rw_dir_perms;
allow $1 dpkg_var_lib_t:file manage_file_perms;
# NOTE(review): symlinks may be unlinked but not created here, while
# dpkg_dontaudit_manage_db silences create_lnk_perms; confirm whether
# create was meant to be granted.
allow $1 dpkg_var_lib_t:lnk_file { getattr read write unlink };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dpkg_manage_db'($*)) dnl
')
########################################
##
## Do not audit attempts to create, read,
## write, and delete the dpkg package database.
##
##
##
## Domain to not audit.
##
##
#
define(`dpkg_dontaudit_manage_db',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dpkg_dontaudit_manage_db'($*)) dnl
gen_require(`
type dpkg_var_lib_t;
')
# Interface: dpkg_dontaudit_manage_db(domain)
# Suppress audit messages for attempts by the caller domain to modify
# the dpkg package database. Nothing is allowed here; the denials
# still happen, they are just not logged. Use sparingly, since it
# also hides genuine misbehaviour from the audit trail.
dontaudit $1 dpkg_var_lib_t:dir rw_dir_perms;
dontaudit $1 dpkg_var_lib_t:file manage_file_perms;
dontaudit $1 dpkg_var_lib_t:lnk_file create_lnk_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dpkg_dontaudit_manage_db'($*)) dnl
')
########################################
##
## Lock the dpkg package database.
##
##
##
## The type of the process performing this action.
##
##
#
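define(`dpkg_lock_db',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dpkg_lock_db'($*)) dnl
gen_require(`
type dpkg_lock_t, dpkg_var_lib_t;
')
# Interface: dpkg_lock_db(domain)
# Let the caller domain take the dpkg database lock: search the
# var/lib tree, list the dpkg_var_lib_t directory, and create, read,
# write, append, unlink and lock files of type dpkg_lock_t.
# dpkg_var_lib_t is referenced below, so it has to appear in the
# require block; otherwise a module calling this interface can fail
# to build with an undeclared type.
files_search_var_lib($1)
allow $1 dpkg_var_lib_t:dir r_dir_perms;
allow $1 dpkg_lock_t:file { getattr create read write append unlink lock };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dpkg_lock_db'($*)) dnl
')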
##
## Final system configuration run during the first boot
## after installation of Red Hat/Fedora systems.
##
########################################
##
## Execute firstboot in the firstboot domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`firstboot_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `firstboot_domtrans'($*)) dnl
gen_require(`
type firstboot_t, firstboot_exec_t;
')
# Interface: firstboot_domtrans(domain)
# Domain transition from the caller into firstboot_t on execution of
# firstboot_exec_t. No directory search is granted; the caller must
# already be able to reach the executable.
domain_auto_trans($1,firstboot_exec_t,firstboot_t)
# Parent/child plumbing: shared inherited fds, child read/write on
# the pipes of the caller, and the sigchld backchannel.
allow $1 firstboot_t:fd use;
allow firstboot_t $1:fd use;
allow firstboot_t $1:fifo_file rw_file_perms;
allow firstboot_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `firstboot_domtrans'($*)) dnl
')
########################################
##
## Execute firstboot in the firstboot domain, and
## allow the specified role the firstboot domain.
##
##
##
## The type of the process performing this action.
##
##
##
##
## The role to be allowed the firstboot domain.
##
##
##
##
## The type of the terminal allow the firstboot domain to use.
##
##
#
define(`firstboot_run',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `firstboot_run'($*)) dnl
gen_require(`
type firstboot_t;
')
# Interface: firstboot_run(domain, role, terminal)
# Transition as in firstboot_domtrans, authorize the role for
# firstboot_t, and let firstboot_t read/write the given terminal
# type (intended to be the controlling tty of the caller).
firstboot_domtrans($1)
role $2 types firstboot_t;
allow firstboot_t $3:chr_file rw_term_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `firstboot_run'($*)) dnl
')
########################################
##
## Inherit and use a file descriptor from firstboot.
##
##
##
## The type of the process performing this action.
##
##
#
define(`firstboot_use_fds',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `firstboot_use_fds'($*)) dnl
gen_require(`
type firstboot_t;
')
# Interface: firstboot_use_fds(domain)
# Let the caller domain use file descriptors inherited from firstboot_t.
allow $1 firstboot_t:fd use;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `firstboot_use_fds'($*)) dnl
')
########################################
##
## Do not audit attempts to inherit a
## file descriptor from firstboot.
##
##
##
## Domain to not audit.
##
##
#
define(`firstboot_dontaudit_use_fds',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `firstboot_dontaudit_use_fds'($*)) dnl
gen_require(`
type firstboot_t;
')
# Interface: firstboot_dontaudit_use_fds(domain)
# Silence audit messages when the caller domain tries to use fds
# inherited from firstboot_t. Access is still denied, only the log
# entry is suppressed.
dontaudit $1 firstboot_t:fd use;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `firstboot_dontaudit_use_fds'($*)) dnl
')
########################################
##
## Read and write a firstboot unnamed pipe.
##
##
##
## The type of the process performing this action.
##
##
#
define(`firstboot_rw_pipes',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `firstboot_rw_pipes'($*)) dnl
gen_require(`
type firstboot_t;
')
# Interface: firstboot_rw_pipes(domain)
# Let the caller domain read and write unnamed pipes created by
# firstboot_t. Only read and write are granted (not the wider
# rw_file_perms set used by the dpkg pipe interfaces).
allow $1 firstboot_t:fifo_file { read write };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `firstboot_rw_pipes'($*)) dnl
')
########################################
##
## Do not audit attempts to read and write to a firstboot unnamed pipe.
##
##
##
## Domain to not audit.
##
##
#
define(`firstboot_dontaudit_rw_pipes',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `firstboot_dontaudit_rw_pipes'($*)) dnl
gen_require(`
type firstboot_t;
')
# Interface: firstboot_dontaudit_rw_pipes(domain)
# Silence audit messages when the caller domain tries to read or
# write unnamed pipes of firstboot_t. Access is still denied, only
# the log entry is suppressed.
dontaudit $1 firstboot_t:fifo_file { read write };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `firstboot_dontaudit_rw_pipes'($*)) dnl
')
## Hardware detection and configuration tools
########################################
##
## Execute kudzu in the kudzu domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`kudzu_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kudzu_domtrans'($*)) dnl
gen_require(`
type kudzu_t, kudzu_exec_t;
')
# Interface: kudzu_domtrans(domain)
# Domain transition from the caller into kudzu_t on execution of
# kudzu_exec_t. No directory search is granted; the caller must
# already be able to reach the executable.
domain_auto_trans($1,kudzu_exec_t,kudzu_t)
# Parent/child plumbing: shared inherited fds, child read/write on
# the pipes of the caller, and the sigchld backchannel.
allow $1 kudzu_t:fd use;
allow kudzu_t $1:fd use;
allow kudzu_t $1:fifo_file rw_file_perms;
allow kudzu_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kudzu_domtrans'($*)) dnl
')
########################################
##
## Execute kudzu in the kudzu domain, and
## allow the specified role the kudzu domain.
##
##
##
## The type of the process performing this action.
##
##
##
##
## The role to be allowed the kudzu domain.
##
##
##
##
## The type of the terminal allow the kudzu domain to use.
##
##
##
#
define(`kudzu_run',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kudzu_run'($*)) dnl
gen_require(`
type kudzu_t;
')
# Interface: kudzu_run(domain, role, terminal)
# Transition as in kudzu_domtrans, authorize the role for kudzu_t,
# and let kudzu_t read/write the given terminal type (intended to be
# the controlling tty of the caller).
kudzu_domtrans($1)
role $2 types kudzu_t;
allow kudzu_t $3:chr_file rw_term_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kudzu_run'($*)) dnl
')
########################################
##
## Get attributes of kudzu executable.
##
##
##
## The type of the process performing this action.
##
##
#
# cjp: added for ddcprobe
define(`kudzu_getattr_exec_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kudzu_getattr_exec_files'($*)) dnl
gen_require(`
type kudzu_exec_t;
')
# Interface: kudzu_getattr_exec_files(domain)
# Let the caller domain stat the kudzu executable (getattr only;
# no read or execute).
allow $1 kudzu_exec_t:file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kudzu_getattr_exec_files'($*)) dnl
')
## Rotate and archive system logs
########################################
##
## Execute logrotate in the logrotate domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`logrotate_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `logrotate_domtrans'($*)) dnl
gen_require(`
type logrotate_t, logrotate_exec_t;
')
# Interface: logrotate_domtrans(domain)
# Domain transition from the caller into logrotate_t on execution of
# logrotate_exec_t. No directory search is granted; the caller must
# already be able to reach the executable.
domain_auto_trans($1,logrotate_exec_t,logrotate_t)
# Parent/child plumbing: shared inherited fds, child read/write on
# the pipes of the caller, and the sigchld backchannel.
allow $1 logrotate_t:fd use;
allow logrotate_t $1:fd use;
allow logrotate_t $1:fifo_file rw_file_perms;
allow logrotate_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `logrotate_domtrans'($*)) dnl
')
########################################
##
## Execute logrotate in the logrotate domain, and
## allow the specified role the logrotate domain.
##
##
##
## The type of the process performing this action.
##
##
##
##
## The role to be allowed the logrotate domain.
##
##
##
##
## The type of the terminal allow the logrotate domain to use.
##
##
##
#
define(`logrotate_run',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `logrotate_run'($*)) dnl
gen_require(`
type logrotate_t;
')
# Interface: logrotate_run(domain, role, terminal)
# Transition as in logrotate_domtrans, authorize the role for
# logrotate_t, and let logrotate_t read/write the given terminal
# type (intended to be the controlling tty of the caller).
logrotate_domtrans($1)
role $2 types logrotate_t;
allow logrotate_t $3:chr_file rw_term_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `logrotate_run'($*)) dnl
')
########################################
##
## Execute logrotate in the caller domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`logrotate_exec',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `logrotate_exec'($*)) dnl
gen_require(`
type logrotate_exec_t;
')
# Interface: logrotate_exec(domain)
# Execute logrotate_exec_t in the caller domain (no transition); the
# program then runs with the full permissions of the caller.
# NOTE(review): unlike consoletype_exec and dmesg_exec, no
# corecmd_search_sbin is granted here, so the caller must already be
# able to search the directory holding the binary.
can_exec($1,logrotate_exec_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `logrotate_exec'($*)) dnl
')
########################################
##
## Inherit and use logrotate file descriptors.
##
##
##
## Domain allowed access.
##
##
#
define(`logrotate_use_fds',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `logrotate_use_fds'($*)) dnl
gen_require(`
type logrotate_t;
')
# Interface: logrotate_use_fds(domain)
# Let the caller domain use file descriptors inherited from logrotate_t.
allow $1 logrotate_t:fd use;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `logrotate_use_fds'($*)) dnl
')
########################################
##
## Do not audit attempts to inherit logrotate file descriptors.
##
##
##
## The type of the process to not audit.
##
##
#
define(`logrotate_dontaudit_use_fds',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `logrotate_dontaudit_use_fds'($*)) dnl
gen_require(`
type logrotate_t;
')
# Interface: logrotate_dontaudit_use_fds(domain)
# Silence audit messages when the caller domain tries to use fds
# inherited from logrotate_t. Access is still denied, only the log
# entry is suppressed.
dontaudit $1 logrotate_t:fd use;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `logrotate_dontaudit_use_fds'($*)) dnl
')
########################################
##
## Read logrotate temporary files.
##
##
##
## The type of the process performing this action.
##
##
#
define(`logrotate_read_tmp_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `logrotate_read_tmp_files'($*)) dnl
gen_require(`
type logrotate_tmp_t;
')
# Interface: logrotate_read_tmp_files(domain)
# Read-only access to logrotate_tmp_t files; search on the generic
# tmp directory is included so the files are reachable.
files_search_tmp($1)
allow $1 logrotate_tmp_t:file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `logrotate_read_tmp_files'($*)) dnl
')
## System log analyzer and reporter
########################################
##
## Read logwatch temporary files.
##
##
##
## Domain allowed access.
##
##
#
define(`logwatch_read_tmp_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `logwatch_read_tmp_files'($*)) dnl
gen_require(`
type logwatch_tmp_t;
')
# Interface: logwatch_read_tmp_files(domain)
# Read-only access to logwatch_tmp_t files; search on the generic
# tmp directory is included so the files are reachable.
files_search_tmp($1)
allow $1 logwatch_tmp_t:file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `logwatch_read_tmp_files'($*)) dnl
')
########################################
##
## Search logwatch cache directory.
##
##
##
## Domain allowed access.
##
##
#
define(`logwatch_search_cache_dir',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `logwatch_search_cache_dir'($*)) dnl
gen_require(`
type logwatch_cache_t;
')
# Interface: logwatch_search_cache_dir(domain)
# Search permission only on logwatch_cache_t directories (enough to
# traverse them, not to list or read their contents). No search on
# the parent cache tree is granted here.
allow $1 logwatch_cache_t:dir search;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `logwatch_search_cache_dir'($*)) dnl
')
## Network traffic graphing
########################################
##
## Create and append mrtg logs.
##
##
##
## Domain allowed access.
##
##
#
define(`mrtg_append_create_logs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mrtg_append_create_logs'($*)) dnl
gen_require(`
type mrtg_log_t;
')
# Interface: mrtg_append_create_logs(domain)
# Let the caller domain add entries to mrtg_log_t directories and
# create, stat and append to mrtg_log_t files. Append-only (no write
# or unlink) keeps the caller from rewriting or removing existing
# log content.
allow $1 mrtg_log_t:dir rw_dir_perms;
allow $1 mrtg_log_t:file { create append getattr };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mrtg_append_create_logs'($*)) dnl
')
## Network analysis utilities
########################################
##
## Execute network utilities in the netutils domain.
##
##
##
## Domain allowed access.
##
##
#
define(`netutils_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `netutils_domtrans'($*)) dnl
gen_require(`
type netutils_t, netutils_exec_t;
')
# Interface: netutils_domtrans(domain)
# Domain transition from the caller into netutils_t on execution of
# netutils_exec_t. No directory search is granted; the caller must
# already be able to reach the executables.
domain_auto_trans($1,netutils_exec_t,netutils_t)
# Parent/child plumbing: shared inherited fds, child read/write on
# the pipes of the caller, and the sigchld backchannel.
allow $1 netutils_t:fd use;
allow netutils_t $1:fd use;
allow netutils_t $1:fifo_file rw_file_perms;
allow netutils_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `netutils_domtrans'($*)) dnl
')
########################################
##
## Execute network utilities in the netutils domain, and
## allow the specified role the netutils domain.
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed the netutils domain.
##
##
##
##
## The type of the terminal the netutils domain is allowed to use.
##
##
##
#
define(`netutils_run',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `netutils_run'($*)) dnl
gen_require(`
type netutils_t;
')
# arg 1: caller domain, arg 2: role to authorize for netutils_t,
# arg 3: terminal type the tools may read and write.
# Builds on netutils_domtrans and additionally makes the transition
# usable from an interactive session by authorizing the role and the
# terminal.
netutils_domtrans($1)
role $2 types netutils_t;
allow netutils_t $3:chr_file rw_term_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `netutils_run'($*)) dnl
')
########################################
##
## Execute network utilities in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`netutils_exec',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `netutils_exec'($*)) dnl
gen_require(`
type netutils_exec_t;
')
# arg 1: caller domain.
# No domain transition: the tools run with the full rights of the
# caller. Prefer netutils_domtrans/netutils_run unless the caller is
# expected to keep its own context.
can_exec($1,netutils_exec_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `netutils_exec'($*)) dnl
')
########################################
##
## Execute ping in the ping domain.
##
##
##
## Domain allowed access.
##
##
#
define(`netutils_domtrans_ping',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `netutils_domtrans_ping'($*)) dnl
gen_require(`
type ping_t, ping_exec_t;
')
# arg 1: caller domain.
# Executing ping_exec_t switches to ping_t; the child may use the
# inherited descriptors and pipes of the caller and signal it with
# SIGCHLD. What ping_t itself may do is defined in the netutils module.
domain_auto_trans($1,ping_exec_t,ping_t)
allow $1 ping_t:fd use;
allow ping_t $1:fd use;
allow ping_t $1:fifo_file rw_file_perms;
allow ping_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `netutils_domtrans_ping'($*)) dnl
')
########################################
##
## Send a kill (SIGKILL) signal to ping.
##
##
##
## Domain allowed access.
##
##
#
define(`netutils_kill_ping',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `netutils_kill_ping'($*)) dnl
gen_require(`
type ping_t;
')
# arg 1: caller domain.
# sigkill only; generic signals are a separate interface
# (netutils_signal_ping) so callers can take the narrower one.
allow $1 ping_t:process sigkill;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `netutils_kill_ping'($*)) dnl
')
########################################
##
## Send generic signals to ping.
##
##
##
## Domain allowed access.
##
##
#
define(`netutils_signal_ping',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `netutils_signal_ping'($*)) dnl
gen_require(`
type ping_t;
')
# arg 1: caller domain.
# The generic signal permission; it does not cover sigkill, sigstop or
# sigchld, which are separate permissions in the process class.
allow $1 ping_t:process signal;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `netutils_signal_ping'($*)) dnl
')
########################################
##
## Execute ping in the ping domain, and
## allow the specified role the ping domain.
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed the ping domain.
##
##
##
##
## The type of the terminal the ping domain is allowed to use.
##
##
##
#
define(`netutils_run_ping',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `netutils_run_ping'($*)) dnl
gen_require(`
type ping_t;
')
# arg 1: caller domain, arg 2: role to authorize for ping_t,
# arg 3: terminal type ping may read and write.
# Unconditional variant; see netutils_run_ping_cond for the version
# gated on the user_ping boolean.
netutils_domtrans_ping($1)
role $2 types ping_t;
allow ping_t $3:chr_file rw_term_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `netutils_run_ping'($*)) dnl
')
########################################
##
## Conditionally execute ping in the ping domain, and
## allow the specified role the ping domain.
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed the ping domain.
##
##
##
##
## The type of the terminal the ping domain is allowed to use.
##
##
##
#
define(`netutils_run_ping_cond',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `netutils_run_ping_cond'($*)) dnl
gen_require(`
type ping_t;
bool user_ping;
')
# arg 1: caller domain, arg 2: role to authorize for ping_t,
# arg 3: terminal type ping may read and write.
# The role authorization is unconditional; only the transition and the
# terminal access are gated on user_ping. Presumably role statements
# cannot appear inside a conditional block -- TODO confirm. With the
# boolean off the role is allowed ping_t but nothing can reach it.
role $2 types ping_t;
if ( user_ping ) {
netutils_domtrans_ping($1)
allow ping_t $3:chr_file rw_term_perms;
}
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `netutils_run_ping_cond'($*)) dnl
')
########################################
##
## Execute ping in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`netutils_exec_ping',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `netutils_exec_ping'($*)) dnl
gen_require(`
type ping_exec_t;
')
# arg 1: caller domain.
# No transition: ping runs in the caller context. The caller then needs
# whatever raw socket rights ping requires itself; prefer
# netutils_domtrans_ping where a confined ping_t is acceptable.
can_exec($1,ping_exec_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `netutils_exec_ping'($*)) dnl
')
########################################
##
## Execute traceroute in the traceroute domain.
##
##
##
## Domain allowed access.
##
##
#
define(`netutils_domtrans_traceroute',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `netutils_domtrans_traceroute'($*)) dnl
gen_require(`
type traceroute_t, traceroute_exec_t;
')
# arg 1: caller domain.
# Same shape as netutils_domtrans_ping: automatic transition on exec of
# traceroute_exec_t, shared descriptors and pipes, SIGCHLD back to the
# caller.
domain_auto_trans($1,traceroute_exec_t,traceroute_t)
allow $1 traceroute_t:fd use;
allow traceroute_t $1:fd use;
allow traceroute_t $1:fifo_file rw_file_perms;
allow traceroute_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `netutils_domtrans_traceroute'($*)) dnl
')
########################################
##
## Execute traceroute in the traceroute domain, and
## allow the specified role the traceroute domain.
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed the traceroute domain.
##
##
##
##
## The type of the terminal the traceroute domain is allowed to use.
##
##
##
#
define(`netutils_run_traceroute',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `netutils_run_traceroute'($*)) dnl
gen_require(`
type traceroute_t;
')
# arg 1: caller domain, arg 2: role to authorize for traceroute_t,
# arg 3: terminal type traceroute may read and write.
# Unconditional variant; netutils_run_traceroute_cond gates the same
# access on a boolean.
netutils_domtrans_traceroute($1)
role $2 types traceroute_t;
allow traceroute_t $3:chr_file rw_term_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `netutils_run_traceroute'($*)) dnl
')
########################################
##
## Conditionally execute traceroute in the traceroute domain, and
## allow the specified role the traceroute domain.
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed the traceroute domain.
##
##
##
##
## The type of the terminal the traceroute domain is allowed to use.
##
##
##
#
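define(`netutils_run_traceroute_cond',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `netutils_run_traceroute_cond'($*)) dnl
gen_require(`
type traceroute_t;
bool user_ping;
')
# arg 1: caller domain, arg 2: role to authorize for traceroute_t,
# arg 3: terminal type traceroute may read and write.
# Note the gate is user_ping, not a traceroute specific boolean: turning
# on user ping also enables traceroute for the role.
# The role authorization stays outside the conditional, matching
# netutils_run_ping_cond; only the transition and terminal access are
# gated.
role $2 types traceroute_t;
if ( user_ping ) {
netutils_domtrans_traceroute($1)
allow traceroute_t $3:chr_file rw_term_perms;
}
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `netutils_run_traceroute_cond'($*)) dnl
')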
########################################
##
## Execute traceroute in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`netutils_exec_traceroute',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `netutils_exec_traceroute'($*)) dnl
gen_require(`
type traceroute_exec_t;
')
# arg 1: caller domain.
# No transition: traceroute keeps the caller context and the caller must
# carry the socket rights itself.
can_exec($1,traceroute_exec_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `netutils_exec_traceroute'($*)) dnl
')
##
## Portage Package Management System. The primary package management and
## distribution system for Gentoo.
##
########################################
##
## Execute emerge in the portage domain.
##
##
##
## Domain allowed access.
##
##
#
define(`portage_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `portage_domtrans'($*)) dnl
gen_require(`
type portage_t, portage_t.merge, portage_exec_t;
')
# arg 1: caller domain.
# Two targets: the default exec of portage_exec_t lands in the
# portage_t.merge subtype (domain_auto_trans below); the constraining
# portage_t domain is only reachable when explicitly requested, since
# domain_trans presumably installs no default type_transition -- confirm
# against its definition elsewhere in this file.
# NOTE(review): portage_t.merge uses derived-type syntax that newer
# policy toolchains do not accept.
files_search_usr($1)
corecmd_search_bin($1)
# constraining domain
domain_trans($1,portage_exec_t,portage_t)
allow portage_t $1:fd use;
allow portage_t $1:fifo_file rw_file_perms;
allow portage_t $1:process sigchld;
# transition to portage
domain_auto_trans($1,portage_exec_t,portage_t.merge)
allow portage_t.merge $1:fd use;
allow portage_t.merge $1:fifo_file rw_file_perms;
allow portage_t.merge $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `portage_domtrans'($*)) dnl
')
########################################
##
## Execute emerge in the portage domain, and
## allow the specified role the portage domain.
##
##
##
## Domain allowed access.
##
##
##
##
## The role to allow the portage domain.
##
##
##
##
## The type of the terminal the portage domains are allowed to use.
##
##
##
#
define(`portage_run',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `portage_run'($*)) dnl
gen_require(`
type portage_t;
type portage_t.merge, portage_t.fetch, portage_t.sandbox;
')
# arg 1: caller domain, arg 2: role to authorize, arg 3: terminal type.
# Authorizes the role for the constraining domain and for all three
# subtypes (merge, fetch, sandbox) and gives each of them the terminal,
# since the whole emerge pipeline runs interactively on it.
portage_domtrans($1)
# constraining access
role $2 types portage_t;
allow portage_t $3:chr_file rw_term_perms;
# specific access
role $2 types { portage_t.merge portage_t.fetch portage_t.sandbox };
allow portage_t.merge $3:chr_file rw_term_perms;
allow portage_t.fetch $3:chr_file rw_term_perms;
allow portage_t.sandbox $3:chr_file rw_term_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `portage_run'($*)) dnl
')
########################################
##
## Template for portage sandbox.
##
##
##
## Template for portage sandbox. Portage
## does all compiling in the sandbox.
##
##
##
##
## Domain Allowed Access
##
##
#
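define(`portage_compile_domain',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `portage_compile_domain'($*)) dnl
gen_require(`
type portage_devpts_t, portage_log_t, portage_tmp_t, portage_tmpfs_t;
class dbus send_msg;
')
# Template: rules shared by every domain that runs ebuild compile phases.
# arg 1: the compiling domain (the sandbox domain, or the main portage
# domain when sesandbox is disabled -- see portage_main_domain).
# NOTE(review): this is a very wide set of rights for a build sandbox:
# dac_override, setuid/setgid, chown, mknod, net_raw, execution of every
# executable type and most of the network. Build scripts of any package
# merged under this domain run with all of it.
allow $1 self:capability { fowner fsetid mknod setgid setuid chown dac_override net_raw };
dontaudit $1 self:capability sys_chroot;
# NOTE(review): the two process rules overlap. The first explicitly
# grants setrlimit and execmem while the second grants everything except
# a set that lists those two, so excluding them there has no effect. The
# net result is every process permission except ptrace setcurrent
# setexec setfscreate execstack execheap.
allow $1 self:process { setpgid setsched setrlimit signal_perms execmem };
allow $1 self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow $1 self:fd use;
allow $1 self:fifo_file rw_file_perms;
allow $1 self:shm create_shm_perms;
allow $1 self:sem create_sem_perms;
allow $1 self:msgq create_msgq_perms;
allow $1 self:msg { send receive };
allow $1 self:unix_dgram_socket create_socket_perms;
allow $1 self:unix_stream_socket create_stream_socket_perms;
allow $1 self:unix_dgram_socket sendto;
allow $1 self:unix_stream_socket connectto;
# really shouldnt need this
allow $1 self:tcp_socket create_stream_socket_perms;
allow $1 self:udp_socket create_socket_perms;
# misc networking stuff (esp needed for compiling perl):
allow $1 self:rawip_socket { create ioctl };
# needed for merging dbus:
allow $1 self:netlink_selinux_socket { bind create read };
allow $1 self:dbus send_msg;
# build output goes through a portage owned pty
allow $1 portage_devpts_t:chr_file { rw_file_perms setattr };
term_create_pty($1,portage_devpts_t)
# write compile logs (append/write only, no create: the main domain
# creates them, see portage_main_domain)
allow $1 portage_log_t:dir setattr;
allow $1 portage_log_t:file { append write setattr };
# run scripts out of the build directory. This applies to the template
# argument so that every compile domain, not only the sandbox type,
# can execute its own build scripts.
can_exec($1,portage_tmp_t)
allow $1 portage_tmp_t:dir manage_dir_perms;
allow $1 portage_tmp_t:file manage_file_perms;
allow $1 portage_tmp_t:lnk_file create_lnk_perms;
allow $1 portage_tmp_t:fifo_file manage_file_perms;
allow $1 portage_tmp_t:sock_file manage_file_perms;
files_tmp_filetrans($1,portage_tmp_t,{ dir file lnk_file sock_file fifo_file })
allow $1 portage_tmpfs_t:dir rw_dir_perms;
allow $1 portage_tmpfs_t:file manage_file_perms;
allow $1 portage_tmpfs_t:lnk_file create_lnk_perms;
allow $1 portage_tmpfs_t:sock_file manage_file_perms;
allow $1 portage_tmpfs_t:fifo_file manage_file_perms;
fs_tmpfs_filetrans($1,portage_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
kernel_read_system_state($1)
kernel_read_network_state($1)
kernel_read_software_raid_state($1)
kernel_getattr_core_if($1)
kernel_getattr_message_if($1)
kernel_read_kernel_sysctls($1)
# any executable type on the system may be run in this domain
corecmd_exec_all_executables($1)
# really shouldnt need this but some packages test
# network access, such as during configure
# also distcc--need to reinvestigate confining distcc client
corenet_non_ipsec_sendrecv($1)
corenet_tcp_sendrecv_generic_if($1)
corenet_udp_sendrecv_generic_if($1)
corenet_raw_sendrecv_generic_if($1)
corenet_tcp_sendrecv_all_nodes($1)
corenet_udp_sendrecv_all_nodes($1)
corenet_raw_sendrecv_all_nodes($1)
corenet_tcp_sendrecv_all_ports($1)
corenet_udp_sendrecv_all_ports($1)
corenet_tcp_connect_all_reserved_ports($1)
corenet_tcp_connect_distccd_port($1)
dev_read_sysfs($1)
dev_read_rand($1)
dev_read_urand($1)
domain_use_interactive_fds($1)
domain_dontaudit_read_all_domains_state($1)
files_exec_etc_files($1)
files_exec_usr_src_files($1)
fs_getattr_xattr_fs($1)
fs_list_noxattr_fs($1)
fs_read_noxattr_fs_files($1)
fs_read_noxattr_fs_symlinks($1)
fs_search_auto_mountpoints($1)
# needed for merging dbus:
selinux_compute_access_vector($1)
# read access to the whole filesystem except shadow
auth_read_all_dirs_except_shadow($1)
auth_read_all_files_except_shadow($1)
auth_read_all_symlinks_except_shadow($1)
libs_use_ld_so($1)
libs_use_shared_libs($1)
libs_exec_lib_files($1)
# some config scripts use ldd
libs_exec_ld_so($1)
# this violates the idea of sandbox, but
# regular sandbox allows it
libs_domtrans_ldconfig($1)
logging_send_syslog_msg($1)
ifdef(`TODO',`
# some gui ebuilds want to interact with X server, like xawtv
optional_policy(`
allow $1 xdm_xserver_tmp_t:dir { add_name remove_name write };
allow $1 xdm_xserver_tmp_t:sock_file { create getattr unlink write };
')
') dnl end TODO
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `portage_compile_domain'($*)) dnl
')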
########################################
##
## Template for portage fetch.
##
##
##
## Domain Allowed Access
##
##
#
define(`portage_fetch_domain',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `portage_fetch_domain'($*)) dnl
# Template: rules for the domain that downloads distfiles.
# arg 1: the fetch domain.
# NOTE(review): portage_conf_t, portage_ebuild_t, portage_fetch_tmp_t,
# portage_tmp_t and portage_cache_t are used below but not listed in a
# gen_require block, unlike the other interfaces in this file; this only
# works while the template is expanded inside the module that declares
# them -- confirm intended.
allow $1 self:capability { dac_override fowner fsetid };
allow $1 self:process signal;
allow $1 self:unix_stream_socket create_socket_perms;
allow $1 self:tcp_socket create_stream_socket_perms;
allow $1 portage_conf_t:dir list_dir_perms;
allow $1 portage_conf_t:file read_file_perms;
# downloads are written into the ebuild tree (distfiles) and a fetch
# scratch directory
allow $1 portage_ebuild_t:dir manage_dir_perms;
allow $1 portage_ebuild_t:file manage_file_perms;
allow $1 portage_fetch_tmp_t:dir manage_dir_perms;
allow $1 portage_fetch_tmp_t:file manage_file_perms;
# portage makes home dir the portage tmp dir, so
# wget looks for .wgetrc there
dontaudit $1 portage_tmp_t:dir search_dir_perms;
kernel_read_system_state($1)
kernel_read_kernel_sysctls($1)
corecmd_exec_bin($1)
corecmd_exec_sbin($1)
corenet_non_ipsec_sendrecv($1)
corenet_tcp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_all_nodes($1)
corenet_tcp_sendrecv_all_ports($1)
# would rather not connect to unspecified ports, but
# it occasionally comes up
# NOTE(review): together these allow outbound TCP to any reserved port
# plus the generic port, not only http/ftp mirrors.
corenet_tcp_connect_all_reserved_ports($1)
corenet_tcp_connect_generic_port($1)
dev_dontaudit_read_rand($1)
domain_use_interactive_fds($1)
files_read_etc_files($1)
files_read_etc_runtime_files($1)
files_search_var($1)
files_dontaudit_search_pids($1)
term_search_ptys($1)
libs_use_ld_so($1)
libs_use_shared_libs($1)
miscfiles_read_localization($1)
sysnet_read_config($1)
sysnet_dns_name_resolve($1)
userdom_dontaudit_read_sysadm_home_content_files($1)
# silenced rather than allowed: denials on the cache are not a
# functional problem for fetching
ifdef(`hide_broken_symptoms',`
dontaudit $1 portage_cache_t:file read;
')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `portage_fetch_domain'($*)) dnl
')
########################################
##
## Template for portage main.
##
##
##
## Domain Allowed Access
##
##
#
define(`portage_main_domain',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `portage_main_domain'($*)) dnl
# Template: rules for the main portage domain that merges packages to
# the live filesystem.
# arg 1: the main portage domain.
# NOTE(review): with files_manage_all_files, auth_manage_shadow,
# kernel_write_proc_files and the setfiles/semanage transitions this
# domain is effectively unconfined with respect to the filesystem and
# the loaded policy; anything that reaches it owns the system. Keep the
# set of callers of portage_domtrans small.
# - setfscreate for merging to live fs
# - setexec to run portage fetch
allow $1 self:process { setfscreate setexec };
# if sesandbox is disabled, compiles are
# performed in the main domain
portage_compile_domain($1)
# creates the compile logs that the compile template only appends to
allow $1 portage_log_t:file create_file_perms;
logging_log_filetrans($1,portage_log_t,file)
# run scripts out of the build directory
can_exec($1,portage_tmp_t)
# merging baselayout will need this:
kernel_write_proc_files($1)
domain_dontaudit_read_all_domains_state($1)
# modify any files in the system
files_manage_all_files($1)
selinux_get_fs_mount($1)
auth_manage_shadow($1)
# merging baselayout will need this:
init_exec($1)
# run setfiles -r
seutil_domtrans_setfiles($1)
# run semodule
seutil_domtrans_semanage($1)
portage_domtrans_gcc_config($1)
optional_policy(`
bootloader_domtrans($1)
')
optional_policy(`
modutils_domtrans_depmod($1)
modutils_domtrans_update_mods($1)
#dontaudit update_modules_t portage_tmp_t:dir search_dir_perms;
')
optional_policy(`
usermanage_domtrans_groupadd($1)
usermanage_domtrans_useradd($1)
')
# disabled; note these name portage_t directly instead of the template
# argument, so they would not follow arg 1 if ever enabled
ifdef(`TODO',`
# seems to work ok without these
dontaudit portage_t device_t:{ blk_file chr_file } getattr;
dontaudit portage_t proc_t:dir setattr;
dontaudit portage_t device_type:{ chr_file blk_file } r_file_perms;
')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `portage_main_domain'($*)) dnl
')
########################################
##
## Execute gcc-config in the gcc_config domain.
##
##
##
## Domain allowed access.
##
##
#
define(`portage_domtrans_gcc_config',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `portage_domtrans_gcc_config'($*)) dnl
gen_require(`
type gcc_config_t, gcc_config_exec_t;
')
# arg 1: caller domain.
# Automatic transition on exec of gcc_config_exec_t, with search on
# /usr and the bin dirs so the caller can reach the executable. Only
# the child side of the fd sharing is granted; the caller gets no use
# permission on gcc_config_t descriptors (compare netutils_domtrans).
files_search_usr($1)
corecmd_search_bin($1)
domain_auto_trans($1,gcc_config_exec_t,gcc_config_t)
allow gcc_config_t $1:fd use;
allow gcc_config_t $1:fifo_file rw_file_perms;
allow gcc_config_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `portage_domtrans_gcc_config'($*)) dnl
')
########################################
##
## Execute gcc-config in the gcc_config domain, and
## allow the specified role the gcc_config domain.
##
##
##
## Domain allowed access.
##
##
##
##
## The role to allow the gcc_config domain.
##
##
##
##
## The type of the terminal the gcc_config domain is allowed to use.
##
##
##
#
define(`portage_run_gcc_config',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `portage_run_gcc_config'($*)) dnl
gen_require(`
type gcc_config_t;
')
# arg 1: caller domain, arg 2: role to authorize for gcc_config_t,
# arg 3: terminal type gcc-config may read and write.
portage_domtrans_gcc_config($1)
# constraining access
role $2 types gcc_config_t;
allow gcc_config_t $3:chr_file rw_term_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `portage_run_gcc_config'($*)) dnl
')
## Prelink ELF shared library mappings.
########################################
##
## Execute the prelink program in the prelink domain.
##
##
##
## Domain allowed access.
##
##
#
define(`prelink_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `prelink_domtrans'($*)) dnl
gen_require(`
type prelink_t, prelink_exec_t;
')
# arg 1: caller domain.
# Search on the sbin dirs only (prelink lives there); then the usual
# transition, shared fds/pipes and SIGCHLD back to the caller.
corecmd_search_sbin($1)
domain_auto_trans($1, prelink_exec_t, prelink_t)
allow $1 prelink_t:fd use;
allow prelink_t $1:fd use;
allow prelink_t $1:fifo_file rw_file_perms;
allow prelink_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `prelink_domtrans'($*)) dnl
')
########################################
##
## Make the specified file type prelinkable.
##
##
##
## File type to be prelinked.
##
##
#
# cjp: added for misc non-entrypoint objects
define(`prelink_object_file',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `prelink_object_file'($*)) dnl
gen_require(`
attribute prelink_object;
')
# arg 1: a file type.
# Tags the type with the prelink_object attribute. What prelink_t may
# do to files carrying that attribute (presumably rewrite them in
# place) is defined in the prelink module, not here -- so calling this
# hands the type over to prelink for modification.
typeattribute $1 prelink_object;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `prelink_object_file'($*)) dnl
')
########################################
##
## Read the prelink cache.
##
##
##
## Domain allowed access.
##
##
#
define(`prelink_read_cache',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `prelink_read_cache'($*)) dnl
gen_require(`
type prelink_cache_t;
')
# arg 1: caller domain.
# The cache lives under /etc (hence files_search_etc). Only getattr and
# read are granted, no lock or ioctl.
files_search_etc($1)
allow $1 prelink_cache_t:file { getattr read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `prelink_read_cache'($*)) dnl
')
########################################
##
## Delete the prelink cache.
##
##
##
## Domain allowed access.
##
##
#
define(`prelink_delete_cache',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `prelink_delete_cache'($*)) dnl
gen_require(`
type prelink_cache_t;
')
# arg 1: caller domain.
# unlink needs remove_name on the containing directory, which is the
# /etc directory type, so read/write on etc dirs is granted.
# NOTE(review): that is broader than this one file -- it lets the
# caller add and remove names in every etc_t directory.
allow $1 prelink_cache_t:file unlink;
files_rw_etc_dirs($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `prelink_delete_cache'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## prelink log files.
##
##
##
## Domain allowed access.
##
##
#
define(`prelink_manage_log',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `prelink_manage_log'($*)) dnl
gen_require(`
type prelink_log_t;
')
# arg 1: caller domain.
# Full create/read/write/delete on prelink log files plus search of the
# log directory tree to reach them.
logging_search_logs($1)
allow $1 prelink_log_t:dir rw_dir_perms;
allow $1 prelink_log_t:file create_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `prelink_manage_log'($*)) dnl
')
## File system quota management
########################################
##
## Execute quota management tools in the quota domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`quota_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `quota_domtrans'($*)) dnl
gen_require(`
type quota_t, quota_exec_t;
')
# arg 1: caller domain.
# Automatic transition on exec of quota_exec_t; parent and child share
# inherited descriptors and pipes and the child may SIGCHLD the parent.
# No bin/sbin search is granted here; the caller must already reach the
# executable.
domain_auto_trans($1,quota_exec_t,quota_t)
allow $1 quota_t:fd use;
allow quota_t $1:fd use;
allow quota_t $1:fifo_file rw_file_perms;
allow quota_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `quota_domtrans'($*)) dnl
')
########################################
##
## Execute quota management tools in the quota domain, and
## allow the specified role the quota domain.
##
##
##
## The type of the process performing this action.
##
##
##
##
## The role to be allowed the quota domain.
##
##
##
##
## The type of the terminal the quota domain is allowed to use.
##
##
##
#
define(`quota_run',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `quota_run'($*)) dnl
gen_require(`
type quota_t;
')
# arg 1: caller domain, arg 2: role to authorize for quota_t,
# arg 3: terminal type the quota tools may read and write.
quota_domtrans($1)
role $2 types quota_t;
allow quota_t $3:chr_file rw_term_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `quota_run'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of filesystem quota data files.
##
##
##
## Domain to not audit.
##
##
#
define(`quota_dontaudit_getattr_db',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `quota_dontaudit_getattr_db'($*)) dnl
gen_require(`
type quota_db_t;
')
# arg 1: domain whose denials are silenced.
# Grants nothing; only suppresses the audit record for getattr on the
# quota database files (the access is still denied).
dontaudit $1 quota_db_t:file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `quota_dontaudit_getattr_db'($*)) dnl
')
########################################
##
## Create, read, write, and delete quota
## flag files.
##
##
##
## Domain allowed access.
##
##
#
define(`quota_manage_flags',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `quota_manage_flags'($*)) dnl
gen_require(`
type quota_flag_t;
')
# arg 1: caller domain (this is an allow interface, not a dontaudit
# one, despite the wording of the header above).
# Full create/read/write/delete on quota flag files under /var/lib.
files_search_var_lib($1)
allow $1 quota_flag_t:dir rw_dir_perms;
allow $1 quota_flag_t:file create_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `quota_manage_flags'($*)) dnl
')
## Readahead, read files into page cache for improved performance
## Policy for the RPM package manager.
########################################
##
## Execute rpm programs in the rpm domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`rpm_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `rpm_domtrans'($*)) dnl
gen_require(`
type rpm_t, rpm_exec_t;
')
# arg 1: caller domain.
# Search on /usr and the bin dirs so the caller can reach rpm, then the
# standard transition pattern: exec of rpm_exec_t lands in rpm_t, fds
# and pipes are shared both ways, child may SIGCHLD the caller.
# rpm_t is a package manager domain; granting this transition is close
# to granting root, so keep the caller set small.
files_search_usr($1)
corecmd_search_bin($1)
domain_auto_trans($1,rpm_exec_t,rpm_t)
allow $1 rpm_t:fd use;
allow rpm_t $1:fd use;
allow rpm_t $1:fifo_file rw_file_perms;
allow rpm_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `rpm_domtrans'($*)) dnl
')
########################################
##
## Execute rpm_script programs in the rpm_script domain.
##
##
##
## Domain allowed access.
##
##
#
define(`rpm_domtrans_script',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `rpm_domtrans_script'($*)) dnl
gen_require(`
type rpm_script_t;
')
# arg 1: caller domain.
# The entry point is the shell, not an rpm specific executable: any
# shell exec from the caller transitions to rpm_script_t (via
# corecmd_shell_domtrans). Callers that also run ordinary shell scripts
# themselves will have those scripts end up in rpm_script_t too.
# transition to rpm script:
corecmd_shell_domtrans($1,rpm_script_t)
allow $1 rpm_script_t:fd use;
allow rpm_script_t $1:fd use;
allow rpm_script_t $1:fifo_file rw_file_perms;
allow rpm_script_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `rpm_domtrans_script'($*)) dnl
')
########################################
##
## Execute RPM programs in the RPM domain.
##
##
##
## The type of the process performing this action.
##
##
##
##
## The role to allow the RPM domain.
##
##
##
##
## The type of the terminal the RPM domain is allowed to use.
##
##
##
#
define(`rpm_run',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `rpm_run'($*)) dnl
gen_require(`
type rpm_t, rpm_script_t;
')
# arg 1: caller domain, arg 2: role to authorize, arg 3: terminal type.
# Authorizes the role for both rpm_t and rpm_script_t and, through the
# seutil_run_* calls, for the load_policy/semanage/setfiles/restorecon
# domains that package scriptlets run. The role therefore ends up able
# to reach policy management; that is inherent to running rpm.
# Only rpm_t gets the terminal here; rpm_script_t terminal access is
# not granted by this interface (presumably handled elsewhere).
rpm_domtrans($1)
role $2 types rpm_t;
role $2 types rpm_script_t;
seutil_run_loadpolicy(rpm_script_t,$2,$3)
seutil_run_semanage(rpm_script_t,$2,$3)
seutil_run_setfiles(rpm_script_t,$2,$3)
seutil_run_restorecon(rpm_script_t,$2,$3)
allow rpm_t $3:chr_file rw_term_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `rpm_run'($*)) dnl
')
########################################
##
## Execute the rpm client in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`rpm_exec',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `rpm_exec'($*)) dnl
gen_require(`
type rpm_exec_t;
')
# arg 1: caller domain.
# No transition: rpm runs in the caller context with only the rights
# the caller already has. Suitable for query-only use; installs need
# rpm_domtrans/rpm_run.
corecmd_search_bin($1)
can_exec($1,rpm_exec_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `rpm_exec'($*)) dnl
')
########################################
##
## Inherit and use file descriptors from RPM.
##
##
##
## The type of the process performing this action.
##
##
#
define(`rpm_use_fds',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `rpm_use_fds'($*)) dnl
gen_require(`
type rpm_t;
')
# rpm_use_fds(domain): use file descriptors inherited from rpm_t.
allow $1 rpm_t:fd use;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `rpm_use_fds'($*)) dnl
')
########################################
##
## Read from an unnamed RPM pipe.
##
##
##
## The type of the process performing this action.
##
##
#
define(`rpm_read_pipes',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `rpm_read_pipes'($*)) dnl
gen_require(`
type rpm_t;
')
# rpm_read_pipes(domain): read-only access to unnamed pipes of rpm_t.
allow $1 rpm_t:fifo_file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `rpm_read_pipes'($*)) dnl
')
########################################
##
## Read and write an unnamed RPM pipe.
##
##
##
## The type of the process performing this action.
##
##
#
define(`rpm_rw_pipes',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `rpm_rw_pipes'($*)) dnl
gen_require(`
type rpm_t;
')
# rpm_rw_pipes(domain): read and write unnamed pipes of rpm_t.
allow $1 rpm_t:fifo_file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `rpm_rw_pipes'($*)) dnl
')
########################################
##
## Send and receive messages from
## rpm over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`rpm_dbus_chat',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `rpm_dbus_chat'($*)) dnl
gen_require(`
type rpm_t;
class dbus send_msg;
')
# rpm_dbus_chat(domain): bidirectional dbus messaging with rpm_t. Both
# directions are granted, so the caller can also receive unsolicited
# messages from rpm.
allow $1 rpm_t:dbus send_msg;
allow rpm_t $1:dbus send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `rpm_dbus_chat'($*)) dnl
')
########################################
##
## Send and receive messages from
## rpm_script over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`rpm_script_dbus_chat',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `rpm_script_dbus_chat'($*)) dnl
gen_require(`
type rpm_script_t;
class dbus send_msg;
')
# rpm_script_dbus_chat(domain): bidirectional dbus messaging with
# rpm_script_t (same shape as rpm_dbus_chat, for the script domain).
allow $1 rpm_script_t:dbus send_msg;
allow rpm_script_t $1:dbus send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `rpm_script_dbus_chat'($*)) dnl
')
########################################
##
## Create, read, write, and delete the RPM log.
##
##
##
## The type of the process performing this action.
##
##
#
define(`rpm_manage_log',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `rpm_manage_log'($*)) dnl
gen_require(`
type rpm_log_t;
')
# rpm_manage_log(domain): full access to rpm_log_t files, plus read/write
# on the generic log directories so the files can be created and removed.
# Note this includes unlink and write, i.e. the caller can truncate or
# delete the rpm log, not merely append to it.
logging_rw_generic_log_dirs($1)
allow $1 rpm_log_t:file create_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `rpm_manage_log'($*)) dnl
')
########################################
##
## Inherit and use file descriptors from RPM scripts.
##
##
##
## The type of the process performing this action.
##
##
#
define(`rpm_use_script_fds',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `rpm_use_script_fds'($*)) dnl
gen_require(`
type rpm_script_t;
')
# rpm_use_script_fds(domain): use file descriptors inherited from
# rpm_script_t.
allow $1 rpm_script_t:fd use;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `rpm_use_script_fds'($*)) dnl
')
########################################
##
## Do not audit attempts to inherit and use file descriptors from RPM scripts.
##
##
##
## The type of the process performing this action.
##
##
#
define(`rpm_dontaudit_use_script_fds',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `rpm_dontaudit_use_script_fds'($*)) dnl
gen_require(`
type rpm_script_t;
')
# rpm_dontaudit_use_script_fds(domain): silence denials for using fds
# inherited from rpm_script_t. Nothing is allowed here; the access is
# still denied, only the audit record is suppressed.
dontaudit $1 rpm_script_t:fd use;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `rpm_dontaudit_use_script_fds'($*)) dnl
')
########################################
##
## Read the RPM package database.
##
##
##
## The type of the process performing this action.
##
##
#
define(`rpm_read_db',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `rpm_read_db'($*)) dnl
gen_require(`
type rpm_var_lib_t;
')
# rpm_read_db(domain): read-only access to the rpm database under
# rpm_var_lib_t (directories, files and symlinks), with search on the
# parent var_lib directory so the path can be traversed.
files_search_var_lib($1)
allow $1 rpm_var_lib_t:dir r_dir_perms;
allow $1 rpm_var_lib_t:file r_file_perms;
allow $1 rpm_var_lib_t:lnk_file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `rpm_read_db'($*)) dnl
')
########################################
##
## Create, read, write, and delete the RPM package database.
##
##
##
## The type of the process performing this action.
##
##
#
define(`rpm_manage_db',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `rpm_manage_db'($*)) dnl
gen_require(`
type rpm_var_lib_t;
')
# rpm_manage_db(domain): write access to the rpm package database.
# Files get the full manage set and symlinks may be created, but the
# directory itself only gets rw_dir_perms (entries may be added and
# removed; creating or deleting rpm_var_lib_t subdirectories is not
# covered here). A domain given this interface can rewrite the
# installed-package records, so grant it only to installer domains.
files_search_var_lib($1)
allow $1 rpm_var_lib_t:dir rw_dir_perms;
allow $1 rpm_var_lib_t:file manage_file_perms;
allow $1 rpm_var_lib_t:lnk_file create_lnk_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `rpm_manage_db'($*)) dnl
')
########################################
##
## Do not audit attempts to create, read,
## write, and delete the RPM package database.
##
##
##
## Domain to not audit.
##
##
#
define(`rpm_dontaudit_manage_db',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `rpm_dontaudit_manage_db'($*)) dnl
gen_require(`
type rpm_var_lib_t;
')
# rpm_dontaudit_manage_db(domain): suppress audit records for write
# attempts on the rpm database; nothing is allowed.
# NOTE(review): the file permission set here is create_file_perms while
# the allow counterpart rpm_manage_db uses manage_file_perms; if the two
# macros are not aliases, some denials from a caller of the allow variant
# would still be audited. Confirm against the permission-set definitions.
dontaudit $1 rpm_var_lib_t:dir rw_dir_perms;
dontaudit $1 rpm_var_lib_t:file create_file_perms;
dontaudit $1 rpm_var_lib_t:lnk_file create_lnk_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `rpm_dontaudit_manage_db'($*)) dnl
')
########################################
##
## Allow application to transition to rpm_script domain.
##
##
##
## Domain allowed access.
##
##
#
define(`rpm_transition_script',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `rpm_transition_script'($*)) dnl
gen_require(`
type rpm_script_t;
')
# rpm_transition_script(domain): permit the caller to transition into
# rpm_script_t. Only the process:transition permission is granted here;
# unlike rpm_domtrans_script no domtrans helper is invoked, so there is
# no automatic type_transition and no entrypoint rule in this interface.
# Presumably the caller requests the context explicitly (setexeccon or
# similar) and the entrypoint is provided elsewhere - confirm.
allow $1 rpm_script_t:process transition;
# Usual parent/child exchange after the transition.
allow $1 rpm_script_t:fd use;
allow rpm_script_t $1:fd use;
allow rpm_script_t $1:fifo_file rw_file_perms;
allow rpm_script_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `rpm_transition_script'($*)) dnl
')
########################################
##
## Do not audit attempts to read and
## write RPM temporary files.
##
##
##
## Domain to not audit.
##
##
#
define(`rpm_dontaudit_rw_tmp_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `rpm_dontaudit_rw_tmp_files'($*)) dnl
gen_require(`
type rpm_tmp_t;
')
# rpm_dontaudit_rw_tmp_files(domain): suppress audit records for
# read/write attempts on rpm_tmp_t files; access stays denied.
dontaudit $1 rpm_tmp_t:file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `rpm_dontaudit_rw_tmp_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete RPM
## script temporary files.
##
##
##
## Domain allowed access.
##
##
#
define(`rpm_manage_script_tmp_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `rpm_manage_script_tmp_files'($*)) dnl
gen_require(`
type rpm_script_tmp_t;
')
# rpm_manage_script_tmp_files(domain): full create/read/write/delete on
# rpm_script_tmp_t directories, files and symlinks, with search on the
# generic tmp directory so the objects can be reached.
# NOTE(review): symlinks get manage_file_perms rather than a lnk_file
# specific set; harmless if the macros expand to the same permissions,
# but worth confirming.
files_search_tmp($1)
allow $1 rpm_script_tmp_t:dir manage_dir_perms;
allow $1 rpm_script_tmp_t:file manage_file_perms;
allow $1 rpm_script_tmp_t:lnk_file manage_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `rpm_manage_script_tmp_files'($*)) dnl
')
########################################
##
## Read RPM
## script temporary files.
##
##
##
## Domain allowed access.
##
##
#
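define(`rpm_read_script_tmp_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `rpm_read_script_tmp_files'($*)) dnl
gen_require(`
type rpm_script_tmp_t;
')
# rpm_read_script_tmp_files(domain): read-only access to the temporary
# directories, files and symlinks of RPM scripts.
# The generic tmp directory holding these objects must be searchable by
# the caller, exactly as the manage variant of this interface grants;
# without it a caller that has no tmp search of its own typically could
# not reach the objects the read rules below cover.
files_search_tmp($1)
allow $1 rpm_script_tmp_t:dir search_dir_perms;
allow $1 rpm_script_tmp_t:file r_file_perms;
allow $1 rpm_script_tmp_t:lnk_file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `rpm_read_script_tmp_files'($*)) dnl
')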
########################################
##
## Do not audit attempts to read and write an unnamed RPM pipe.
##
##
##
## The type of the process performing this action.
##
##
#
define(`rpm_dontaudit_rw_pipes',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `rpm_dontaudit_rw_pipes'($*)) dnl
gen_require(`
type rpm_t;
')
# rpm_dontaudit_rw_pipes(domain): suppress audit records for read/write
# attempts on unnamed pipes of rpm_t; access stays denied.
# NOTE(review): this uses rw_fifo_file_perms whereas the allow
# counterpart rpm_rw_pipes uses rw_file_perms; confirm the two macros
# cover the same permissions so the dontaudit matches the allow.
dontaudit $1 rpm_t:fifo_file rw_fifo_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `rpm_dontaudit_rw_pipes'($*)) dnl
')
## Execute a command with a substitute user
#######################################
##
## The per role template for the sudo module.
##
##
##
## This template creates a derived domain which is allowed
## to change the linux user id, to run commands as a different
## user.
##
##
## This template is invoked automatically for each user, and
## generally does not need to be invoked directly
## by policy writers.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## The type of the user domain.
##
##
##
##
## The role associated with the user domain.
##
##
#
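define(`sudo_per_role_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `sudo_per_role_template'($*)) dnl
gen_require(`
type sudo_exec_t;
')
##############################
#
# Declarations
#
# sudo_per_role_template(prefix, userdomain, role): derive a
# prefix_sudo_t domain that is entered from the user domain on executing
# sudo_exec_t and that is allowed to change uid/gid.
type $1_sudo_t;
domain_type($1_sudo_t)
domain_entry_file($1_sudo_t,sudo_exec_t)
domain_interactive_fd($1_sudo_t)
role $3 types $1_sudo_t;
##############################
#
# Local Policy
#
# Use capabilities.
# setuid/setgid/dac_override are what make sudo work at all; they also
# mean a compromise of this domain is a root-equivalent DAC compromise.
# Containment therefore rests on the exec transitions below, not on DAC.
allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_resource };
# Net effect of the next two rules: every process permission except
# ptrace, setcurrent, setfscreate, execmem, execstack and execheap
# (setexec and setrlimit are excluded by the first rule and re-granted by
# the second). setexec lets the domain request a context for its next
# exec, so which targets are reachable is decided by the domtrans rules.
allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow $1_sudo_t self:process { setexec setrlimit };
allow $1_sudo_t self:fd use;
allow $1_sudo_t self:fifo_file rw_file_perms;
allow $1_sudo_t self:shm create_shm_perms;
allow $1_sudo_t self:sem create_sem_perms;
allow $1_sudo_t self:msgq create_msgq_perms;
allow $1_sudo_t self:msg { send receive };
allow $1_sudo_t self:unix_dgram_socket create_socket_perms;
allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms;
allow $1_sudo_t self:unix_dgram_socket sendto;
allow $1_sudo_t self:unix_stream_socket connectto;
logging_send_audit_msgs($1_sudo_t)
allow $1_sudo_t self:netlink_route_socket r_netlink_socket_perms;
# Enter this derived domain from the user domain
domain_auto_trans($2, sudo_exec_t, $1_sudo_t)
# Parent/child exchange between the user domain and the sudo domain;
# each direction is stated once (the former duplicate rules after the
# shell transition were identical and have been dropped).
allow $1_sudo_t $2:fd use;
allow $2 $1_sudo_t:fd use;
allow $2 $1_sudo_t:fifo_file rw_file_perms;
allow $2 $1_sudo_t:process sigchld;
# By default, revert to the calling domain when a shell is executed.
# This is the key containment property: a shell started from sudo lands
# back in the user domain rather than in a more privileged one.
corecmd_shell_domtrans($1_sudo_t,$2)
allow $1_sudo_t $2:fifo_file rw_file_perms;
allow $1_sudo_t $2:process sigchld;
kernel_read_kernel_sysctls($1_sudo_t)
kernel_read_system_state($1_sudo_t)
kernel_search_key($1_sudo_t)
dev_read_urand($1_sudo_t)
fs_search_auto_mountpoints($1_sudo_t)
fs_getattr_xattr_fs($1_sudo_t)
# Password verification is delegated to the chk_passwd / upd_passwd
# helper domains rather than reading shadow directly.
auth_domtrans_chk_passwd($1_sudo_t)
auth_domtrans_upd_passwd($1_sudo_t)
auth_manage_pam_pid($1_sudo_t)
corecmd_read_sbin_symlinks($1_sudo_t)
corecmd_getattr_all_executables($1_sudo_t)
domain_use_interactive_fds($1_sudo_t)
domain_sigchld_interactive_fds($1_sudo_t)
domain_getattr_all_entry_files($1_sudo_t)
files_read_etc_files($1_sudo_t)
files_read_var_files($1_sudo_t)
files_read_usr_symlinks($1_sudo_t)
files_getattr_usr_files($1_sudo_t)
# for some PAM modules and for cwd
files_dontaudit_search_home($1_sudo_t)
init_rw_utmp($1_sudo_t)
libs_use_ld_so($1_sudo_t)
libs_use_shared_libs($1_sudo_t)
logging_send_syslog_msg($1_sudo_t)
miscfiles_read_localization($1_sudo_t)
# Write access to the invoking users home content and tmp files; this is
# broader than sudo strictly needs and is the part to revisit first when
# tightening the derived domain.
userdom_manage_user_home_content_files($1,$1_sudo_t)
userdom_manage_user_home_content_symlinks($1,$1_sudo_t)
userdom_manage_user_tmp_files($1,$1_sudo_t)
userdom_manage_user_tmp_symlinks($1,$1_sudo_t)
userdom_use_user_terminals($1,$1_sudo_t)
userdom_use_unpriv_users_fds($1_sudo_t)
# for some PAM modules and for cwd
userdom_dontaudit_search_all_users_home_content($1_sudo_t)
optional_policy(`
nis_use_ypbind($1_sudo_t)
')
optional_policy(`
nscd_socket_use($1_sudo_t)
')
# Dead unless the TODO symbol is defined at build time; references
# unpriv_userdomain and sendmail_exec_t that this template does not require.
ifdef(`TODO',`
# for when the network connection is killed
dontaudit unpriv_userdomain $1_sudo_t:process signal;
ifdef(`mta.te', `
domain_auto_trans($1_sudo_t, sendmail_exec_t, $1_mail_t)
')
') dnl end TODO
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `sudo_per_role_template'($*)) dnl
')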
## Run shells with substitute user and group
#######################################
##
## Restricted su domain template.
##
##
##
## This template creates a derived domain which is allowed
## to change the linux user id, to run shells as a different
## user.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## The type of the user domain.
##
##
##
##
## The role associated with the user domain.
##
##
#
define(`su_restricted_domain_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `su_restricted_domain_template'($*)) dnl
gen_require(`
type su_exec_t;
attribute su_domain_type;
')
# su_restricted_domain_template(prefix, userdomain, role): derive a
# prefix_su_t domain carrying the su_domain_type attribute, entered from
# the user domain on executing su_exec_t. Compared with
# su_per_role_template this variant grants no user home content, X
# authority or targeted-policy extras.
type $1_su_t, su_domain_type;
domain_entry_file($1_su_t,su_exec_t)
domain_type($1_su_t)
domain_interactive_fd($1_su_t)
role $3 types $1_su_t;
allow $2 $1_su_t:process signal;
# uid/gid change plus DAC bypass are inherent to su; the domain is
# contained by the exec transitions below rather than by DAC.
allow $1_su_t self:capability { setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
dontaudit $1_su_t self:capability sys_tty_config;
allow $1_su_t self:key { search write };
# setexec lets the domain request a context for its next exec; the
# reachable targets are fixed by the domtrans rules below.
allow $1_su_t self:process { setexec setsched setrlimit };
allow $1_su_t self:fifo_file rw_file_perms;
logging_send_audit_msgs($1_su_t)
allow $1_su_t self:unix_stream_socket create_stream_socket_perms;
# Transition from the user domain to this domain.
domain_auto_trans($2, su_exec_t, $1_su_t)
allow $1_su_t $2:fd use;
allow $1_su_t $2:fifo_file rw_file_perms;
allow $1_su_t $2:process sigchld;
# By default, revert to the calling domain when a shell is executed.
# Key containment property: a shell started from su lands back in the
# user domain, not in a more privileged one.
corecmd_shell_domtrans($1_su_t,$2)
allow $2 $1_su_t:fd use;
allow $2 $1_su_t:fifo_file rw_file_perms;
allow $2 $1_su_t:process sigchld;
kernel_read_system_state($1_su_t)
kernel_read_kernel_sysctls($1_su_t)
kernel_search_key($1_su_t)
kernel_link_key($1_su_t)
# for SSP
dev_read_urand($1_su_t)
files_read_etc_files($1_su_t)
files_read_etc_runtime_files($1_su_t)
files_search_var_lib($1_su_t)
files_dontaudit_getattr_tmp_dirs($1_su_t)
# for the rootok check
selinux_compute_access_vector($1_su_t)
# Password verification goes through the chk_passwd / upd_passwd helper
# domains; direct shadow reads are explicitly not audited.
auth_domtrans_chk_passwd($1_su_t)
auth_domtrans_upd_passwd($1_su_t)
auth_dontaudit_read_shadow($1_su_t)
auth_use_nsswitch($1_su_t)
auth_rw_faillog($1_su_t)
domain_use_interactive_fds($1_su_t)
init_dontaudit_use_fds($1_su_t)
init_dontaudit_use_script_ptys($1_su_t)
# Write to utmp.
init_rw_utmp($1_su_t)
libs_use_ld_so($1_su_t)
libs_use_shared_libs($1_su_t)
logging_send_syslog_msg($1_su_t)
miscfiles_read_localization($1_su_t)
# NOTE(review): the unprivileged-only user domain transition, and the
# role/identity change exemptions it relies on, are granted only when
# distro_rhel4 is defined; other builds get no userdom_spec_domtrans
# rule from this template. Confirm that is intended.
ifdef(`distro_rhel4',`
domain_role_change_exemption($1_su_t)
domain_subj_id_change_exemption($1_su_t)
domain_obj_id_change_exemption($1_su_t)
selinux_get_fs_mount($1_su_t)
selinux_validate_context($1_su_t)
selinux_compute_access_vector($1_su_t)
selinux_compute_create_context($1_su_t)
selinux_compute_relabel_context($1_su_t)
selinux_compute_user_contexts($1_su_t)
seutil_read_config($1_su_t)
seutil_read_default_contexts($1_su_t)
# Only allow transitions to unprivileged user domains.
userdom_spec_domtrans_unpriv_users($1_su_t)
')
optional_policy(`
cron_read_pipes($1_su_t)
')
optional_policy(`
kerberos_use($1_su_t)
')
# Dead unless the TODO symbol is defined at build time; references
# initrc_devpts_t which this template does not require.
ifdef(`TODO',`
# Caused by su - init scripts
dontaudit $1_su_t initrc_devpts_t:chr_file { getattr ioctl };
') dnl end TODO
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `su_restricted_domain_template'($*)) dnl
')
#######################################
##
## The per role template for the su module.
##
##
##
## This template creates a derived domain which is allowed
## to change the linux user id, to run shells as a different
## user.
##
##
## This template is invoked automatically for each user, and
## generally does not need to be invoked directly
## by policy writers.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## The type of the user domain.
##
##
##
##
## The role associated with the user domain.
##
##
#
define(`su_per_role_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `su_per_role_template'($*)) dnl
gen_require(`
type su_exec_t;
bool secure_mode;
')
# su_per_role_template(prefix, userdomain, role): derive a prefix_su_t
# domain entered from the user domain on executing su_exec_t.
# NOTE(review): unlike su_restricted_domain_template this type is not
# given the su_domain_type attribute, yet the xserver filetrans call
# further down is made for su_domain_type rather than for this type. If
# the attribute is meant to cover this domain, that filetrans rule does
# not currently apply to it; in a loadable-module build the attribute
# would also need to be required here. Confirm.
type $1_su_t;
domain_entry_file($1_su_t,su_exec_t)
domain_type($1_su_t)
domain_interactive_fd($1_su_t)
role $3 types $1_su_t;
allow $2 $1_su_t:process signal;
# uid/gid change plus DAC bypass are inherent to su; the domain is
# contained by the exec transitions below rather than by DAC.
allow $1_su_t self:capability { setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
dontaudit $1_su_t self:capability sys_tty_config;
# setexec lets the domain request a context for its next exec; the
# reachable targets are fixed by the domtrans rules below.
allow $1_su_t self:process { setexec setsched setrlimit };
allow $1_su_t self:fifo_file rw_file_perms;
logging_send_audit_msgs($1_su_t)
allow $1_su_t self:key { search write };
# Transition from the user domain to this domain.
domain_auto_trans($2, su_exec_t, $1_su_t)
allow $1_su_t $2:fd use;
allow $1_su_t $2:fifo_file rw_file_perms;
allow $1_su_t $2:process sigchld;
# By default, revert to the calling domain when a shell is executed.
# Key containment property: a shell started from su lands back in the
# user domain, not in a more privileged one.
corecmd_shell_domtrans($1_su_t,$2)
allow $2 $1_su_t:fd use;
allow $2 $1_su_t:fifo_file rw_file_perms;
allow $2 $1_su_t:process sigchld;
kernel_read_system_state($1_su_t)
kernel_read_kernel_sysctls($1_su_t)
kernel_search_key($1_su_t)
kernel_link_key($1_su_t)
# for SSP
dev_read_urand($1_su_t)
fs_search_auto_mountpoints($1_su_t)
# Password verification goes through the per-user chk_passwd and the
# upd_passwd helper domains; direct shadow reads are not audited.
auth_domtrans_user_chk_passwd($1,$1_su_t)
auth_domtrans_upd_passwd($1_su_t)
auth_dontaudit_read_shadow($1_su_t)
auth_use_nsswitch($1_su_t)
auth_keyring_domain($1_su_t)
auth_search_key($1_su_t)
corecmd_search_bin($1_su_t)
corecmd_search_sbin($1_su_t)
domain_use_interactive_fds($1_su_t)
files_read_etc_files($1_su_t)
files_read_etc_runtime_files($1_su_t)
files_search_var_lib($1_su_t)
files_dontaudit_getattr_tmp_dirs($1_su_t)
init_dontaudit_use_fds($1_su_t)
# Write to utmp.
init_rw_utmp($1_su_t)
mls_file_write_down($1_su_t)
libs_use_ld_so($1_su_t)
libs_use_shared_libs($1_su_t)
logging_send_syslog_msg($1_su_t)
miscfiles_read_localization($1_su_t)
userdom_use_user_terminals($1,$1_su_t)
userdom_search_user_home_dirs($1,$1_su_t)
selinux_compute_access_vector($1_su_t)
# Modify .Xauthority file (via xauth program).
# (See the note on the type declaration: the first call targets the
# su_domain_type attribute, the second this derived type.)
optional_policy(`
xserver_user_home_dir_filetrans_user_xauth($1, su_domain_type)
xserver_domtrans_user_xauth($1, $1_su_t)
')
# NOTE(review): everything up to the matching close below is rhel4 only.
# That includes the secure_mode switch between unprivileged-only and
# all-user domain transitions, and the targeted unconfined_domtrans; on
# other builds this template grants no userdom_spec_domtrans rule at all.
ifdef(`distro_rhel4',`
domain_role_change_exemption($1_su_t)
domain_subj_id_change_exemption($1_su_t)
domain_obj_id_change_exemption($1_su_t)
selinux_get_fs_mount($1_su_t)
selinux_validate_context($1_su_t)
selinux_compute_create_context($1_su_t)
selinux_compute_relabel_context($1_su_t)
selinux_compute_user_contexts($1_su_t)
# Relabel ttys and ptys.
term_relabel_all_user_ttys($1_su_t)
term_relabel_all_user_ptys($1_su_t)
# Close and re-open ttys and ptys to get the fd into the correct domain.
term_use_all_user_ttys($1_su_t)
term_use_all_user_ptys($1_su_t)
seutil_read_config($1_su_t)
seutil_read_default_contexts($1_su_t)
ifdef(`strict_policy',`
# secure_mode is the runtime switch that limits su to unprivileged
# user domains; with it off, any user domain is reachable.
if(secure_mode) {
# Only allow transitions to unprivileged user domains.
userdom_spec_domtrans_unpriv_users($1_su_t)
} else {
# Allow transitions to all user domains
userdom_spec_domtrans_all_users($1_su_t)
}
')
ifdef(`targeted_policy',`
unconfined_domtrans($1_su_t)
unconfined_signal($1_su_t)
')
')
# Targeted builds: beyond sigstop and exec of generic binaries, the su
# domain may manage home content files and symlinks of every user, which
# is considerably broader than the per-user rules above.
ifdef(`targeted_policy',`
# allow user to suspend terminal.
# does not work in strict since the
# parent may not be able to use
# the terminal if we newrole,
# which relabels the terminal.
allow $1_su_t self:process sigstop;
corecmd_exec_bin($1_su_t)
userdom_manage_all_users_home_content_files($1_su_t)
userdom_manage_all_users_home_content_symlinks($1_su_t)
')
# Runtime tunables: polyinstantiated directories need xattr fs
# mount/unmount; network home directories need search on nfs/cifs.
tunable_policy(`allow_polyinstantiation',`
fs_mount_xattr_fs($1_su_t)
fs_unmount_xattr_fs($1_su_t)
')
tunable_policy(`use_nfs_home_dirs',`
fs_search_nfs($1_su_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_search_cifs($1_su_t)
')
optional_policy(`
cron_read_pipes($1_su_t)
')
optional_policy(`
kerberos_use($1_su_t)
')
userdom_search_all_users_home_dirs($1_su_t)
# Dead unless the TODO symbol is defined at build time; references
# sshd_tmp_t and per-user home/tmp types that this template does not
# require.
ifdef(`TODO',`
allow $1_su_t $1_home_t:file create_file_perms;
# Access sshd cookie files.
allow $1_su_t sshd_tmp_t:file rw_file_perms;
file_type_auto_trans($1_su_t, sshd_tmp_t, $1_tmp_t)
') dnl end TODO
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `su_per_role_template'($*)) dnl
')
#######################################
##
## Execute su in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`su_exec',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `su_exec'($*)) dnl
gen_require(`
type su_exec_t;
')
# su_exec(domain): execute su without a domain change. The caller keeps
# its own type, so no derived su domain and none of its capabilities are
# involved; the caller needs its own setuid rights for su to work.
can_exec($1,su_exec_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `su_exec'($*)) dnl
')
## SUID/SGID program monitoring
########################################
##
## Allow the specified domain to read
## sxid log files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`sxid_read_log',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `sxid_read_log'($*)) dnl
gen_require(`
type sxid_log_t;
')
# sxid_read_log(domain): read-only access to sxid_log_t files, with
# search on the log directories so the path can be traversed.
logging_search_logs($1)
allow $1 sxid_log_t:file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `sxid_read_log'($*)) dnl
')
## Manage temporary directory sizes and file ages
########################################
##
## Execute tmpreaper in the caller domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`tmpreaper_exec',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `tmpreaper_exec'($*)) dnl
gen_require(`
type tmpreaper_exec_t;
')
# tmpreaper_exec(domain): execute tmpreaper without a domain change; the
# caller keeps its own type. usr and sbin search are granted so the
# binary can be reached.
files_search_usr($1)
corecmd_search_sbin($1)
can_exec($1,tmpreaper_exec_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `tmpreaper_exec'($*)) dnl
')
## Tripwire file integrity checker.
##
##
## Tripwire file integrity checker.
##
##
## NOTE: Tripwire creates temporary files in its current working directory.
## This policy does not allow write access to home directories, so
## users will need to either cd to a directory where they have write
## permission, or set the TEMPDIRECTORY variable in the tripwire config
## file. The latter is preferable, as then the file_type_auto_trans
## rules will kick in and label the files as private to tripwire.
##
##
########################################
##
## Execute tripwire in the tripwire domain.
##
##
##
## Domain allowed access.
##
##
#
define(`tripwire_domtrans_tripwire',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `tripwire_domtrans_tripwire'($*)) dnl
gen_require(`
type tripwire_t, tripwire_exec_t;
')
# tripwire_domtrans_tripwire(domain): automatic transition to tripwire_t
# when the caller executes tripwire_exec_t, plus the child-to-parent
# side of the usual exchange (use inherited fds, read/write inherited
# pipes, deliver sigchld).
# NOTE(review): the parent-side fd rule found in the other domtrans
# interfaces of this file (caller using fds of the child) is absent
# here; confirm that is intentional.
domain_auto_trans($1,tripwire_exec_t,tripwire_t)
allow tripwire_t $1:fd use;
allow tripwire_t $1:fifo_file rw_file_perms;
allow tripwire_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `tripwire_domtrans_tripwire'($*)) dnl
')
########################################
##
## Execute tripwire in the tripwire domain, and
## allow the specified role the tripwire domain.
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed the tripwire domain.
##
##
##
##
## The type of the terminal the tripwire domain is allowed to use.
##
##
##
#
define(`tripwire_run_tripwire',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `tripwire_run_tripwire'($*)) dnl
gen_require(`
type tripwire_t;
')
# tripwire_run_tripwire(domain, role, terminal): domtrans for the caller,
# the role is authorized for tripwire_t, and tripwire may read and write
# the terminal it was started on.
tripwire_domtrans_tripwire($1)
role $2 types tripwire_t;
allow tripwire_t $3:chr_file rw_term_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `tripwire_run_tripwire'($*)) dnl
')
########################################
##
## Execute twadmin in the twadmin domain.
##
##
##
## Domain allowed access.
##
##
#
define(`tripwire_domtrans_twadmin',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `tripwire_domtrans_twadmin'($*)) dnl
gen_require(`
type twadmin_t, twadmin_exec_t;
')
# tripwire_domtrans_twadmin(domain): automatic transition to twadmin_t
# when the caller executes twadmin_exec_t, plus the child-to-parent side
# of the usual exchange (inherited fds, inherited pipes, sigchld).
domain_auto_trans($1,twadmin_exec_t,twadmin_t)
allow twadmin_t $1:fd use;
allow twadmin_t $1:fifo_file rw_file_perms;
allow twadmin_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `tripwire_domtrans_twadmin'($*)) dnl
')
########################################
##
## Execute twadmin in the twadmin domain, and
## allow the specified role the twadmin domain.
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed the twadmin domain.
##
##
##
##
## The type of the terminal the twadmin domain is allowed to use.
##
##
##
#
define(`tripwire_run_twadmin',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `tripwire_run_twadmin'($*)) dnl
gen_require(`
type twadmin_t;
')
# tripwire_run_twadmin(domain, role, terminal): domtrans for the caller,
# the role is authorized for twadmin_t, and twadmin may read and write
# the terminal it was started on. twadmin is the tool that edits the
# tripwire configuration and policy, so this is an administrative grant.
tripwire_domtrans_twadmin($1)
role $2 types twadmin_t;
allow twadmin_t $3:chr_file rw_term_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `tripwire_run_twadmin'($*)) dnl
')
########################################
##
## Execute twprint in the twprint domain.
##
##
##
## Domain allowed access.
##
##
#
define(`tripwire_domtrans_twprint',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `tripwire_domtrans_twprint'($*)) dnl
gen_require(`
type twprint_t, twprint_exec_t;
')
# tripwire_domtrans_twprint(domain): automatic transition to twprint_t
# when the caller executes twprint_exec_t, plus the child-to-parent side
# of the usual exchange (inherited fds, inherited pipes, sigchld).
domain_auto_trans($1,twprint_exec_t,twprint_t)
allow twprint_t $1:fd use;
allow twprint_t $1:fifo_file rw_file_perms;
allow twprint_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `tripwire_domtrans_twprint'($*)) dnl
')
########################################
##
## Execute twprint in the twprint domain, and
## allow the specified role the twprint domain.
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed the twprint domain.
##
##
##
##
## The type of the terminal the twprint domain is allowed to use.
##
##
##
#
define(`tripwire_run_twprint',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `tripwire_run_twprint'($*)) dnl
gen_require(`
type twprint_t;
')
# tripwire_run_twprint(domain, role, terminal): domtrans for the caller,
# the role is authorized for twprint_t, and twprint may read and write
# the terminal it was started on.
tripwire_domtrans_twprint($1)
role $2 types twprint_t;
allow twprint_t $3:chr_file rw_term_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `tripwire_run_twprint'($*)) dnl
')
########################################
##
## Execute siggen in the siggen domain.
##
##
##
## Domain allowed access.
##
##
#
define(`tripwire_domtrans_siggen',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `tripwire_domtrans_siggen'($*)) dnl
gen_require(`
type siggen_t, siggen_exec_t;
')
# tripwire_domtrans_siggen(domain): automatic transition to siggen_t when
# the caller executes siggen_exec_t, plus the child-to-parent side of
# the usual exchange (inherited fds, inherited pipes, sigchld).
domain_auto_trans($1,siggen_exec_t,siggen_t)
allow siggen_t $1:fd use;
allow siggen_t $1:fifo_file rw_file_perms;
allow siggen_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `tripwire_domtrans_siggen'($*)) dnl
')
########################################
##
## Execute siggen in the siggen domain, and
## allow the specified role the siggen domain.
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed the siggen domain.
##
##
##
##
## The type of the terminal the siggen domain is allowed to use.
##
##
##
#
define(`tripwire_run_siggen',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `tripwire_run_siggen'($*)) dnl
# Role-enabling wrapper. Argument 1 = calling domain, argument 2 = role that
# gains siggen_t, argument 3 = terminal type (chr_file) siggen_t may read and
# write. Transition rules come from tripwire_domtrans_siggen.
gen_require(`
type siggen_t;
')
tripwire_domtrans_siggen($1)
role $2 types siggen_t;
allow siggen_t $3:chr_file rw_term_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `tripwire_run_siggen'($*)) dnl
')
## Red Hat utility to change /etc/fstab.
########################################
##
## Execute updfstab in the updfstab domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`updfstab_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `updfstab_domtrans'($*)) dnl
# Domain transition interface. Argument 1 is the calling domain. The search
# interfaces let the caller walk /usr and the sbin directories to reach the
# binary; executing updfstab_exec_t then moves it into updfstab_t. fd use is
# granted in both directions; pipes and sigchld only from updfstab_t to caller.
gen_require(`
type updfstab_t, updfstab_exec_t;
')
files_search_usr($1)
corecmd_search_sbin($1)
domain_auto_trans($1,updfstab_exec_t,updfstab_t)
allow $1 updfstab_t:fd use;
allow updfstab_t $1:fd use;
allow updfstab_t $1:fifo_file rw_file_perms;
allow updfstab_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `updfstab_domtrans'($*)) dnl
')
## List kernel modules of USB devices
########################################
##
## Execute usbmodules in the usbmodules domain.
##
##
##
## Domain allowed access.
##
##
#
define(`usbmodules_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `usbmodules_domtrans'($*)) dnl
# Domain transition interface. Argument 1 is the calling domain: executing
# usbmodules_exec_t moves it into usbmodules_t. fd use is granted in both
# directions; pipe access and sigchld only from usbmodules_t to the caller.
# No path-search rules are added here (compare updfstab_domtrans).
gen_require(`
type usbmodules_t, usbmodules_exec_t;
')
domain_auto_trans($1, usbmodules_exec_t, usbmodules_t)
allow $1 usbmodules_t:fd use;
allow usbmodules_t $1:fd use;
allow usbmodules_t $1:fifo_file rw_file_perms;
allow usbmodules_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `usbmodules_domtrans'($*)) dnl
')
########################################
##
## Execute usbmodules in the usbmodules domain, and
## allow the specified role the usbmodules domain,
## and use the caller's terminal.
##
##
##
## The type of the process performing this action.
##
##
##
##
## The role to be allowed the usbmodules domain.
##
##
##
##
## The type of the terminal the usbmodules domain is allowed to use.
##
##
##
#
define(`usbmodules_run',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `usbmodules_run'($*)) dnl
# Role-enabling wrapper. Argument 1 = calling domain, argument 2 = role that
# gains usbmodules_t, argument 3 = terminal type (chr_file) usbmodules_t may
# read and write. Transition rules come from usbmodules_domtrans.
gen_require(`
type usbmodules_t;
')
usbmodules_domtrans($1)
role $2 types usbmodules_t;
allow usbmodules_t $3:chr_file rw_term_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `usbmodules_run'($*)) dnl
')
## Policy for managing user accounts.
########################################
##
## Execute chfn in the chfn domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`usermanage_domtrans_chfn',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `usermanage_domtrans_chfn'($*)) dnl
# Domain transition interface. Argument 1 is the calling domain. It may search
# /usr and the bin directories to reach the binary; executing chfn_exec_t then
# moves it into chfn_t. fd use is granted in both directions; pipe access and
# sigchld only from chfn_t to the caller.
gen_require(`
type chfn_t, chfn_exec_t;
')
files_search_usr($1)
corecmd_search_bin($1)
domain_auto_trans($1,chfn_exec_t,chfn_t)
allow $1 chfn_t:fd use;
allow chfn_t $1:fd use;
allow chfn_t $1:fifo_file rw_file_perms;
allow chfn_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `usermanage_domtrans_chfn'($*)) dnl
')
########################################
##
## Execute chfn in the chfn domain, and
## allow the specified role the chfn domain.
##
##
##
## The type of the process performing this action.
##
##
##
##
## The role to be allowed the chfn domain.
##
##
##
##
## The type of the terminal the chfn domain is allowed to use.
##
##
#
define(`usermanage_run_chfn',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `usermanage_run_chfn'($*)) dnl
# Role-enabling wrapper. Argument 1 = calling domain, argument 2 = role that
# gains chfn_t, argument 3 = terminal type (chr_file) chfn_t may read and
# write. Transition rules come from usermanage_domtrans_chfn.
gen_require(`
type chfn_t;
')
usermanage_domtrans_chfn($1)
role $2 types chfn_t;
allow chfn_t $3:chr_file rw_term_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `usermanage_run_chfn'($*)) dnl
')
########################################
##
## Execute groupadd in the groupadd domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`usermanage_domtrans_groupadd',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `usermanage_domtrans_groupadd'($*)) dnl
# Domain transition interface. Argument 1 is the calling domain. It may search
# /usr and the sbin directories to reach the binary; executing groupadd_exec_t
# then moves it into groupadd_t. fd use is granted in both directions; pipe
# access and sigchld only from groupadd_t to the caller.
gen_require(`
type groupadd_t, groupadd_exec_t;
')
files_search_usr($1)
corecmd_search_sbin($1)
domain_auto_trans($1,groupadd_exec_t,groupadd_t)
allow $1 groupadd_t:fd use;
allow groupadd_t $1:fd use;
allow groupadd_t $1:fifo_file rw_file_perms;
allow groupadd_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `usermanage_domtrans_groupadd'($*)) dnl
')
########################################
##
## Execute groupadd in the groupadd domain, and
## allow the specified role the groupadd domain.
##
##
##
## The type of the process performing this action.
##
##
##
##
## The role to be allowed the groupadd domain.
##
##
##
##
## The type of the terminal the groupadd domain is allowed to use.
##
##
##
#
define(`usermanage_run_groupadd',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `usermanage_run_groupadd'($*)) dnl
# Role-enabling wrapper. Argument 1 = calling domain, argument 2 = role that
# gains groupadd_t, argument 3 = terminal type (chr_file) groupadd_t may read
# and write. Transition rules come from usermanage_domtrans_groupadd.
gen_require(`
type groupadd_t;
')
usermanage_domtrans_groupadd($1)
role $2 types groupadd_t;
allow groupadd_t $3:chr_file rw_term_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `usermanage_run_groupadd'($*)) dnl
')
########################################
##
## Execute passwd in the passwd domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`usermanage_domtrans_passwd',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `usermanage_domtrans_passwd'($*)) dnl
# Domain transition interface. Argument 1 is the calling domain. It may search
# /usr and the bin directories to reach the binary; executing passwd_exec_t
# then moves it into passwd_t. fd use is granted in both directions; pipe
# access and sigchld only from passwd_t to the caller.
gen_require(`
type passwd_t, passwd_exec_t;
')
files_search_usr($1)
corecmd_search_bin($1)
domain_auto_trans($1,passwd_exec_t,passwd_t)
allow $1 passwd_t:fd use;
allow passwd_t $1:fd use;
allow passwd_t $1:fifo_file rw_file_perms;
allow passwd_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `usermanage_domtrans_passwd'($*)) dnl
')
########################################
##
## Execute passwd in the passwd domain, and
## allow the specified role the passwd domain.
##
##
##
## The type of the process performing this action.
##
##
##
##
## The role to be allowed the passwd domain.
##
##
##
##
## The type of the terminal the passwd domain is allowed to use.
##
##
#
define(`usermanage_run_passwd',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `usermanage_run_passwd'($*)) dnl
# Role-enabling wrapper. Argument 1 = calling domain, argument 2 = role that
# gains passwd_t, argument 3 = terminal type (chr_file) passwd_t may read and
# write. Transition rules come from usermanage_domtrans_passwd.
gen_require(`
type passwd_t;
')
usermanage_domtrans_passwd($1)
role $2 types passwd_t;
allow passwd_t $3:chr_file rw_term_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `usermanage_run_passwd'($*)) dnl
')
########################################
##
## Execute password admin functions in
## the admin passwd domain.
##
##
##
## Domain allowed access.
##
##
#
define(`usermanage_domtrans_admin_passwd',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `usermanage_domtrans_admin_passwd'($*)) dnl
# Domain transition interface. Argument 1 is the calling domain. It may search
# /usr and the bin directories; executing admin_passwd_exec_t moves it into
# sysadm_passwd_t (note the domain and entrypoint names differ from the usual
# name_t/name_exec_t pairing). fd use is granted in both directions; pipe
# access and sigchld only from sysadm_passwd_t to the caller.
gen_require(`
type sysadm_passwd_t, admin_passwd_exec_t;
')
files_search_usr($1)
corecmd_search_bin($1)
domain_auto_trans($1,admin_passwd_exec_t,sysadm_passwd_t)
allow $1 sysadm_passwd_t:fd use;
allow sysadm_passwd_t $1:fd use;
allow sysadm_passwd_t $1:fifo_file rw_file_perms;
allow sysadm_passwd_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `usermanage_domtrans_admin_passwd'($*)) dnl
')
########################################
##
## Execute passwd admin functions in the admin
## passwd domain, and allow the specified role
## the admin passwd domain.
##
##
##
## The type of the process performing this action.
##
##
##
##
## The role to be allowed the admin passwd domain.
##
##
##
##
## The type of the terminal the admin passwd domain is allowed to use.
##
##
##
#
define(`usermanage_run_admin_passwd',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `usermanage_run_admin_passwd'($*)) dnl
# Role-enabling wrapper. Argument 1 = calling domain, argument 2 = role that
# gains sysadm_passwd_t, argument 3 = terminal type (chr_file) sysadm_passwd_t
# may read and write. Transition rules come from usermanage_domtrans_admin_passwd.
gen_require(`
type sysadm_passwd_t;
')
usermanage_domtrans_admin_passwd($1)
role $2 types sysadm_passwd_t;
allow sysadm_passwd_t $3:chr_file rw_term_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `usermanage_run_admin_passwd'($*)) dnl
')
########################################
##
## Execute useradd in the useradd domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`usermanage_domtrans_useradd',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `usermanage_domtrans_useradd'($*)) dnl
# Domain transition interface. Argument 1 is the calling domain. It may search
# /usr plus both the bin and sbin directories (the only usermanage domtrans
# that grants both); executing useradd_exec_t then moves it into useradd_t.
# fd use is granted in both directions; pipe access and sigchld only from
# useradd_t to the caller.
gen_require(`
type useradd_t, useradd_exec_t;
')
files_search_usr($1)
corecmd_search_bin($1)
corecmd_search_sbin($1)
domain_auto_trans($1,useradd_exec_t,useradd_t)
allow $1 useradd_t:fd use;
allow useradd_t $1:fd use;
allow useradd_t $1:fifo_file rw_file_perms;
allow useradd_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `usermanage_domtrans_useradd'($*)) dnl
')
########################################
##
## Execute useradd in the useradd domain, and
## allow the specified role the useradd domain.
##
##
##
## The type of the process performing this action.
##
##
##
##
## The role to be allowed the useradd domain.
##
##
##
##
## The type of the terminal the useradd domain is allowed to use.
##
##
##
#
define(`usermanage_run_useradd',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `usermanage_run_useradd'($*)) dnl
# Role-enabling wrapper. Argument 1 = calling domain, argument 2 = role that
# gains useradd_t, argument 3 = terminal type (chr_file) useradd_t may read
# and write. Transition rules come from usermanage_domtrans_useradd.
gen_require(`
type useradd_t;
')
usermanage_domtrans_useradd($1)
role $2 types useradd_t;
allow useradd_t $3:chr_file rw_term_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `usermanage_run_useradd'($*)) dnl
')
########################################
##
## Read the crack database.
##
##
##
## The type of the process performing this action.
##
##
#
define(`usermanage_read_crack_db',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `usermanage_read_crack_db'($*)) dnl
# Read-only access to the crack dictionary database. Argument 1 is the domain
# granted access: directory search plus file read on crack_db_t. No write,
# create or relabel is granted, and no symlink access either.
gen_require(`
type crack_db_t;
')
allow $1 crack_db_t:dir search_dir_perms;
allow $1 crack_db_t:file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `usermanage_read_crack_db'($*)) dnl
')
## run real-mode video BIOS code to alter hardware state
########################################
##
## Execute vbetool application in the vbetool domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`vbetool_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `vbetool_domtrans'($*)) dnl
# Domain transition interface. Argument 1 is the calling domain. It may search
# the sbin directories to reach the binary; executing vbetool_exec_t then moves
# it into vbetool_t. fd use is granted in both directions; pipe access and
# sigchld only from vbetool_t to the caller. The module summary describes
# vbetool as running real-mode video BIOS code, so callers of this interface
# effectively get to drive the video hardware through vbetool_t.
gen_require(`
type vbetool_t, vbetool_exec_t;
')
corecmd_search_sbin($1)
domain_auto_trans($1,vbetool_exec_t,vbetool_t)
allow $1 vbetool_t:fd use;
allow vbetool_t $1:fd use;
allow vbetool_t $1:fifo_file rw_file_perms;
allow vbetool_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `vbetool_domtrans'($*)) dnl
')
## Virtual Private Networking client
########################################
##
## Execute VPN clients in the vpnc domain.
##
##
##
## Domain allowed access.
##
##
#
define(`vpn_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `vpn_domtrans'($*)) dnl
# Domain transition interface. Argument 1 is the calling domain: executing
# vpnc_exec_t moves it into vpnc_t. fd use is granted in both directions;
# pipe access and sigchld only from vpnc_t to the caller. No path-search
# rules are added here.
gen_require(`
type vpnc_t, vpnc_exec_t;
')
domain_auto_trans($1,vpnc_exec_t,vpnc_t)
allow $1 vpnc_t:fd use;
allow vpnc_t $1:fd use;
allow vpnc_t $1:fifo_file rw_file_perms;
allow vpnc_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `vpn_domtrans'($*)) dnl
')
########################################
##
## Execute VPN clients in the vpnc domain, and
## allow the specified role the vpnc domain.
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed the vpnc domain.
##
##
##
##
## The type of the terminal the vpnc domain is allowed to use.
##
##
##
#
define(`vpn_run',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `vpn_run'($*)) dnl
# Role-enabling wrapper. Argument 1 = calling domain, argument 2 = role that
# gains vpnc_t, argument 3 = terminal type (chr_file) vpnc_t may read and
# write. Transition rules come from vpn_domtrans.
gen_require(`
type vpnc_t;
')
vpn_domtrans($1)
role $2 types vpnc_t;
allow vpnc_t $3:chr_file rw_term_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `vpn_run'($*)) dnl
')
########################################
##
## Send generic signals to VPN clients.
##
##
##
## Domain allowed access.
##
##
#
define(`vpn_signal',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `vpn_signal'($*)) dnl
# Argument 1 may send generic signals (the signal permission, which excludes
# sigkill, sigstop, sigchld and signull) to vpnc_t processes.
gen_require(`
type vpnc_t;
')
allow $1 vpnc_t:process signal;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `vpn_signal'($*)) dnl
')
########################################
##
## Send signull to VPN clients.
##
##
##
## Domain allowed access.
##
##
#
define(`vpn_signull',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `vpn_signull'($*)) dnl
# Argument 1 may send signal 0 (existence check, no delivery) to vpnc_t
# processes. Separate from vpn_signal so callers can probe without being able
# to interrupt the client.
gen_require(`
type vpnc_t;
')
allow $1 vpnc_t:process signull;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `vpn_signull'($*)) dnl
')
########################################
##
## Send sigkill to VPN clients.
##
##
##
## Domain allowed access.
##
##
#
define(`vpn_sigkill',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `vpn_sigkill'($*)) dnl
# Argument 1 may send SIGKILL to vpnc_t processes. This is the only one of the
# three vpn signal interfaces that lets the caller terminate the client
# unconditionally, so grant it to fewer domains than vpn_signal.
gen_require(`
type vpnc_t;
')
allow $1 vpnc_t:process sigkill;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `vpn_sigkill'($*)) dnl
')
########################################
##
## Send and receive messages from
## Vpnc over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`vpnc_dbus_chat',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `vpnc_dbus_chat'($*)) dnl
# Bidirectional dbus messaging between argument 1 and vpnc_t. The dbus class
# is a userspace object class, so it is required here alongside the type.
# Note the interface name is vpnc_dbus_chat while the rest of this module uses
# the vpn_ prefix.
gen_require(`
type vpnc_t;
class dbus send_msg;
')
allow $1 vpnc_t:dbus send_msg;
allow vpnc_t $1:dbus send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `vpnc_dbus_chat'($*)) dnl
')
## GNAT Ada95 compiler
########################################
##
## Execute the ada program in the ada domain.
##
##
##
## Domain allowed access.
##
##
#
define(`ada_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ada_domtrans'($*)) dnl
# Domain transition interface, targeted policy only. Argument 1 is the calling
# domain: it may search the bin directories, and executing ada_exec_t moves it
# into ada_t with the usual fd/pipe/sigchld rules. When targeted_policy is not
# defined, no rules are emitted and a build-time refpolicywarn is issued.
ifdef(`targeted_policy',`
gen_require(`
type ada_t, ada_exec_t;
')
corecmd_search_bin($1)
domain_auto_trans($1, ada_exec_t, ada_t)
allow $1 ada_t:fd use;
allow ada_t $1:fd use;
allow ada_t $1:fifo_file rw_file_perms;
allow ada_t $1:process sigchld;
',`
refpolicywarn(`$0($1) has no effect in strict policy.')
')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ada_domtrans'($*)) dnl
')
## Tool for non-root processes to bind to reserved ports
########################################
##
## Use authbind to bind to a reserved port.
##
##
##
## Domain allowed access.
##
##
#
define(`authbind_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `authbind_domtrans'($*)) dnl
# Domain transition interface. Argument 1 is the calling domain: executing
# authbind_exec_t moves it into authbind_t, which inherits the fds and pipes of
# the caller and may send it sigchld. The last rule additionally lets
# authbind_t read and write the tcp and udp sockets of the caller; presumably
# so it can bind the socket the caller hands it (see the module summary),
# but note this covers the full rw_socket_perms set, not only bind. No reverse
# fd use is granted to the caller.
gen_require(`
type authbind_t, authbind_exec_t;
')
domain_auto_trans($1,authbind_exec_t,authbind_t)
allow authbind_t $1:fd use;
allow authbind_t $1:fifo_file rw_file_perms;
allow authbind_t $1:process sigchld;
allow authbind_t $1:{ tcp_socket udp_socket } rw_socket_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `authbind_domtrans'($*)) dnl
')
## Squid log analysis
#######################################
##
## Allow the specified domain to read calamaris www files.
##
##
##
## Domain allowed access.
##
##
#
define(`calamaris_read_www_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `calamaris_read_www_files'($*)) dnl
# Read-only access for argument 1 to calamaris_www_t: directory listing,
# file read and symlink read/getattr. Nothing is granted on other classes,
# so sockets or fifos labelled calamaris_www_t remain inaccessible.
gen_require(`
type calamaris_www_t;
')
allow $1 calamaris_www_t:dir r_dir_perms;
allow $1 calamaris_www_t:file r_file_perms;
allow $1 calamaris_www_t:lnk_file { getattr read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `calamaris_read_www_files'($*)) dnl
')
## Policy for cdrecord
#######################################
##
## The per role template for the cdrecord module.
##
##
##
## This template creates derived domains which are used
## for cdrecord.
##
##
## This template is invoked automatically for each user, and
## generally does not need to be invoked directly
## by policy writers.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## The type of the user domain.
##
##
##
##
## The role associated with the user domain.
##
##
#
define(`cdrecord_per_role_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `cdrecord_per_role_template'($*)) dnl
# Per-role template. Argument 1 = user prefix, argument 2 = user domain,
# argument 3 = user role. Declares a derived prefix_cdrecord_t domain entered
# from argument 2 via cdrecord_exec_t, and scopes its read access to user
# content behind the cdrecord_read_content tunable (see NOTE(review) lines
# below for two places where that gate is bypassed).
gen_require(`
type cdrecord_exec_t;
')
########################################
#
# Declarations
#
type $1_cdrecord_t;
domain_type($1_cdrecord_t)
domain_entry_file($1_cdrecord_t,cdrecord_exec_t)
role $3 types $1_cdrecord_t;
########################################
#
# Local policy
#
# sys_rawio and dac_override are the high-value capabilities here; together
# with the storage_raw_write_* calls below they are what lets the derived
# domain write the disc. ipc_lock/sys_nice/setuid and the sched perms are
# presumably for locking memory and real-time scheduling - confirm.
allow $1_cdrecord_t self:capability { ipc_lock sys_nice setuid dac_override sys_rawio };
allow $1_cdrecord_t self:process { getsched setsched sigkill };
allow $1_cdrecord_t self:unix_dgram_socket create_socket_perms;
allow $1_cdrecord_t self:unix_stream_socket create_stream_socket_perms;
allow $1_cdrecord_t $2:unix_stream_socket { getattr read write ioctl };
# allow ps to show cdrecord and allow the user to kill it
allow $2 $1_cdrecord_t:dir { search getattr read };
allow $2 $1_cdrecord_t:{ file lnk_file } { read getattr };
allow $2 $1_cdrecord_t:process getattr;
allow $2 $1_cdrecord_t:process signal;
# Transition from the user domain to the derived domain.
domain_auto_trans($2, cdrecord_exec_t, $1_cdrecord_t)
allow $2 $1_cdrecord_t:fd use;
allow $1_cdrecord_t $2:fd use;
allow $1_cdrecord_t $2:fifo_file rw_file_perms;
allow $1_cdrecord_t $2:process sigchld;
# allow searching for cdrom-drive
dev_list_all_dev_nodes($1_cdrecord_t)
domain_interactive_fd($1_cdrecord_t)
domain_use_interactive_fds($1_cdrecord_t)
files_read_etc_files($1_cdrecord_t)
term_use_controlling_term($1_cdrecord_t)
term_list_ptys($1_cdrecord_t)
# allow cdrecord to write the CD
storage_raw_write_removable_device($1_cdrecord_t)
storage_write_scsi_generic($1_cdrecord_t)
libs_use_ld_so($1_cdrecord_t)
libs_use_shared_libs($1_cdrecord_t)
logging_send_syslog_msg($1_cdrecord_t)
miscfiles_read_localization($1_cdrecord_t)
# write to the user domain tty.
userdom_use_user_terminals($1,$1_cdrecord_t)
# NOTE(review): the next line grants the user domain itself use of its own
# terminals; that belongs to the user domain policy, not to cdrecord, and is
# presumably redundant here - confirm before removing.
userdom_use_user_terminals($1,$2)
# NOTE(review): this unconditional home-content read makes the
# cdrecord_read_content gate on the same interface further down ineffective
# for home files: an allow rule always wins over the dontaudit in the else
# branch. Either this line or the tunable block is stale.
userdom_read_user_home_content_files($1,$1_cdrecord_t)
# Handle nfs home dirs
tunable_policy(`cdrecord_read_content && use_nfs_home_dirs',`
fs_list_auto_mountpoints($1_cdrecord_t)
files_list_home($1_cdrecord_t)
fs_read_nfs_files($1_cdrecord_t)
fs_read_nfs_symlinks($1_cdrecord_t)
',`
files_dontaudit_list_home($1_cdrecord_t)
fs_dontaudit_list_auto_mountpoints($1_cdrecord_t)
fs_dontaudit_read_nfs_files($1_cdrecord_t)
fs_dontaudit_list_nfs($1_cdrecord_t)
')
# Handle samba home dirs
tunable_policy(`cdrecord_read_content && use_samba_home_dirs',`
fs_list_auto_mountpoints($1_cdrecord_t)
files_list_home($1_cdrecord_t)
fs_read_cifs_files($1_cdrecord_t)
fs_read_cifs_symlinks($1_cdrecord_t)
',`
files_dontaudit_list_home($1_cdrecord_t)
fs_dontaudit_list_auto_mountpoints($1_cdrecord_t)
fs_dontaudit_read_cifs_files($1_cdrecord_t)
fs_dontaudit_list_cifs($1_cdrecord_t)
')
# Handle removable media, /tmp, and /home
tunable_policy(`cdrecord_read_content',`
userdom_list_user_tmp($1,$1_cdrecord_t)
userdom_read_user_tmp_files($1,$1_cdrecord_t)
userdom_read_user_tmp_symlinks($1,$1_cdrecord_t)
userdom_search_user_home_dirs($1,$1_cdrecord_t)
userdom_read_user_home_content_files($1,$1_cdrecord_t)
userdom_read_user_home_content_symlinks($1,$1_cdrecord_t)
# Removable-media read is withheld on MLS builds (empty true branch).
ifdef(`enable_mls',`
',`
fs_search_removable($1_cdrecord_t)
fs_read_removable_files($1_cdrecord_t)
fs_read_removable_symlinks($1_cdrecord_t)
')
',`
files_dontaudit_list_tmp($1_cdrecord_t)
files_dontaudit_list_home($1_cdrecord_t)
fs_dontaudit_list_removable($1_cdrecord_t)
fs_dontaudit_read_removable_files($1_cdrecord_t)
userdom_dontaudit_list_user_tmp($1,$1_cdrecord_t)
userdom_dontaudit_read_user_tmp_files($1,$1_cdrecord_t)
userdom_dontaudit_list_user_home_dirs($1,$1_cdrecord_t)
userdom_dontaudit_read_user_home_content_files($1,$1_cdrecord_t)
')
# Handle default_t content
tunable_policy(`cdrecord_read_content && read_default_t',`
files_list_default($1_cdrecord_t)
files_read_default_files($1_cdrecord_t)
files_read_default_symlinks($1_cdrecord_t)
',`
files_dontaudit_read_default_files($1_cdrecord_t)
files_dontaudit_list_default($1_cdrecord_t)
')
# Handle untrusted content
tunable_policy(`cdrecord_read_content && read_untrusted_content',`
files_list_tmp($1_cdrecord_t)
files_list_home($1_cdrecord_t)
userdom_search_user_home_dirs($1,$1_cdrecord_t)
userdom_list_user_untrusted_content($1,$1_cdrecord_t)
userdom_read_user_untrusted_content_files($1,$1_cdrecord_t)
userdom_read_user_untrusted_content_symlinks($1,$1_cdrecord_t)
userdom_list_user_tmp_untrusted_content($1,$1_cdrecord_t)
userdom_read_user_tmp_untrusted_content_files($1,$1_cdrecord_t)
userdom_read_user_tmp_untrusted_content_symlinks($1,$1_cdrecord_t)
',`
files_dontaudit_list_tmp($1_cdrecord_t)
files_dontaudit_list_home($1_cdrecord_t)
userdom_dontaudit_list_user_home_dirs($1,$1_cdrecord_t)
userdom_dontaudit_list_user_untrusted_content($1,$1_cdrecord_t)
userdom_dontaudit_read_user_untrusted_content_files($1,$1_cdrecord_t)
userdom_dontaudit_list_user_tmp_untrusted_content($1,$1_cdrecord_t)
userdom_dontaudit_read_user_tmp_untrusted_content_files($1,$1_cdrecord_t)
')
# NOTE(review): this block grants NFS file read on use_nfs_home_dirs alone,
# without the cdrecord_read_content conjunct used in the nfs block above, so
# the earlier gate does not actually restrict NFS reads. Likely stale.
tunable_policy(`use_nfs_home_dirs',`
files_search_mnt($1_cdrecord_t)
fs_read_nfs_files($1_cdrecord_t)
fs_read_nfs_symlinks($1_cdrecord_t)
')
optional_policy(`
resmgr_stream_connect($1_cdrecord_t)
')
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `cdrecord_per_role_template'($*)) dnl
')
## Ethereal packet capture tool.
#######################################
##
## The per role template for the ethereal module.
##
##
##
## This template creates derived domains which are used
## for the ethereal packet capture tool.
##
##
## This template is invoked automatically for each user, and
## generally does not need to be invoked directly
## by policy writers.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## The type of the user domain.
##
##
##
##
## The role associated with the user domain.
##
##
#
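define(`ethereal_per_role_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ethereal_per_role_template'($*)) dnl
# Per-role template. Argument 1 = user prefix, argument 2 = user domain,
# argument 3 = user role. Declares a derived prefix_ethereal_t domain plus
# its home, tmp and tmpfs file types.
# ethereal_exec_t is referenced three times below but was not required;
# cdrecord_per_role_template requires its exec type the same way, and without
# this block the template cannot be expanded from another module.
gen_require(`
type ethereal_exec_t;
')
##############################
#
# Declarations
#
# Type for program
type $1_ethereal_t;
domain_type($1_ethereal_t)
domain_entry_file($1_ethereal_t,ethereal_exec_t)
role $3 types $1_ethereal_t;
type $1_ethereal_home_t alias $1_ethereal_rw_t;
files_poly_member($1_ethereal_home_t)
userdom_user_home_content($1,$1_ethereal_home_t)
type $1_ethereal_tmp_t;
files_tmp_file($1_ethereal_tmp_t)
type $1_ethereal_tmpfs_t;
files_tmpfs_file($1_ethereal_tmpfs_t)
##############################
#
# Local Policy
#
# net_raw/net_admin back the packet_socket and netlink rules below; the
# reason for setgid is not visible here - confirm.
allow $1_ethereal_t self:capability { net_admin net_raw setgid };
allow $1_ethereal_t self:process { signal getsched };
allow $1_ethereal_t self:fifo_file { getattr read write };
allow $1_ethereal_t self:shm destroy;
allow $1_ethereal_t self:shm create_shm_perms;
allow $1_ethereal_t self:netlink_route_socket { nlmsg_read create_socket_perms };
# Packet socket is capture-only: no write permission is granted on it.
allow $1_ethereal_t self:packet_socket { setopt bind ioctl getopt create read };
allow $1_ethereal_t self:tcp_socket create_socket_perms;
allow $1_ethereal_t self:udp_socket create_socket_perms;
# Store temporary files
allow $1_ethereal_t $1_ethereal_tmp_t:dir create_dir_perms;
allow $1_ethereal_t $1_ethereal_tmp_t:file create_file_perms;
files_tmp_filetrans($1_ethereal_t, $1_ethereal_tmp_t, { dir file })
# Re-execute itself (why?)
can_exec($1_ethereal_t, ethereal_exec_t)
corecmd_search_sbin($1_ethereal_t)
# /home/.ethereal
allow $1_ethereal_t $1_ethereal_home_t:dir manage_dir_perms;
allow $1_ethereal_t $1_ethereal_home_t:file manage_file_perms;
allow $1_ethereal_t $1_ethereal_home_t:lnk_file create_lnk_perms;
userdom_user_home_dir_filetrans($1,$1_ethereal_t,$1_ethereal_home_t,dir)
allow $1_ethereal_t $1_ethereal_tmpfs_t:dir manage_dir_perms;
allow $1_ethereal_t $1_ethereal_tmpfs_t:file manage_file_perms;
allow $1_ethereal_t $1_ethereal_tmpfs_t:lnk_file create_lnk_perms;
allow $1_ethereal_t $1_ethereal_tmpfs_t:sock_file manage_file_perms;
allow $1_ethereal_t $1_ethereal_tmpfs_t:fifo_file manage_file_perms;
fs_tmpfs_filetrans($1_ethereal_t,$1_ethereal_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
# Transition from the user domain; the derived domain inherits the fds of the
# user domain and may send it sigchld. The user domain gets no fd use back.
domain_auto_trans($2, ethereal_exec_t, $1_ethereal_t)
allow $1_ethereal_t $2:fd use;
allow $1_ethereal_t $2:process sigchld;
# The user domain manages and relabels the ethereal home content.
allow $2 $1_ethereal_home_t:dir manage_dir_perms;
allow $2 $1_ethereal_home_t:file manage_file_perms;
allow $2 $1_ethereal_home_t:lnk_file create_lnk_perms;
allow $2 $1_ethereal_home_t:{ dir file lnk_file } { relabelfrom relabelto };
kernel_read_kernel_sysctls($1_ethereal_t)
kernel_read_system_state($1_ethereal_t)
kernel_read_sysctl($1_ethereal_t)
corecmd_search_bin($1_ethereal_t)
corenet_tcp_connect_generic_port($1_ethereal_t)
corenet_tcp_sendrecv_generic_if($1_ethereal_t)
dev_read_urand($1_ethereal_t)
files_read_etc_files($1_ethereal_t)
files_read_usr_files($1_ethereal_t)
fs_list_inotifyfs($1_ethereal_t)
fs_search_auto_mountpoints($1_ethereal_t)
libs_read_lib_files($1_ethereal_t)
libs_use_ld_so($1_ethereal_t)
libs_use_shared_libs($1_ethereal_t)
miscfiles_read_fonts($1_ethereal_t)
miscfiles_read_localization($1_ethereal_t)
seutil_use_newrole_fds($1_ethereal_t)
sysnet_read_config($1_ethereal_t)
userdom_manage_user_home_content_files($1,$1_ethereal_t)
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs($1_ethereal_t)
fs_manage_nfs_files($1_ethereal_t)
fs_manage_nfs_symlinks($1_ethereal_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_dirs($1_ethereal_t)
fs_manage_cifs_files($1_ethereal_t)
fs_manage_cifs_symlinks($1_ethereal_t)
')
optional_policy(`
nscd_socket_use($1_ethereal_t)
')
# Manual transition from userhelper
optional_policy(`
userhelper_use_user_fd($1,$1_ethereal_t)
userhelper_sigchld_user($1,$1_ethereal_t)
')
optional_policy(`
xserver_user_client_template($1,$1_ethereal_t,$1_ethereal_tmpfs_t)
xserver_create_xdm_tmp_sockets($1_ethereal_t)
')
# Dead unless TODO is defined: nothing in this ifdef is emitted in a normal
# build. Note the dontaudit below names sysadm_ethereal_t rather than the
# derived domain and has no require block.
ifdef(`TODO',`
# Why does it write this?
optional_policy(`
dontaudit sysadm_ethereal_t snmpd_var_lib_t:file write;
')
#TODO
gnome_application($1_ethereal, $1)
gnome_file_dialog($1_ethereal, $1)
# FIXME: policy is incomplete
')
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ethereal_per_role_template'($*)) dnl
')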
#######################################
##
## The administrative functions template for the ethereal module.
##
##
##
## This template creates rules for administrating ethereal,
## allowing the specified user to manage ethereal files.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## The type of the user domain.
##
##
#
define(`ethereal_admin_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ethereal_admin_template'($*)) dnl
# Administrative additions for the $1_ethereal_t domain.
#   $1 = user prefix (e.g. user for user_t)
#   $2 = user domain type (documented, but not referenced in this body)
gen_require(`
type $1_ethereal_t;
')
# Socket classes the domain may create on itself. packet_socket is the
# AF_PACKET class; no capability is granted in this template, so whatever
# the capture path needs must come from the per-role template or elsewhere.
allow $1_ethereal_t self:packet_socket create_socket_perms;
allow $1_ethereal_t self:netlink_route_socket create_netlink_socket_perms;
allow $1_ethereal_t self:tcp_socket create_socket_perms;
allow $1_ethereal_t self:udp_socket create_socket_perms;
allow $1_ethereal_t self:unix_stream_socket create_stream_socket_perms;
# Terminal access for the user that launched ethereal.
userdom_use_user_terminals($1, $1_ethereal_t)
# NOTE(review): this dontaudit names the same domain and terminals as the
# allow above, so it only matters for permissions the allow does not grant;
# confirm that both lines are intended.
userdom_dontaudit_use_user_terminals($1, $1_ethereal_t)
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ethereal_admin_template'($*)) dnl
')
########################################
##
## Run ethereal in ethereal domain.
##
##
##
## Run ethereal in ethereal domain.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain allowed access.
##
##
#
define(`ethereal_domtrans_user_ethereal',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ethereal_domtrans_user_ethereal'($*)) dnl
# Let $2 enter $1_ethereal_t by executing ethereal_exec_t.
#   $1 = user prefix (e.g. user for user_t)
#   $2 = domain allowed access (the caller of ethereal)
gen_require(`
type $1_ethereal_t, ethereal_exec_t;
')
# Automatic domain change on exec of the ethereal binary.
domain_auto_trans($2, ethereal_exec_t, $1_ethereal_t)
# Plumbing that survives the transition: descriptors in both directions,
# a pipe the caller may hand over, and the exit notification to the caller.
allow $1_ethereal_t $2:fd use;
allow $1_ethereal_t $2:fifo_file rw_file_perms;
allow $1_ethereal_t $2:process sigchld;
allow $2 $1_ethereal_t:fd use;
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ethereal_domtrans_user_ethereal'($*)) dnl
')
########################################
##
## Run tethereal in the tethereal domain.
##
##
##
## Domain allowed access.
##
##
#
define(`ethereal_domtrans_tethereal',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ethereal_domtrans_tethereal'($*)) dnl
# Let $1 enter tethereal_t by executing tethereal_exec_t.
#   $1 = domain allowed access (the caller of tethereal)
gen_require(`
type tethereal_t, tethereal_exec_t;
')
# Automatic domain change on exec of the tethereal binary.
domain_auto_trans($1, tethereal_exec_t, tethereal_t)
# Plumbing that survives the transition: descriptors in both directions,
# a pipe the caller may hand over, and the exit notification to the caller.
allow tethereal_t $1:fd use;
allow tethereal_t $1:fifo_file rw_file_perms;
allow tethereal_t $1:process sigchld;
allow $1 tethereal_t:fd use;
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ethereal_domtrans_tethereal'($*)) dnl
')
########################################
##
## Execute tethereal in the tethereal domain, and
## allow the specified role the tethereal domain.
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed the tethereal domain.
##
##
##
##
## The type of the terminal the tethereal domain is allowed to use.
##
##
#
define(`ethereal_run_tethereal',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ethereal_run_tethereal'($*)) dnl
# Transition into tethereal_t plus the role and terminal wiring.
#   $1 = domain allowed access
#   $2 = role to be allowed the tethereal domain
#   $3 = terminal type tethereal_t may read and write
gen_require(`
type tethereal_t;
')
ethereal_domtrans_tethereal($1)
# The role statement is what actually authorizes $2 to be in tethereal_t;
# the type rules from the domtrans call alone are not enough.
role $2 types tethereal_t;
allow tethereal_t $3:chr_file rw_term_perms;
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ethereal_run_tethereal'($*)) dnl
')
## Evolution email client
#######################################
##
## The per role template for the evolution module.
##
##
##
## This template creates derived domains which are used for the
## evolution email client and other related evolution applications,
## such as webcal and alarm. A derived type is also created to protect the user evolution keys.
##
##
## This template is invoked automatically for each user, and
## generally does not need to be invoked directly
## by policy writers.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## The type of the user domain.
##
##
##
##
## The role associated with the user domain.
##
##
#
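define(`evolution_per_role_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `evolution_per_role_template'($*)) dnl
# Per-role template for the evolution module.
#   $1 = user prefix (e.g. user for user_t)
#   $2 = user domain type
#   $3 = role associated with the user domain
# Derives five domains - $1_evolution_t (client), $1_evolution_alarm_t,
# $1_evolution_exchange_t, $1_evolution_server_t and $1_evolution_webcal_t -
# plus their tmpfs, tmp and orbit types, and $1_evolution_home_t for the
# .evolution content in the users home. Each domain is entered from $2 by
# executing the matching *_exec_t file.
########################################
#
# Declarations
#
type $1_evolution_t;
domain_type($1_evolution_t)
domain_entry_file($1_evolution_t,evolution_exec_t)
role $3 types $1_evolution_t;
type $1_evolution_tmpfs_t;
files_tmpfs_file($1_evolution_tmpfs_t)
# Home content type; the alias keeps the older _rw_t name resolvable.
type $1_evolution_home_t alias $1_evolution_rw_t;
files_poly_member($1_evolution_home_t)
userdom_user_home_content($1,$1_evolution_home_t)
type $1_evolution_orbit_tmp_t;
files_type($1_evolution_orbit_tmp_t)
type $1_evolution_alarm_t;
domain_type($1_evolution_alarm_t)
domain_entry_file($1_evolution_alarm_t,evolution_alarm_exec_t)
role $3 types $1_evolution_alarm_t;
type $1_evolution_alarm_tmpfs_t;
files_tmpfs_file($1_evolution_alarm_tmpfs_t)
type $1_evolution_alarm_orbit_tmp_t;
files_type($1_evolution_alarm_orbit_tmp_t)
type $1_evolution_exchange_t;
domain_type($1_evolution_exchange_t)
domain_entry_file($1_evolution_exchange_t,evolution_exchange_exec_t)
role $3 types $1_evolution_exchange_t;
type $1_evolution_exchange_tmpfs_t;
files_tmpfs_file($1_evolution_exchange_tmpfs_t)
type $1_evolution_exchange_tmp_t;
files_tmp_file($1_evolution_exchange_tmp_t)
type $1_evolution_exchange_orbit_tmp_t;
files_type($1_evolution_exchange_orbit_tmp_t)
type $1_evolution_server_t;
domain_type($1_evolution_server_t)
domain_entry_file($1_evolution_server_t,evolution_server_exec_t)
role $3 types $1_evolution_server_t;
type $1_evolution_server_orbit_tmp_t;
files_type($1_evolution_server_orbit_tmp_t)
type $1_evolution_webcal_t;
domain_type($1_evolution_webcal_t)
domain_entry_file($1_evolution_webcal_t,evolution_webcal_exec_t)
role $3 types $1_evolution_webcal_t;
type $1_evolution_webcal_tmpfs_t;
files_tmpfs_file($1_evolution_webcal_tmpfs_t)
# NOTE(review): $1_orbit_tmp_t is not evolution specific; the FIXME at its
# use in the exchange section below questions whether this module should
# be the one declaring it.
type $1_orbit_tmp_t;
files_type($1_orbit_tmp_t)
########################################
#
# Evolution local policy
#
# NOTE(review): setuid and setgid let the client change its own uid/gid;
# confirm the mail client still needs these capabilities.
allow $1_evolution_t self:capability { setuid setgid sys_nice };
allow $1_evolution_t self:process { signal getsched setsched };
allow $1_evolution_t self:fifo_file rw_file_perms;
allow $1_evolution_t self:tcp_socket create_socket_perms;
allow $1_evolution_t self:udp_socket create_socket_perms;
# Peer evolution domains: read their process entries, connect to their
# unix stream sockets and write to their orbit socket files.
allow $1_evolution_t $1_evolution_alarm_t:dir search_dir_perms;
allow $1_evolution_t $1_evolution_alarm_t:file read;
allow $1_evolution_t $1_evolution_alarm_t:unix_stream_socket connectto;
allow $1_evolution_t $1_evolution_alarm_orbit_tmp_t:sock_file write;
# Execute the alarm and server binaries without a domain change.
can_exec($1_evolution_t,evolution_alarm_exec_t)
allow $1_evolution_t $1_evolution_exchange_t:unix_stream_socket connectto;
allow $1_evolution_t $1_evolution_exchange_orbit_tmp_t:sock_file write;
allow $1_evolution_t $1_evolution_home_t:dir manage_dir_perms;
allow $1_evolution_t $1_evolution_home_t:file manage_file_perms;
allow $1_evolution_t $1_evolution_home_t:lnk_file create_lnk_perms;
allow $1_evolution_t $1_evolution_orbit_tmp_t:dir manage_dir_perms;
allow $1_evolution_t $1_evolution_orbit_tmp_t:file manage_file_perms;
files_tmp_filetrans($1_evolution_t,$1_evolution_orbit_tmp_t,{ dir file })
# The data server shares the client orbit tmp type.
allow $1_evolution_server_t $1_evolution_orbit_tmp_t:dir manage_dir_perms;
allow $1_evolution_server_t $1_evolution_orbit_tmp_t:file manage_file_perms;
files_tmp_filetrans($1_evolution_server_t,$1_evolution_orbit_tmp_t,{ dir file })
allow $1_evolution_t $1_evolution_server_t:dir search_dir_perms;
allow $1_evolution_t $1_evolution_server_t:file read;
allow $1_evolution_t $1_evolution_server_t:unix_stream_socket connectto;
allow $1_evolution_t $1_evolution_server_orbit_tmp_t:sock_file write;
can_exec($1_evolution_t,evolution_server_exec_t)
allow $1_evolution_t $1_evolution_tmpfs_t:dir rw_dir_perms;
allow $1_evolution_t $1_evolution_tmpfs_t:file manage_file_perms;
allow $1_evolution_t $1_evolution_tmpfs_t:lnk_file create_lnk_perms;
allow $1_evolution_t $1_evolution_tmpfs_t:sock_file manage_file_perms;
allow $1_evolution_t $1_evolution_tmpfs_t:fifo_file manage_file_perms;
fs_tmpfs_filetrans($1_evolution_t,$1_evolution_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
# Access to the calling user domain: its process entries, inherited
# descriptors, its unix stream sockets, and the exit signal back to it.
allow $1_evolution_t $2:dir search;
allow $1_evolution_t $2:fd use;
allow $1_evolution_t $2:file read;
allow $1_evolution_t $2:lnk_file read;
allow $1_evolution_t $2:process sigchld;
allow $1_evolution_t $2:unix_stream_socket connectto;
domain_auto_trans($2, evolution_exec_t, $1_evolution_t)
allow $2 $1_evolution_t:unix_stream_socket connectto;
allow $2 $1_evolution_t:process noatsecure;
allow $2 $1_evolution_t:process signal_perms;
# Access .evolution
allow $2 $1_evolution_home_t:dir manage_dir_perms;
allow $2 $1_evolution_home_t:file manage_file_perms;
allow $2 $1_evolution_home_t:lnk_file create_lnk_perms;
allow $2 $1_evolution_home_t:{ dir file lnk_file } { relabelfrom relabelto };
userdom_search_user_home_dirs($1,$1_evolution_t)
# Allow the user domain to signal/ps.
allow $2 $1_evolution_t:dir { search getattr read };
allow $2 $1_evolution_t:{ file lnk_file } { read getattr };
allow $2 $1_evolution_t:process getattr;
domain_dontaudit_read_all_domains_state($1_evolution_t)
#FIXME check to see if really needed
kernel_read_kernel_sysctls($1_evolution_t)
kernel_read_system_state($1_evolution_t)
# Allow netstat
kernel_read_network_state($1_evolution_t)
kernel_read_net_sysctls($1_evolution_t)
corecmd_exec_shell($1_evolution_t)
# Run various programs
# NOTE(review): shell, bin and sbin execution is a broad grant for a mail
# client; confirm which helper programs actually need it.
corecmd_exec_bin($1_evolution_t)
corecmd_exec_sbin($1_evolution_t)
corenet_non_ipsec_sendrecv($1_evolution_t)
corenet_tcp_sendrecv_generic_if($1_evolution_t)
corenet_udp_sendrecv_generic_if($1_evolution_t)
corenet_raw_sendrecv_generic_if($1_evolution_t)
corenet_tcp_sendrecv_all_nodes($1_evolution_t)
corenet_udp_sendrecv_all_nodes($1_evolution_t)
# Mail, news, directory and printing ports (POP, SMTP, NNTP, LDAP, IPP).
corenet_tcp_sendrecv_pop_port($1_evolution_t)
corenet_udp_sendrecv_pop_port($1_evolution_t)
corenet_tcp_sendrecv_smtp_port($1_evolution_t)
corenet_udp_sendrecv_smtp_port($1_evolution_t)
corenet_tcp_sendrecv_innd_port($1_evolution_t)
corenet_udp_sendrecv_innd_port($1_evolution_t)
corenet_tcp_sendrecv_ldap_port($1_evolution_t)
corenet_udp_sendrecv_ldap_port($1_evolution_t)
corenet_tcp_sendrecv_ipp_port($1_evolution_t)
corenet_udp_sendrecv_ipp_port($1_evolution_t)
corenet_tcp_connect_pop_port($1_evolution_t)
corenet_tcp_connect_smtp_port($1_evolution_t)
corenet_tcp_connect_innd_port($1_evolution_t)
corenet_tcp_connect_ldap_port($1_evolution_t)
corenet_tcp_connect_ipp_port($1_evolution_t)
corenet_sendrecv_pop_client_packets($1_evolution_t)
corenet_sendrecv_smtp_client_packets($1_evolution_t)
corenet_sendrecv_innd_client_packets($1_evolution_t)
corenet_sendrecv_ldap_client_packets($1_evolution_t)
corenet_sendrecv_ipp_client_packets($1_evolution_t)
# not sure about this bind
corenet_udp_bind_all_nodes($1_evolution_t)
corenet_udp_bind_generic_port($1_evolution_t)
dev_read_urand($1_evolution_t)
dev_read_rand($1_evolution_t)
files_read_etc_files($1_evolution_t)
files_read_usr_files($1_evolution_t)
files_read_usr_symlinks($1_evolution_t)
files_read_var_files($1_evolution_t)
fs_search_auto_mountpoints($1_evolution_t)
libs_use_ld_so($1_evolution_t)
libs_use_shared_libs($1_evolution_t)
logging_send_syslog_msg($1_evolution_t)
miscfiles_read_localization($1_evolution_t)
sysnet_read_config($1_evolution_t)
sysnet_dns_name_resolve($1_evolution_t)
udev_read_state($1_evolution_t)
userdom_rw_user_tmp_files($1,$1_evolution_t)
userdom_manage_user_tmp_dirs($1,$1_evolution_t)
userdom_manage_user_tmp_sockets($1,$1_evolution_t)
userdom_manage_user_tmp_files($1,$1_evolution_t)
userdom_use_user_terminals($1, $1_evolution_t)
# FIXME: suppress access to .local/.icons/.themes until properly implemented
# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
# until properly implemented
userdom_dontaudit_read_user_home_content_files($1,$1_evolution_t)
mta_read_config($1_evolution_t)
xserver_user_client_template($1,$1_evolution_t,$1_evolution_tmpfs_t)
xserver_read_xdm_tmp_files($1_evolution_t)
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs($1_evolution_t)
fs_manage_nfs_files($1_evolution_t)
fs_manage_nfs_symlinks($1_evolution_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_dirs($1_evolution_t)
fs_manage_cifs_files($1_evolution_t)
fs_manage_cifs_symlinks($1_evolution_t)
')
# mail_read_content: read access to the users files so attachments can be
# picked up; each branch has a dontaudit counterpart for when it is off.
tunable_policy(`mail_read_content && use_nfs_home_dirs',`
fs_list_auto_mountpoints($1_evolution_t)
files_list_home($1_evolution_t)
fs_read_nfs_files($1_evolution_t)
fs_read_nfs_symlinks($1_evolution_t)
',`
files_dontaudit_list_home($1_evolution_t)
fs_dontaudit_list_auto_mountpoints($1_evolution_t)
fs_dontaudit_read_nfs_files($1_evolution_t)
fs_dontaudit_list_nfs($1_evolution_t)
')
tunable_policy(`mail_read_content && use_samba_home_dirs',`
fs_list_auto_mountpoints($1_evolution_t)
files_list_home($1_evolution_t)
fs_read_cifs_files($1_evolution_t)
fs_read_cifs_symlinks($1_evolution_t)
',`
files_dontaudit_list_home($1_evolution_t)
fs_dontaudit_list_auto_mountpoints($1_evolution_t)
fs_dontaudit_read_cifs_files($1_evolution_t)
fs_dontaudit_list_cifs($1_evolution_t)
')
tunable_policy(`mail_read_content',`
userdom_list_user_tmp($1,$1_evolution_t)
userdom_read_user_tmp_files($1,$1_evolution_t)
userdom_read_user_tmp_symlinks($1,$1_evolution_t)
userdom_search_user_home_dirs($1,$1_evolution_t)
userdom_read_user_home_content_files($1,$1_evolution_t)
userdom_read_user_home_content_symlinks($1,$1_evolution_t)
ifndef(`enable_mls',`
fs_search_removable($1_evolution_t)
fs_read_removable_files($1_evolution_t)
fs_read_removable_symlinks($1_evolution_t)
')
',`
files_dontaudit_list_tmp($1_evolution_t)
files_dontaudit_list_home($1_evolution_t)
fs_dontaudit_list_removable($1_evolution_t)
fs_dontaudit_read_removable_files($1_evolution_t)
userdom_dontaudit_list_user_tmp($1,$1_evolution_t)
userdom_dontaudit_read_user_tmp_files($1,$1_evolution_t)
userdom_dontaudit_list_user_home_dirs($1,$1_evolution_t)
userdom_dontaudit_read_user_home_content_files($1,$1_evolution_t)
')
tunable_policy(`mail_read_content && read_default_t',`
files_list_default($1_evolution_t)
files_read_default_files($1_evolution_t)
files_read_default_symlinks($1_evolution_t)
',`
files_dontaudit_read_default_files($1_evolution_t)
files_dontaudit_list_default($1_evolution_t)
')
tunable_policy(`mail_read_content && read_untrusted_content',`
files_list_tmp($1_evolution_t)
files_list_home($1_evolution_t)
userdom_search_user_home_dirs($1,$1_evolution_t)
userdom_list_user_untrusted_content($1,$1_evolution_t)
userdom_read_user_untrusted_content_files($1,$1_evolution_t)
userdom_read_user_untrusted_content_symlinks($1,$1_evolution_t)
userdom_list_user_tmp_untrusted_content($1,$1_evolution_t)
userdom_read_user_tmp_untrusted_content_files($1,$1_evolution_t)
userdom_read_user_tmp_untrusted_content_symlinks($1,$1_evolution_t)
',`
files_dontaudit_list_tmp($1_evolution_t)
files_dontaudit_list_home($1_evolution_t)
userdom_dontaudit_list_user_home_dirs($1,$1_evolution_t)
userdom_dontaudit_list_user_untrusted_content($1,$1_evolution_t)
userdom_dontaudit_read_user_untrusted_content_files($1,$1_evolution_t)
userdom_dontaudit_list_user_tmp_untrusted_content($1,$1_evolution_t)
userdom_dontaudit_read_user_tmp_untrusted_content_files($1,$1_evolution_t)
')
# write_untrusted_content: where downloaded attachments may be written.
tunable_policy(`write_untrusted_content && use_nfs_home_dirs',`
files_search_home($1_evolution_t)
fs_search_auto_mountpoints($1_evolution_t)
fs_manage_nfs_dirs($1_evolution_t)
fs_manage_nfs_files($1_evolution_t)
fs_manage_nfs_symlinks($1_evolution_t)
',`
fs_dontaudit_list_auto_mountpoints($1_evolution_t)
fs_dontaudit_manage_nfs_dirs($1_evolution_t)
fs_dontaudit_manage_nfs_files($1_evolution_t)
')
tunable_policy(`write_untrusted_content && use_samba_home_dirs',`
files_search_home($1_evolution_t)
fs_search_auto_mountpoints($1_evolution_t)
fs_manage_cifs_dirs($1_evolution_t)
fs_manage_cifs_files($1_evolution_t)
fs_manage_cifs_symlinks($1_evolution_t)
',`
fs_dontaudit_list_auto_mountpoints($1_evolution_t)
fs_dontaudit_manage_cifs_dirs($1_evolution_t)
fs_dontaudit_manage_cifs_files($1_evolution_t)
')
tunable_policy(`write_untrusted_content',`
files_search_home($1_evolution_t)
userdom_manage_user_untrusted_content_files($1,$1_evolution_t,{ dir file })
',`
files_dontaudit_list_home($1_evolution_t)
files_dontaudit_list_tmp($1_evolution_t)
userdom_dontaudit_list_user_home_dirs($1,$1_evolution_t)
#userdom_dontaudit_manage_user_tmp($1,$1_evolution_t)
#userdom_dontaudit_manage_user_tmp_files($1,$1_evolution_t)
#userdom_dontaudit_manage_user_home_subdirs($1,$1_evolution_t)
')
optional_policy(`
automount_read_state($1_evolution_t)
')
# Allow printing the mail
optional_policy(`
cups_read_rw_config($1_evolution_t)
')
optional_policy(`
dbus_system_bus_client_template($1_evolution,$1_evolution_t)
dbus_send_system_bus($1_evolution_t)
dbus_user_bus_client_template($1,$1_evolution,$1_evolution_t)
dbus_send_user_bus($1,$1_evolution_t)
')
# Encrypt mail
optional_policy(`
gpg_domtrans_user_gpg($1,$1_evolution_t)
gpg_signal_user_gpg($1,$1_evolution_t)
')
optional_policy(`
lpd_domtrans_user_lpr($1,$1_evolution_t)
')
# Allow POP/IMAP/SMTP/NNTP/LDAP/IPP(printing)
optional_policy(`
nis_use_ypbind($1_evolution_t)
')
optional_policy(`
nscd_socket_use($1_evolution_t)
')
optional_policy(`
gnome_stream_connect_gconf_template($1, $1_evolution_t)
')
### Junk mail filtering (start spamd)
optional_policy(`
spamassassin_exec_spamd($1_evolution_t)
spamassassin_domtrans_user_client($1,$1_evolution_t)
spamassassin_domtrans_user_local_client($1,$1_evolution_t)
# Allow evolution to signal the daemon
# FIXME: Now evolution can read spamd temp files
spamassassin_read_spamd_tmp_files($1_evolution_t)
spamassassin_signal_spamd($1_evolution_t)
spamassassin_dontaudit_getattr_spamd_tmp_sockets($1_evolution_t)
')
# Inactive unless TODO is defined; kept for reference only.
ifdef(`TODO',`
#dbus connect to
allow $1_evolution_t $1_dbusd_t:unix_stream_socket connectto;
# Gnome common stuff
gnome_application($1_evolution, $1)
#TODO gnome stuff
# Store passwords in .gnome2_private
# Type for storing secret data
# (different from home, not directly accessible from ROLE_t)
type $1_evolution_secret_t;
userdom_user_home_content($1,$1_evolution_secret_t)
# Put secret files in .gnome2_private
allow $1_evolution_t $1_gnome_secret_t:dir rw_dir_perms;
allow $1_evolution_t $1_evolution_secret_t:file create_file_perms;
type_transition $1_evolution_t $1_gnome_secret_t:file $1_evolution_secret_t;
allow $2 $1_evolution_secret_t:file unlink;
ifdef(`TODO',`
gnome_file_dialog($1_evolution, $1)
')
# Start links in web browser
ifdef(`mozilla', `
corecmd_exec_shell($1_evolution_t)
domain_auto_trans($1_evolution_t, mozilla_exec_t, $1_mozilla_t)
')
')
########################################
#
# Evolution alarm local policy
#
allow $1_evolution_alarm_t self:fifo_file rw_file_perms;
allow $1_evolution_alarm_t self:process getsched;
allow $1_evolution_alarm_t $1_evolution_t:unix_stream_socket connectto;
allow $1_evolution_alarm_t $1_evolution_orbit_tmp_t:sock_file write;
allow $1_evolution_alarm_t $1_evolution_alarm_tmpfs_t:dir rw_dir_perms;
allow $1_evolution_alarm_t $1_evolution_alarm_tmpfs_t:file manage_file_perms;
allow $1_evolution_alarm_t $1_evolution_alarm_tmpfs_t:lnk_file create_lnk_perms;
allow $1_evolution_alarm_t $1_evolution_alarm_tmpfs_t:sock_file manage_file_perms;
allow $1_evolution_alarm_t $1_evolution_alarm_tmpfs_t:fifo_file manage_file_perms;
fs_tmpfs_filetrans($1_evolution_alarm_t,$1_evolution_alarm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
allow $1_evolution_alarm_t $1_evolution_exchange_t:unix_stream_socket connectto;
allow $1_evolution_alarm_t $1_evolution_exchange_orbit_tmp_t:sock_file write;
# Access evolution home
allow $1_evolution_alarm_t $1_evolution_home_t:dir manage_dir_perms;
allow $1_evolution_alarm_t $1_evolution_home_t:file manage_file_perms;
allow $1_evolution_alarm_t $1_evolution_home_t:lnk_file create_lnk_perms;
allow $1_evolution_alarm_t $1_evolution_server_t:unix_stream_socket connectto;
allow $1_evolution_alarm_t $1_evolution_server_orbit_tmp_t:sock_file write;
domain_auto_trans($2, evolution_alarm_exec_t, $1_evolution_alarm_t)
allow $1_evolution_alarm_t $2:fd use;
dev_read_urand($1_evolution_alarm_t)
libs_use_ld_so($1_evolution_alarm_t)
libs_use_shared_libs($1_evolution_alarm_t)
files_read_etc_files($1_evolution_alarm_t)
files_read_usr_files($1_evolution_alarm_t)
fs_search_auto_mountpoints($1_evolution_alarm_t)
miscfiles_read_localization($1_evolution_alarm_t)
# Access evolution home
userdom_search_user_home_dirs($1,$1_evolution_alarm_t)
# FIXME: suppress access to .local/.icons/.themes until properly implemented
# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
# until properly implemented
userdom_dontaudit_read_user_home_content_files($1,$1_evolution_alarm_t)
xserver_user_client_template($1,$1_evolution_alarm_t,$1_evolution_alarm_tmpfs_t)
# Access evolution home
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files($1_evolution_alarm_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_files($1_evolution_alarm_t)
')
optional_policy(`
gnome_stream_connect_gconf_template($1, $1_evolution_alarm_t)
')
optional_policy(`
nscd_socket_use($1_evolution_alarm_t)
')
optional_policy(`
dbus_user_bus_client_template($1,$1_evolution_alarm,$1_evolution_alarm_t)
dbus_send_user_bus($1,$1_evolution_alarm_t)
')
ifdef(`TODO',`
# Gnome common stuff
gnome_application($1_evolution_alarm,$1)
')
########################################
#
# Evolution exchange connector local policy
#
allow $1_evolution_exchange_t self:fifo_file { read write };
allow $1_evolution_exchange_t self:process getsched;
allow $1_evolution_exchange_t self:tcp_socket create_socket_perms;
allow $1_evolution_exchange_t self:udp_socket create_socket_perms;
allow $1_evolution_exchange_t $1_evolution_t:unix_stream_socket connectto;
allow $1_evolution_exchange_t $1_evolution_orbit_tmp_t:sock_file write;
allow $1_evolution_exchange_t $1_evolution_alarm_t:unix_stream_socket connectto;
allow $1_evolution_exchange_t $1_evolution_alarm_orbit_tmp_t:sock_file write;
# Access evolution home
# NOTE(review): create_*_perms here differ from the manage_*_perms used
# in the client and alarm sections; confirm the difference is deliberate.
allow $1_evolution_exchange_t $1_evolution_home_t:dir create_dir_perms;
allow $1_evolution_exchange_t $1_evolution_home_t:file create_file_perms;
allow $1_evolution_exchange_t $1_evolution_home_t:lnk_file create_lnk_perms;
allow $1_evolution_exchange_t $1_evolution_server_t:unix_stream_socket connectto;
allow $1_evolution_exchange_t $1_evolution_server_orbit_tmp_t:sock_file write;
dev_read_urand($1_evolution_exchange_t)
libs_use_ld_so($1_evolution_exchange_t)
libs_use_shared_libs($1_evolution_exchange_t)
files_read_etc_files($1_evolution_exchange_t)
files_read_usr_files($1_evolution_exchange_t)
miscfiles_read_localization($1_evolution_exchange_t)
# /tmp/.exchange-$USER
allow $1_evolution_exchange_t $1_evolution_exchange_tmp_t:dir create_dir_perms;
allow $1_evolution_exchange_t $1_evolution_exchange_tmp_t:file create_file_perms;
files_tmp_filetrans($1_evolution_exchange_t, $1_evolution_exchange_tmp_t, { file dir })
allow $1_evolution_exchange_t $1_evolution_exchange_tmpfs_t:dir rw_dir_perms;
allow $1_evolution_exchange_t $1_evolution_exchange_tmpfs_t:file manage_file_perms;
allow $1_evolution_exchange_t $1_evolution_exchange_tmpfs_t:lnk_file create_lnk_perms;
allow $1_evolution_exchange_t $1_evolution_exchange_tmpfs_t:sock_file manage_file_perms;
allow $1_evolution_exchange_t $1_evolution_exchange_tmpfs_t:fifo_file manage_file_perms;
fs_tmpfs_filetrans($1_evolution_exchange_t,$1_evolution_exchange_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
allow $1_evolution_exchange_t $2:unix_stream_socket connectto;
#FIXME, who should own this. I dont think this module should
allow $1_evolution_exchange_t $1_orbit_tmp_t:sock_file write;
# Clock applet talks to exchange (FIXME: Needs policy)
allow $2 $1_evolution_exchange_t:unix_stream_socket connectto;
allow $2 $1_evolution_exchange_orbit_tmp_t:sock_file write;
# Transition from user domain
domain_auto_trans($2, evolution_exchange_exec_t, $1_evolution_exchange_t)
kernel_read_network_state($1_evolution_exchange_t)
kernel_read_net_sysctls($1_evolution_exchange_t)
# Allow netstat
corecmd_exec_bin($1_evolution_exchange_t)
# Access evolution home
fs_search_auto_mountpoints($1_evolution_exchange_t)
# Access evolution home
userdom_search_user_home_dirs($1,$1_evolution_exchange_t)
# FIXME: suppress access to .local/.icons/.themes until properly implemented
# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
# until properly implemented
userdom_dontaudit_read_user_home_content_files($1,$1_evolution_exchange_t)
xserver_user_client_template($1,$1_evolution_exchange_t,$1_evolution_exchange_tmpfs_t)
# Access evolution home
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files($1_evolution_exchange_t)
')
optional_policy(`
gnome_stream_connect_gconf_template($1, $1_evolution_exchange_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_files($1_evolution_exchange_t)
')
optional_policy(`
nscd_socket_use($1_evolution_exchange_t)
')
ifdef(`TODO',`
# Gnome common stuff
gnome_application($1_evolution_exchange, $1)
')
########################################
#
# Evolution data server local policy
#
allow $1_evolution_server_t self:process { getsched signal };
allow $1_evolution_server_t self:fifo_file { read write };
allow $1_evolution_server_t self:unix_stream_socket { accept connectto };
# Talk to ldap (address book),
# Obtain weather data via http (read server name from xml file in /usr)
allow $1_evolution_server_t self:tcp_socket create_socket_perms;
allow $1_evolution_server_t $1_evolution_t:unix_stream_socket connectto;
allow $1_evolution_server_t $1_evolution_orbit_tmp_t:sock_file write;
allow $1_evolution_server_t $1_evolution_exchange_t:unix_stream_socket connectto;
allow $1_evolution_server_t $1_evolution_exchange_orbit_tmp_t:sock_file write;
# Access evolution home
allow $1_evolution_server_t $1_evolution_home_t:dir create_dir_perms;
allow $1_evolution_server_t $1_evolution_home_t:file create_file_perms;
allow $1_evolution_server_t $1_evolution_home_t:lnk_file create_lnk_perms;
allow $1_evolution_server_t $1_evolution_alarm_t:unix_stream_socket connectto;
allow $1_evolution_server_t $1_evolution_alarm_orbit_tmp_t:sock_file write;
allow $1_evolution_server_t $2:fd use;
dev_read_urand($1_evolution_server_t)
libs_use_ld_so($1_evolution_server_t)
libs_use_shared_libs($1_evolution_server_t)
miscfiles_read_localization($1_evolution_server_t)
kernel_read_system_state($1_evolution_server_t)
corecmd_exec_shell($1_evolution_server_t)
# Obtain weather data via http (read server name from xml file in /usr)
corenet_non_ipsec_sendrecv($1_evolution_server_t)
corenet_tcp_sendrecv_generic_if($1_evolution_server_t)
corenet_tcp_sendrecv_all_nodes($1_evolution_server_t)
corenet_tcp_sendrecv_http_port($1_evolution_server_t)
corenet_tcp_sendrecv_http_cache_port($1_evolution_server_t)
corenet_tcp_connect_http_cache_port($1_evolution_server_t)
corenet_tcp_connect_http_port($1_evolution_server_t)
corenet_sendrecv_http_client_packets($1_evolution_server_t)
corenet_sendrecv_http_cache_client_packets($1_evolution_server_t)
files_read_etc_files($1_evolution_server_t)
# Obtain weather data via http (read server name from xml file in /usr)
files_read_usr_files($1_evolution_server_t)
fs_search_auto_mountpoints($1_evolution_server_t)
# Look in /etc/pki
miscfiles_read_certs($1_evolution_server_t)
# Talk to ldap (address book)
sysnet_read_config($1_evolution_server_t)
sysnet_dns_name_resolve($1_evolution_server_t)
sysnet_use_ldap($1_evolution_server_t)
# Access evolution home
userdom_search_user_home_dirs($1,$1_evolution_server_t)
# FIXME: suppress access to .local/.icons/.themes until properly implemented
# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
# until properly implemented
userdom_dontaudit_read_user_home_content_files($1,$1_evolution_server_t)
# Transition from user type
# Only this transition is gated by disable_evolution_trans; the client,
# alarm, exchange and webcal transitions in this template are unconditional.
tunable_policy(`!disable_evolution_trans',`
domain_auto_trans($2, evolution_server_exec_t, $1_evolution_server_t)
')
# Access evolution home
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files($1_evolution_server_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_files($1_evolution_server_t)
')
optional_policy(`
gnome_stream_connect_gconf_template($1, $1_evolution_server_t)
')
optional_policy(`
nscd_socket_use($1_evolution_server_t)
')
ifdef(`TODO',`
# Gnome common stuff
gnome_application($1_evolution_server, $1)
')
########################################
#
# Evolution webcal local policy
#
allow $1_evolution_webcal_t self:tcp_socket create_socket_perms;
# X/evolution common stuff
allow $1_evolution_webcal_t $1_evolution_webcal_tmpfs_t:dir rw_dir_perms;
allow $1_evolution_webcal_t $1_evolution_webcal_tmpfs_t:file manage_file_perms;
allow $1_evolution_webcal_t $1_evolution_webcal_tmpfs_t:lnk_file create_lnk_perms;
allow $1_evolution_webcal_t $1_evolution_webcal_tmpfs_t:sock_file manage_file_perms;
allow $1_evolution_webcal_t $1_evolution_webcal_tmpfs_t:fifo_file manage_file_perms;
fs_tmpfs_filetrans($1_evolution_webcal_t,$1_evolution_webcal_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
# Transition from user type
domain_auto_trans($2, evolution_webcal_exec_t, $1_evolution_webcal_t)
corenet_non_ipsec_sendrecv($1_evolution_webcal_t)
corenet_tcp_sendrecv_generic_if($1_evolution_webcal_t)
corenet_raw_sendrecv_generic_if($1_evolution_webcal_t)
corenet_tcp_sendrecv_all_nodes($1_evolution_webcal_t)
corenet_raw_sendrecv_all_nodes($1_evolution_webcal_t)
corenet_tcp_sendrecv_http_port($1_evolution_webcal_t)
corenet_tcp_sendrecv_http_cache_port($1_evolution_webcal_t)
corenet_tcp_connect_http_cache_port($1_evolution_webcal_t)
corenet_tcp_connect_http_port($1_evolution_webcal_t)
corenet_sendrecv_http_client_packets($1_evolution_webcal_t)
corenet_sendrecv_http_cache_client_packets($1_evolution_webcal_t)
# Networking capability - connect to website and handle ics link
sysnet_read_config($1_evolution_webcal_t)
sysnet_dns_name_resolve($1_evolution_webcal_t)
# Search home directory (?)
userdom_search_user_home_dirs($1,$1_evolution_webcal_t)
# FIXME: suppress access to .local/.icons/.themes until properly implemented
# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
# until properly implemented
userdom_dontaudit_read_user_home_content_files($1,$1_evolution_webcal_t)
xserver_user_client_template($1,$1_evolution_webcal_t,$1_evolution_webcal_tmpfs_t)
optional_policy(`
nscd_socket_use($1_evolution_webcal_t)
')
ifdef(`TODO',`
# Gnome common stuff
gnome_application($1_evolution_webcal, $1)
')
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `evolution_per_role_template'($*)) dnl
')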
########################################
##
## Create objects in the evolution home folders of the user.
##
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain allowed access.
##
##
##
##
## The object class of the object being created. If
## no class is specified, dir will be used.
##
##
#
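define(`evolution_home_filetrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `evolution_home_filetrans'($*)) dnl
# Label objects that $2 creates in $1_evolution_home_t as $3.
#   $1 = user prefix (e.g. user for user_t)
#   $2 = domain allowed access
#   $3 = type given to the created object
#   $4 = object class; dir is used when the argument is omitted
gen_require(`
type $1_evolution_home_t;
')
# Creating an entry needs write access on the parent directory.
allow $2 $1_evolution_home_t:dir rw_dir_perms;
# An empty $4 used to produce a class-less, unparsable rule; the ifelse
# supplies the documented default.
type_transition $2 $1_evolution_home_t:ifelse(`$4',`',`dir',`$4') $3;
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `evolution_home_filetrans'($*)) dnl
')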
########################################
##
## Connect to user evolution unix stream socket.
##
##
##
## Connect to user evolution unix stream socket.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain allowed access.
##
##
#
define(`evolution_stream_connect',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `evolution_stream_connect'($*)) dnl
gen_require(`
type $1_evolution_t;
type $1_evolution_home_t;
')
# Search on the evolution home directory, presumably where the socket
# is published.
allow $2 $1_evolution_home_t:dir search;
# Connect only: no create/bind on the evolution socket and nothing in the
# reverse direction.
allow $2 $1_evolution_t:unix_stream_socket connectto;
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `evolution_stream_connect'($*)) dnl
')
########################################
##
## Send and receive messages from
## evolution over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`evolution_dbus_chat',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `evolution_dbus_chat'($*)) dnl
gen_require(`
type $1_evolution_t;
class dbus send_msg;
')
# Two-way dbus message exchange between the caller and the per-user
# evolution domain. Each direction is its own rule; removing one line
# makes the exchange one-way.
allow $1_evolution_t $2:dbus send_msg;
allow $2 $1_evolution_t:dbus send_msg;
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `evolution_dbus_chat'($*)) dnl
')
########################################
##
## Send and receive messages from
## evolution_alarm over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`evolution_alarm_dbus_chat',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `evolution_alarm_dbus_chat'($*)) dnl
gen_require(`
type $1_evolution_alarm_t;
class dbus send_msg;
')
# Two-way dbus message exchange between the caller and the per-user
# evolution alarm domain; one rule per direction.
allow $1_evolution_alarm_t $2:dbus send_msg;
allow $2 $1_evolution_alarm_t:dbus send_msg;
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `evolution_alarm_dbus_chat'($*)) dnl
')
## Games
#######################################
##
## The per role template for the games module.
##
##
##
## This template creates derived domains which are used
## for games.
##
##
## This template is invoked automatically for each user, and
## generally does not need to be invoked directly
## by policy writers.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## The type of the user domain.
##
##
##
##
## The role associated with the user domain.
##
##
#
define(`games_per_role_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `games_per_role_template'($*)) dnl
########################################
#
# Declarations
#
# Games domain, entered through games_exec_t and available to role $3.
type $1_games_t;
domain_type($1_games_t)
domain_entry_file($1_games_t,games_exec_t)
role $3 types $1_games_t;
# Private pty, /tmp and tmpfs types for the games domain.
type $1_games_devpts_t;
term_pty($1_games_devpts_t)
type $1_games_tmp_t;
files_tmp_file($1_games_tmp_t)
type $1_games_tmpfs_t;
files_tmpfs_file($1_games_tmpfs_t)
########################################
#
# Local policy
#
# Self access: semaphores plus TCP and UDP sockets.
allow $1_games_t self:sem create_sem_perms;
allow $1_games_t self:tcp_socket create_stream_socket_perms;
allow $1_games_t self:udp_socket create_socket_perms;
# Private tmpfs content.
allow $1_games_t $1_games_tmpfs_t:dir rw_dir_perms;
allow $1_games_t $1_games_tmpfs_t:{ file sock_file fifo_file } manage_file_perms;
allow $1_games_t $1_games_tmpfs_t:lnk_file create_lnk_perms;
fs_tmpfs_filetrans($1_games_t,$1_games_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
# Private /tmp content.
allow $1_games_t $1_games_tmp_t:dir manage_dir_perms;
allow $1_games_t $1_games_tmp_t:file manage_file_perms;
files_tmp_filetrans($1_games_t,$1_games_tmp_t,{ dir file })
# Private pty.
allow $1_games_t $1_games_devpts_t:chr_file { rw_file_perms setattr };
term_create_pty($1_games_t,$1_games_devpts_t)
# Shared games data type and the game binaries themselves.
allow $1_games_t games_data_t:dir rw_dir_perms;
allow $1_games_t games_data_t:file manage_file_perms;
allow $1_games_t games_data_t:lnk_file create_lnk_perms;
can_exec($1_games_t,games_exec_t)
# Unix stream sockets are allowed in both directions between the user
# domain and the games domain; the games-to-user direction is the
# unusual one and worth keeping in mind when reviewing.
allow $2 $1_games_t:unix_stream_socket connectto;
allow $1_games_t $2:unix_stream_socket connectto;
kernel_read_system_state($1_games_t)
corecmd_exec_bin($1_games_t)
corecmd_exec_sbin($1_games_t)
# Network: send/recv over generic interfaces to all nodes and ports,
# while bind and connect are limited to the generic port type.
corenet_non_ipsec_sendrecv($1_games_t)
corenet_tcp_sendrecv_generic_if($1_games_t)
corenet_udp_sendrecv_generic_if($1_games_t)
corenet_tcp_sendrecv_all_nodes($1_games_t)
corenet_udp_sendrecv_all_nodes($1_games_t)
corenet_tcp_sendrecv_all_ports($1_games_t)
corenet_udp_sendrecv_all_ports($1_games_t)
corenet_tcp_bind_all_nodes($1_games_t)
corenet_tcp_bind_generic_port($1_games_t)
corenet_tcp_connect_generic_port($1_games_t)
corenet_sendrecv_generic_client_packets($1_games_t)
corenet_sendrecv_generic_server_packets($1_games_t)
# Sound, input devices and the random pool.
dev_read_input($1_games_t)
dev_read_mouse($1_games_t)
dev_read_sound($1_games_t)
dev_write_sound($1_games_t)
dev_read_urand($1_games_t)
files_read_etc_files($1_games_t)
files_read_usr_files($1_games_t)
files_read_var_files($1_games_t)
files_list_var($1_games_t)
files_search_var_lib($1_games_t)
files_dontaudit_search_var($1_games_t)
init_dontaudit_rw_utmp($1_games_t)
logging_dontaudit_search_logs($1_games_t)
libs_use_ld_so($1_games_t)
libs_use_shared_libs($1_games_t)
miscfiles_read_localization($1_games_t)
miscfiles_read_man_pages($1_games_t)
sysnet_read_config($1_games_t)
userdom_manage_user_tmp_dirs($1,$1_games_t)
userdom_manage_user_tmp_files($1,$1_games_t)
userdom_manage_user_tmp_symlinks($1,$1_games_t)
userdom_manage_user_tmp_sockets($1,$1_games_t)
# Suppress .icons denial until properly implemented
userdom_dontaudit_read_user_home_content_files($1,$1_games_t)
# Domain transition from the user domain, unless disabled by tunable.
# NOTE(review): unlike the gift and gpg templates in this file, no
# fd use / fifo_file / sigchld rules back to the user domain follow
# this transition; confirm that domain_auto_trans supplies them.
tunable_policy(`!disable_games_trans',`
domain_auto_trans($2, games_exec_t, $1_games_t)
')
# Executable anonymous memory only when the global tunable permits it.
tunable_policy(`allow_execmem',`
allow $1_games_t self:process execmem;
')
optional_policy(`
nscd_socket_use($1_games_t)
')
optional_policy(`
xserver_user_client_template($1,$1_games_t,$1_games_tmpfs_t)
xserver_create_xdm_tmp_sockets($1_games_t)
xserver_read_xdm_lib_files($1_games_t)
')
ifdef(`TODO',`
gnome_application($1_games, $1)
gnome_file_dialog($1_games, $1)
# Access /home/user/.gnome2
# FIXME: Change to use per app types
allow $1_games_t $1_gnome_settings_t:dir create_dir_perms;
allow $1_games_t $1_gnome_settings_t:file create_file_perms;
allow $1_games_t $1_gnome_settings_t:lnk_file create_lnk_perms;
#missing policy
optional_policy(`
dontaudit $1_games_t $1_mozilla_t:unix_stream_socket connectto;
')
')
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `games_per_role_template'($*)) dnl
')
## giFT peer to peer file sharing tool
#######################################
##
## The per role template for the gift module.
##
##
##
## This template creates derived domains which are used
## for gift client sessions and gift daemons.
##
##
## This template is invoked automatically for each user, and
## generally does not need to be invoked directly
## by policy writers.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## The type of the user domain.
##
##
##
##
## The role associated with the user domain.
##
##
#
define(`gift_per_role_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `gift_per_role_template'($*)) dnl
##############################
#
# Declarations
#
# giFT user interface domain.
type $1_gift_t;
domain_type($1_gift_t)
domain_entry_file($1_gift_t,gift_exec_t)
role $3 types $1_gift_t;
# giFT daemon domain.
type $1_giftd_t;
domain_type($1_giftd_t)
domain_entry_file($1_giftd_t,giftd_exec_t)
role $3 types $1_giftd_t;
# Home directory content shared by the user domain, the UI and the daemon.
type $1_gift_home_t alias $1_gift_rw_t;
files_poly_member($1_gift_home_t)
userdom_user_home_content($1,$1_gift_home_t)
# Private tmpfs for the UI.
type $1_gift_tmpfs_t;
files_tmpfs_file($1_gift_tmpfs_t)
##############################
#
# giFT user interface local policy
#
allow $1_gift_t self:tcp_socket create_socket_perms;
allow $1_gift_t $1_gift_tmpfs_t:dir rw_dir_perms;
allow $1_gift_t $1_gift_tmpfs_t:{ file sock_file fifo_file } manage_file_perms;
allow $1_gift_t $1_gift_tmpfs_t:lnk_file create_lnk_perms;
fs_tmpfs_filetrans($1_gift_t,$1_gift_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
allow $1_gift_t $1_gift_home_t:dir manage_dir_perms;
allow $1_gift_t $1_gift_home_t:file manage_file_perms;
allow $1_gift_t $1_gift_home_t:lnk_file create_lnk_perms;
userdom_user_home_dir_filetrans($1,$1_gift_t,$1_gift_home_t,dir)
# Transition from the user domain into the UI domain; the UI inherits
# the user fds and pipes and reports back with sigchld.
domain_auto_trans($2,gift_exec_t,$1_gift_t)
allow $1_gift_t $2:fd use;
allow $1_gift_t $2:fifo_file rw_file_perms;
allow $1_gift_t $2:process sigchld;
# The UI may launch the daemon; same inheritance pattern.
domain_auto_trans($1_gift_t,giftd_exec_t,$1_giftd_t)
allow $1_giftd_t $1_gift_t:fd use;
allow $1_giftd_t $1_gift_t:fifo_file rw_file_perms;
allow $1_giftd_t $1_gift_t:process sigchld;
# The user domain manages and relabels the gift home content directly.
allow $2 $1_gift_home_t:dir manage_dir_perms;
allow $2 $1_gift_home_t:file manage_file_perms;
allow $2 $1_gift_home_t:lnk_file create_lnk_perms;
allow $2 $1_gift_home_t:{ dir file lnk_file } { relabelfrom relabelto };
# The user domain can inspect (ps) and signal the UI domain.
allow $2 $1_gift_t:dir { search getattr read };
allow $2 $1_gift_t:{ file lnk_file } { read getattr };
allow $2 $1_gift_t:process { getattr signal_perms };
# Read /proc/meminfo
# NOTE(review): this call targets the daemon domain although it sits in
# the UI section, and the daemon section below repeats it; confirm
# whether the UI domain was the intended subject.
kernel_read_system_state($1_giftd_t)
# The UI reaches the daemon over the giftd port only.
corenet_non_ipsec_sendrecv($1_gift_t)
corenet_tcp_sendrecv_generic_if($1_gift_t)
corenet_tcp_sendrecv_all_nodes($1_gift_t)
corenet_tcp_sendrecv_giftd_port($1_gift_t)
corenet_tcp_connect_giftd_port($1_gift_t)
corenet_sendrecv_giftd_client_packets($1_gift_t)
fs_search_auto_mountpoints($1_gift_t)
sysnet_read_config($1_gift_t)
# NOTE(review): no libs_use_ld_so / libs_use_shared_libs calls for the
# UI domain appear here, unlike the daemon section; confirm that
# something else supplies them.
# giftui looks in .icons, .themes.
userdom_dontaudit_read_user_home_content_files($1,$1_gift_t)
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs($1_gift_t)
fs_manage_nfs_files($1_gift_t)
fs_manage_nfs_symlinks($1_gift_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_dirs($1_gift_t)
fs_manage_cifs_files($1_gift_t)
fs_manage_cifs_symlinks($1_gift_t)
')
# optional_policy(`
# gnome_user_application($1,$1_gift,$1_gift_t)
# ')
optional_policy(`
nscd_socket_use($1_gift_t)
')
optional_policy(`
xserver_user_client_template($1,$1_gift_t,$1_gift_tmpfs_t)
')
##############################
#
# giFT server local policy
#
allow $1_giftd_t self:process { signal setsched };
allow $1_giftd_t self:unix_stream_socket create_socket_perms;
allow $1_giftd_t self:tcp_socket create_stream_socket_perms;
allow $1_giftd_t self:udp_socket create_socket_perms;
allow $1_giftd_t $1_gift_home_t:dir manage_dir_perms;
allow $1_giftd_t $1_gift_home_t:file manage_file_perms;
allow $1_giftd_t $1_gift_home_t:lnk_file create_lnk_perms;
userdom_user_home_dir_filetrans($1,$1_giftd_t,$1_gift_home_t,dir)
# The daemon can also be started straight from the user domain.
domain_auto_trans($2,giftd_exec_t,$1_giftd_t)
allow $1_giftd_t $2:fd use;
allow $1_giftd_t $2:fifo_file rw_file_perms;
allow $1_giftd_t $2:process sigchld;
kernel_read_kernel_sysctls($1_giftd_t)
kernel_read_system_state($1_giftd_t)
# Serve content on various p2p networks. Ports can be random.
# NOTE(review): bind and connect are granted on all ports and all nodes
# for both TCP and UDP; this is the widest network grant in this part
# of the file and worth revisiting if the daemon can be pinned to a
# port type.
corenet_non_ipsec_sendrecv($1_giftd_t)
corenet_tcp_sendrecv_generic_if($1_giftd_t)
corenet_udp_sendrecv_generic_if($1_giftd_t)
corenet_tcp_sendrecv_all_nodes($1_giftd_t)
corenet_udp_sendrecv_all_nodes($1_giftd_t)
corenet_tcp_sendrecv_all_ports($1_giftd_t)
corenet_udp_sendrecv_all_ports($1_giftd_t)
corenet_tcp_bind_all_nodes($1_giftd_t)
corenet_udp_bind_all_nodes($1_giftd_t)
corenet_tcp_bind_all_ports($1_giftd_t)
corenet_udp_bind_all_ports($1_giftd_t)
corenet_tcp_connect_all_ports($1_giftd_t)
corenet_sendrecv_all_client_packets($1_giftd_t)
# Read /etc/mtab
files_read_etc_runtime_files($1_giftd_t)
files_read_usr_files($1_giftd_t)
libs_use_ld_so($1_giftd_t)
libs_use_shared_libs($1_giftd_t)
miscfiles_read_localization($1_giftd_t)
sysnet_read_config($1_giftd_t)
userdom_use_user_terminals($1,$1_giftd_t)
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs($1_giftd_t)
fs_manage_nfs_files($1_giftd_t)
fs_manage_nfs_symlinks($1_giftd_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_dirs($1_giftd_t)
fs_manage_cifs_files($1_giftd_t)
fs_manage_cifs_symlinks($1_giftd_t)
')
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `gift_per_role_template'($*)) dnl
')
## GNU network object model environment (GNOME)
########################################
##
## The per role template for the gnome module.
##
##
##
## This template creates a derived domain which is used
## for gconf sessions.
##
##
## This template is invoked automatically for each role, and
## generally does not need to be invoked directly
## by policy writers.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## The type of the user domain.
##
##
##
##
## The role associated with the user domain.
##
##
#
define(`gnome_per_role_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `gnome_per_role_template'($*)) dnl
##############################
#
# Declarations
#
# Only a home content type is declared here; no derived domain is
# created by this template (the gconfd domain comes from
# gnome_gconf_per_role_template).
type $1_gnome_home_t;
userdom_user_home_type($1_gnome_home_t)
userdom_user_home_content($1,$1_gnome_home_t)
# The user domain fully manages its own gnome home content.
manage_files_pattern($2,$1_gnome_home_t,$1_gnome_home_t)
manage_dirs_pattern($2,$1_gnome_home_t,$1_gnome_home_t)
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `gnome_per_role_template'($*)) dnl
')
########################################
##
## The per role template for the gnome gconf module.
##
##
##
## This template creates a derived domain which is used
## for gconf sessions.
##
##
## This template is invoked automatically for each role, and
## generally does not need to be invoked directly
## by policy writers.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## The type of the user domain.
##
##
##
##
## The role associated with the user domain.
##
##
#
define(`gnome_gconf_per_role_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `gnome_gconf_per_role_template'($*)) dnl
gen_require(`
type gconfd_exec_t;
attribute gnomedomain;
')
##############################
#
# Declarations
#
# Per-role gconfd domain, carrying the gnomedomain attribute so that
# gnome_signal_all reaches it.
type $1_gconfd_t, gnomedomain;
application_domain($1_gconfd_t,gconfd_exec_t)
role $3 types $1_gconfd_t;
# Home and tmp content owned by gconfd.
type $1_gconf_home_t;
userdom_user_home_content($1,$1_gconf_home_t)
type $1_gconf_tmp_t;
files_tmp_file($1_gconf_tmp_t)
##############################
#
# Local Policy
#
allow $1_gconfd_t self:fifo_file rw_fifo_file_perms;
allow $1_gconfd_t self:process getsched;
manage_dirs_pattern($1_gconfd_t,$1_gconf_home_t,$1_gconf_home_t)
manage_files_pattern($1_gconfd_t,$1_gconf_home_t,$1_gconf_home_t)
userdom_user_home_dir_filetrans($1,$1_gconfd_t,$1_gconf_home_t,dir)
manage_dirs_pattern($1_gconfd_t,$1_gconf_tmp_t,$1_gconf_tmp_t)
manage_files_pattern($1_gconfd_t,$1_gconf_tmp_t,$1_gconf_tmp_t)
userdom_user_tmp_filetrans($1,$1_gconfd_t,$1_gconf_tmp_t,{ dir file })
# Transition from the user domain. gconfd only writes (does not read)
# the inherited pipes, and may connect back to user domain stream sockets.
domain_auto_trans($2,gconfd_exec_t,$1_gconfd_t)
allow $1_gconfd_t $2:fd use;
allow $1_gconfd_t $2:fifo_file write;
allow $1_gconfd_t $2:unix_stream_socket connectto;
ps_process_pattern($2,$1_gconfd_t)
dev_read_urand($1_gconfd_t)
files_read_etc_files($1_gconfd_t)
libs_use_ld_so($1_gconfd_t)
libs_use_shared_libs($1_gconfd_t)
logging_send_syslog_msg($1_gconfd_t)
miscfiles_read_localization($1_gconfd_t)
userdom_manage_user_tmp_dirs($1,$1_gconfd_t)
userdom_manage_user_tmp_sockets($1,$1_gconfd_t)
userdom_tmp_filetrans_user_tmp($1,$1_gconfd_t,dir)
# The user domain itself receives the gconf client rules.
gnome_stream_connect_gconf_template($1,$2)
optional_policy(`
mozilla_stream_connect_template($1,$1_gconfd_t)
')
optional_policy(`
nscd_dontaudit_search_pid($1_gconfd_t)
nscd_socket_use($1_gconfd_t)
')
optional_policy(`
xserver_use_xdm_fds($1_gconfd_t)
xserver_rw_xdm_pipes($1_gconfd_t)
')
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `gnome_gconf_per_role_template'($*)) dnl
')
########################################
##
## gconf connection template.
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## The type of the user domain.
##
##
#
define(`gnome_stream_connect_gconf_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `gnome_stream_connect_gconf_template'($*)) dnl
gen_require(`
type $1_gconfd_t, $1_gconf_tmp_t;
')
# Clients connect to the gconfd stream socket and read the gconf tmp
# content (presumably where the socket location is published).
allow $2 $1_gconfd_t:unix_stream_socket connectto;
read_files_pattern($2,$1_gconf_tmp_t,$1_gconf_tmp_t)
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `gnome_stream_connect_gconf_template'($*)) dnl
')
########################################
##
## Send general signals to all gconf domains.
##
##
##
## Domain allowed access.
##
##
#
define(`gnome_signal_all',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `gnome_signal_all'($*)) dnl
gen_require(`
attribute gnomedomain;
')
# Plain signal only over every gnomedomain member; no sigkill, sigstop
# or other process permissions are granted here.
allow $1 gnomedomain:process signal;
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `gnome_signal_all'($*)) dnl
')
########################################
##
## Run gconfd in the role-specific gconfd domain.
##
##
##
## Run gconfd in the role-specific gconfd domain.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain allowed access.
##
##
#
define(`gnome_domtrans_user_gconf',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `gnome_domtrans_user_gconf'($*)) dnl
gen_require(`
type gconfd_exec_t;
type $1_gconfd_t;
')
# Uses domtrans_pattern rather than the domain_auto_trans plus explicit
# fd / fifo_file / sigchld rules used by the per-role templates in this file.
domtrans_pattern($2,gconfd_exec_t,$1_gconfd_t)
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `gnome_domtrans_user_gconf'($*)) dnl
')
########################################
##
## read gnome homedir content (.config)
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## The type of the user domain.
##
##
#
define(`gnome_read_user_gnome_config',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `gnome_read_user_gnome_config'($*)) dnl
gen_require(`
type $1_gnome_home_t;
')
# Read-only access to files of the gnome home content type; the
# directory side comes from read_files_pattern itself.
read_files_pattern($2,$1_gnome_home_t,$1_gnome_home_t)
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `gnome_read_user_gnome_config'($*)) dnl
')
########################################
##
## manage gnome homedir content (.config)
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## The type of the user domain.
##
##
#
define(`gnome_manage_user_gnome_config',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `gnome_manage_user_gnome_config'($*)) dnl
gen_require(`
type $1_gnome_home_t;
')
# Full management of files and directories of the gnome home content
# type; symlinks are not covered by this interface.
manage_files_pattern($2,$1_gnome_home_t,$1_gnome_home_t)
manage_dirs_pattern($2,$1_gnome_home_t,$1_gnome_home_t)
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `gnome_manage_user_gnome_config'($*)) dnl
')
########################################
##
## Execute gconf programs in
## the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`gnome_exec_gconf',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `gnome_exec_gconf'($*)) dnl
gen_require(`
type gconfd_exec_t;
')
# Execute without a domain transition: the gconf programs keep running
# in the caller domain.
can_exec($1,gconfd_exec_t)
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `gnome_exec_gconf'($*)) dnl
')
## Policy for GNU Privacy Guard and related programs.
#######################################
##
## The per role template for the gpg module.
##
##
##
## This template creates the types and rules for GPG,
## GPG-agent, and GPG helper programs. This protects
## the user keys and secrets, and runs the programs
## in domains specific to the user type.
##
##
## This is invoked automatically for each user and
## generally does not need to be invoked directly
## by policy writers.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## The user domain.
##
##
##
##
## The role associated with the user.
##
##
#
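define(`gpg_per_role_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `gpg_per_role_template'($*)) dnl
gen_require(`
type gpg_exec_t;
type gpg_helper_exec_t;
type gpg_agent_exec_t;
type pinentry_exec_t;
')
########################################
#
# Declarations
#
# Four derived domains, one per program: gpg, the key fetching helper,
# gpg-agent and pinentry. All are available to role $3.
type $1_gpg_t;
domain_type($1_gpg_t)
domain_entry_file($1_gpg_t,gpg_exec_t)
role $3 types $1_gpg_t;
type $1_gpg_helper_t;
domain_type($1_gpg_helper_t)
domain_entry_file($1_gpg_helper_t,gpg_helper_exec_t)
role $3 types $1_gpg_helper_t;
type $1_gpg_agent_t;
domain_type($1_gpg_agent_t)
domain_entry_file($1_gpg_agent_t,gpg_agent_exec_t)
role $3 types $1_gpg_agent_t;
type $1_gpg_pinentry_t;
domain_type($1_gpg_pinentry_t)
domain_entry_file($1_gpg_pinentry_t,pinentry_exec_t)
role $3 types $1_gpg_pinentry_t;
# Home content holding the keyrings and secrets, and the tmp type used
# for the agent socket.
type $1_gpg_secret_t;
userdom_user_home_content($1,$1_gpg_secret_t)
type $1_gpg_agent_tmp_t;
files_tmp_file($1_gpg_agent_tmp_t)
########################################
#
# GPG local policy
#
allow $1_gpg_t self:capability { ipc_lock setuid };
# setrlimit is for ulimit -c 0
allow $1_gpg_t self:process { setrlimit setcap setpgid };
allow $1_gpg_t self:fifo_file rw_file_perms;
allow $1_gpg_t self:tcp_socket create_stream_socket_perms;
# Both the user domain and gpg itself may signal gpg.
allow $2 $1_gpg_t:process signal;
allow $1_gpg_t self:process signal;
# Keyring directory: read/write the directory, create files and
# symlinks, and label new entries created in the home directory with
# the secret type.
allow $1_gpg_t $1_gpg_secret_t:dir rw_dir_perms;
allow $1_gpg_t $1_gpg_secret_t:file create_file_perms;
allow $1_gpg_t $1_gpg_secret_t:lnk_file create_lnk_perms;
userdom_user_home_dir_filetrans($1,$1_gpg_t,$1_gpg_secret_t,dir)
# transition from the userdomain to the derived domain
domain_auto_trans($2,gpg_exec_t,$1_gpg_t)
allow $1_gpg_t $2:fd use;
allow $1_gpg_t $2:fifo_file rw_file_perms;
allow $1_gpg_t $2:process sigchld;
# allow ps to show gpg
allow $2 $1_gpg_t:dir { search getattr read };
allow $2 $1_gpg_t:{ file lnk_file } { read getattr };
allow $2 $1_gpg_t:process getattr;
# Network: connect to any port on any node over all interfaces.
corenet_non_ipsec_sendrecv($1_gpg_t)
corenet_tcp_sendrecv_all_if($1_gpg_t)
corenet_udp_sendrecv_all_if($1_gpg_t)
corenet_tcp_sendrecv_all_nodes($1_gpg_t)
corenet_udp_sendrecv_all_nodes($1_gpg_t)
corenet_tcp_sendrecv_all_ports($1_gpg_t)
corenet_udp_sendrecv_all_ports($1_gpg_t)
corenet_tcp_connect_all_ports($1_gpg_t)
corenet_sendrecv_all_client_packets($1_gpg_t)
dev_read_rand($1_gpg_t)
dev_read_urand($1_gpg_t)
domain_use_interactive_fds($1_gpg_t)
files_dontaudit_search_var($1_gpg_t)
files_read_etc_files($1_gpg_t)
files_read_usr_files($1_gpg_t)
fs_getattr_xattr_fs($1_gpg_t)
libs_use_ld_so($1_gpg_t)
libs_use_shared_libs($1_gpg_t)
logging_send_syslog_msg($1_gpg_t)
miscfiles_read_localization($1_gpg_t)
sysnet_read_config($1_gpg_t)
userdom_use_user_terminals($1,$1_gpg_t)
optional_policy(`
nis_use_ypbind($1_gpg_t)
')
# Moved here from the helper section: these rules are for the gpg
# domain, not the helper.
optional_policy(`
xserver_use_xdm_fds($1_gpg_t)
xserver_rw_xdm_pipes($1_gpg_t)
')
ifdef(`TODO',`
# Read content to encrypt/decrypt/sign
read_content($1_gpg_t, $1)
# Write content to encrypt/decrypt/sign
write_trusted($1_gpg_t, $1)
') dnl end TODO
########################################
#
# GPG helper local policy
#
# for helper programs (which automatically fetch keys)
# Note: this is only tested with the hkp interface. If you use eg the
# mail interface you will likely need additional permissions.
# transition from the gpg domain to the helper domain
domain_auto_trans($1_gpg_t,gpg_helper_exec_t,$1_gpg_helper_t)
allow $1_gpg_helper_t $1_gpg_t:fd use;
allow $1_gpg_helper_t $1_gpg_t:fifo_file rw_file_perms;
allow $1_gpg_helper_t $1_gpg_t:process sigchld;
# communicate with the user
allow $1_gpg_helper_t $2:fd use;
allow $1_gpg_helper_t $2:fifo_file write;
allow $1_gpg_helper_t self:unix_stream_socket create_stream_socket_perms;
allow $1_gpg_helper_t self:tcp_socket { connect connected_socket_perms };
allow $1_gpg_helper_t self:udp_socket { connect connected_socket_perms };
# Reads of the secret keyring by the helper stay denied and are not
# logged.
dontaudit $1_gpg_helper_t $1_gpg_secret_t:file read;
# Network: all interfaces, nodes and ports, including raw send/recv.
# NOTE(review): raw socket send/recv and bind on all nodes look wider
# than a key fetching helper needs; no self:rawip_socket rule appears
# in this template, so confirm what actually uses the raw grants.
corenet_non_ipsec_sendrecv($1_gpg_helper_t)
corenet_tcp_sendrecv_all_if($1_gpg_helper_t)
corenet_udp_sendrecv_all_if($1_gpg_helper_t)
corenet_raw_sendrecv_all_if($1_gpg_helper_t)
corenet_tcp_sendrecv_all_nodes($1_gpg_helper_t)
corenet_udp_sendrecv_all_nodes($1_gpg_helper_t)
corenet_raw_sendrecv_all_nodes($1_gpg_helper_t)
corenet_tcp_sendrecv_all_ports($1_gpg_helper_t)
corenet_udp_sendrecv_all_ports($1_gpg_helper_t)
corenet_tcp_bind_all_nodes($1_gpg_helper_t)
corenet_udp_bind_all_nodes($1_gpg_helper_t)
corenet_tcp_connect_all_ports($1_gpg_helper_t)
dev_read_urand($1_gpg_helper_t)
files_read_etc_files($1_gpg_helper_t)
# for nscd
files_dontaudit_search_var($1_gpg_helper_t)
libs_use_ld_so($1_gpg_helper_t)
libs_use_shared_libs($1_gpg_helper_t)
sysnet_read_config($1_gpg_helper_t)
tunable_policy(`use_nfs_home_dirs',`
fs_dontaudit_rw_nfs_files($1_gpg_helper_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_dontaudit_rw_cifs_files($1_gpg_helper_t)
')
########################################
#
# GPG agent local policy
#
# rlimit: gpg-agent wants to prevent coredumps
allow $1_gpg_agent_t self:process setrlimit;
allow $1_gpg_agent_t self:unix_stream_socket create_stream_socket_perms;
allow $1_gpg_agent_t self:fifo_file rw_file_perms;
# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
allow $1_gpg_agent_t $1_gpg_secret_t:dir create_dir_perms;
allow $1_gpg_agent_t $1_gpg_secret_t:file create_file_perms;
allow $1_gpg_agent_t $1_gpg_secret_t:lnk_file create_lnk_perms;
userdom_search_user_home_dirs($1,$1_gpg_agent_t)
# Agent socket in tmp: the agent creates it; gpg reaches it with search
# on the directory plus write on the sock_file, then connects.
files_tmp_filetrans($1_gpg_agent_t,$1_gpg_agent_tmp_t,{ dir file sock_file })
allow $1_gpg_t $1_gpg_agent_tmp_t:dir search;
allow $1_gpg_t $1_gpg_agent_tmp_t:sock_file write;
allow $1_gpg_t $1_gpg_agent_t:unix_stream_socket connectto;
# The user domain may create the agent tmp content as well, and may
# inspect (ps), signal and kill the agent.
allow $2 $1_gpg_agent_tmp_t:dir create_dir_perms;
allow $2 $1_gpg_agent_tmp_t:{ file sock_file } create_file_perms;
allow $2 $1_gpg_agent_t:dir { search getattr read };
allow $2 $1_gpg_agent_t:{ file lnk_file } { read getattr };
allow $2 $1_gpg_agent_t:process { getattr signal sigkill };
# Transition from the user domain to the derived domain.
domain_auto_trans($2,gpg_agent_exec_t,$1_gpg_agent_t)
allow $1_gpg_agent_t $2:fd use;
allow $1_gpg_agent_t $2:fifo_file rw_file_perms;
allow $1_gpg_agent_t $2:process sigchld;
corecmd_search_bin($1_gpg_agent_t)
domain_use_interactive_fds($1_gpg_agent_t)
libs_use_ld_so($1_gpg_agent_t)
libs_use_shared_libs($1_gpg_agent_t)
miscfiles_read_localization($1_gpg_agent_t)
# Write to the user domain tty.
userdom_use_user_terminals($1,$1_gpg_agent_t)
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs($1_gpg_agent_t)
fs_manage_nfs_files($1_gpg_agent_t)
fs_manage_nfs_symlinks($1_gpg_agent_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_dirs($1_gpg_agent_t)
fs_manage_cifs_files($1_gpg_agent_t)
fs_manage_cifs_symlinks($1_gpg_agent_t)
')
##############################
#
# Pinentry local policy
#
# we need to allow gpg-agent to call pinentry so it can get the passphrase
# from the user.
domain_auto_trans($1_gpg_agent_t,pinentry_exec_t,$1_gpg_pinentry_t)
# Every other transition in this file grants the child use of the parent
# fds and pipes plus sigchld back to the parent. The pinentry rules had
# the roles reversed (agent using pinentry fds, agent sending sigchld to
# pinentry). The conventional child-to-parent rules are added; the
# original reversed rules are retained for compatibility.
allow $1_gpg_pinentry_t $1_gpg_agent_t:fd use;
allow $1_gpg_pinentry_t $1_gpg_agent_t:fifo_file rw_file_perms;
allow $1_gpg_pinentry_t $1_gpg_agent_t:process sigchld;
allow $1_gpg_agent_t $1_gpg_pinentry_t:fd use;
allow $1_gpg_agent_t $1_gpg_pinentry_t:fifo_file rw_file_perms;
allow $1_gpg_agent_t $1_gpg_pinentry_t:process sigchld;
allow $1_gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
allow $1_gpg_pinentry_t self:fifo_file rw_file_perms;
# read /proc/meminfo
kernel_read_system_state($1_gpg_pinentry_t)
# read /etc/X11/qtrc
files_read_etc_files($1_gpg_pinentry_t)
files_read_usr_files($1_gpg_pinentry_t)
libs_use_ld_so($1_gpg_pinentry_t)
libs_use_shared_libs($1_gpg_pinentry_t)
miscfiles_read_fonts($1_gpg_pinentry_t)
miscfiles_read_localization($1_gpg_pinentry_t)
# for .Xauthority
# NOTE(review): this grants read on all user home content files; if the
# gpg secret type is among them, pinentry can read the keyring. Narrow
# it to the .Xauthority type if the policy provides one.
userdom_read_user_home_content_files($1,$1_gpg_pinentry_t)
tunable_policy(`use_nfs_home_dirs',`
fs_read_nfs_files($1_gpg_pinentry_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_read_cifs_files($1_gpg_pinentry_t)
')
optional_policy(`
xserver_stream_connect_xdm_xserver($1_gpg_pinentry_t)
')
ifdef(`TODO',`
allow $1_gpg_pinentry_t tmp_t:dir { getattr search };
# wants to put some lock files into the user home dir, seems to work fine without
dontaudit $1_gpg_pinentry_t $1_home_t:dir { read write };
dontaudit $1_gpg_pinentry_t $1_home_t:file write;
tunable_policy(`use_nfs_home_dirs',`
dontaudit $1_gpg_pinentry_t nfs_t:dir write;
dontaudit $1_gpg_pinentry_t nfs_t:file write;
')
tunable_policy(`use_samba_home_dirs',`
dontaudit $1_gpg_pinentry_t cifs_t:dir write;
dontaudit $1_gpg_pinentry_t cifs_t:file write;
')
dontaudit $1_gpg_pinentry_t { sysctl_t sysctl_kernel_t }:dir { getattr search };
') dnl end TODO
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `gpg_per_role_template'($*)) dnl
')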
########################################
##
## Transition to a user gpg domain.
##
##
##
## Transition to a user gpg domain.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain allowed access.
##
##
#
define(`gpg_domtrans_user_gpg',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `gpg_domtrans_user_gpg'($*)) dnl
gen_require(`
type gpg_exec_t;
type $1_gpg_t;
')
domain_auto_trans($2,gpg_exec_t,$1_gpg_t)
# The gpg child uses the caller fds and pipes and reports back with
# sigchld; the caller may in turn use fds of the gpg process.
allow $1_gpg_t $2:fd use;
allow $1_gpg_t $2:fifo_file rw_file_perms;
allow $1_gpg_t $2:process sigchld;
allow $2 $1_gpg_t:fd use;
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `gpg_domtrans_user_gpg'($*)) dnl
')
########################################
##
## Send generic signals to user gpg processes.
##
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain allowed access.
##
##
#
define(`gpg_signal_user_gpg',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `gpg_signal_user_gpg'($*)) dnl
gen_require(`
type $1_gpg_t;
')
# Only the generic signal permission is granted; sigkill, sigstop
# and the other signal_perms members are deliberately left out.
allow $2 $1_gpg_t:process signal;
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `gpg_signal_user_gpg'($*)) dnl
')
## IRC client policy
#######################################
##
## The per role template for the irc module.
##
##
##
## This template creates the derived domains which are used
## for irc client sessions.
##
##
## This template is invoked automatically for each user, and
## generally does not need to be invoked directly
## by policy writers.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## The type of the user domain.
##
##
##
##
## The role associated with the user domain.
##
##
#
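define(`irc_per_role_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `irc_per_role_template'($*)) dnl
gen_require(`
type irc_exec_t;
')
########################################
#
# Declarations
#
# $1 = user prefix, $2 = user domain type, $3 = user role.
# Derived types: $1_irc_t (client domain), $1_irc_exec_t (client
# binaries kept in the home dir), $1_irc_home_t (client config in
# the home dir) and $1_irc_tmp_t (scratch files under /tmp).
#
type $1_irc_t;
domain_type($1_irc_t)
domain_entry_file($1_irc_t,irc_exec_t)
role $3 types $1_irc_t;
# Binaries labeled $1_irc_exec_t are a second entry point into
# $1_irc_t, alongside the system irc_exec_t.
type $1_irc_exec_t;
userdom_user_home_content($1,$1_irc_exec_t)
domain_entry_file($1_irc_t,$1_irc_exec_t)
type $1_irc_home_t;
userdom_user_home_content($1,$1_irc_home_t)
# Scratch files are created under /tmp (files_tmp_filetrans below),
# so the type is declared as a tmp file type, as the java and
# mozilla templates do, rather than as user home content.
type $1_irc_tmp_t;
files_tmp_file($1_irc_tmp_t)
########################################
#
# Local policy
#
allow $1_irc_t self:dir search;
allow $1_irc_t self:lnk_file read;
allow $1_irc_t self:unix_stream_socket create_stream_socket_perms;
allow $1_irc_t self:tcp_socket create_socket_perms;
allow $1_irc_t self:udp_socket create_socket_perms;
# Full control over the client config, and new home dir objects of
# these classes are labeled $1_irc_home_t.
allow $1_irc_t $1_irc_home_t:dir create_dir_perms;
allow $1_irc_t $1_irc_home_t:file create_file_perms;
allow $1_irc_t $1_irc_home_t:lnk_file create_lnk_perms;
userdom_user_home_dir_filetrans($1,$1_irc_t,$1_irc_home_t,{ dir file lnk_file })
# access files under /tmp
allow $1_irc_t $1_irc_tmp_t:dir create_dir_perms;
allow $1_irc_t $1_irc_tmp_t:file create_file_perms;
allow $1_irc_t $1_irc_tmp_t:lnk_file create_lnk_perms;
allow $1_irc_t $1_irc_tmp_t:sock_file create_file_perms;
allow $1_irc_t $1_irc_tmp_t:fifo_file create_file_perms;
files_tmp_filetrans($1_irc_t,$1_irc_tmp_t,{ file dir lnk_file sock_file fifo_file })
# Transition from the user domain to the derived domain.
domain_auto_trans($2,irc_exec_t,$1_irc_t)
# Parent/child plumbing: descriptors both ways, pipes from the
# caller, SIGCHLD back to the caller; the caller may also send
# the generic signal to the client.
allow $2 $1_irc_t:fd use;
allow $1_irc_t $2:fd use;
allow $1_irc_t $2:fifo_file rw_file_perms;
allow $1_irc_t $2:process sigchld;
allow $2 $1_irc_t:process signal;
# The user domain installs and relabels its own client binaries.
allow $2 $1_irc_exec_t:file { relabelfrom relabelto create_file_perms };
# allow ps to show irc
allow $2 $1_irc_t:dir { search getattr read };
allow $2 $1_irc_t:{ file lnk_file } { read getattr };
allow $2 $1_irc_t:process getattr;
kernel_read_proc_symlinks($1_irc_t)
# Networking: generic interfaces and nodes, send/receive on all
# ports, plus the ircd client packet label.
corenet_non_ipsec_sendrecv($1_irc_t)
corenet_tcp_sendrecv_generic_if($1_irc_t)
corenet_udp_sendrecv_generic_if($1_irc_t)
corenet_tcp_sendrecv_all_nodes($1_irc_t)
corenet_udp_sendrecv_all_nodes($1_irc_t)
corenet_tcp_sendrecv_all_ports($1_irc_t)
corenet_udp_sendrecv_all_ports($1_irc_t)
corenet_sendrecv_ircd_client_packets($1_irc_t)
# cjp: this seems excessive:
# (connecting to every port makes the client domain a generic
# outbound network client, not just an irc client)
corenet_tcp_connect_all_ports($1_irc_t)
corenet_sendrecv_all_client_packets($1_irc_t)
domain_use_interactive_fds($1_irc_t)
files_dontaudit_search_pids($1_irc_t)
files_search_var($1_irc_t)
files_read_etc_files($1_irc_t)
files_read_usr_files($1_irc_t)
fs_getattr_xattr_fs($1_irc_t)
fs_search_auto_mountpoints($1_irc_t)
term_use_controlling_term($1_irc_t)
term_list_ptys($1_irc_t)
# allow utmp access
init_read_utmp($1_irc_t)
init_dontaudit_lock_utmp($1_irc_t)
libs_use_ld_so($1_irc_t)
libs_use_shared_libs($1_irc_t)
miscfiles_read_localization($1_irc_t)
# Inherit and use descriptors from newrole.
seutil_use_newrole_fds($1_irc_t)
sysnet_read_config($1_irc_t)
# Write to the user domain tty.
userdom_use_user_terminals($1,$1_irc_t)
# Home directories on NFS or CIFS get full management when the
# matching tunable is on.
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs($1_irc_t)
fs_manage_nfs_files($1_irc_t)
fs_manage_nfs_symlinks($1_irc_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_dirs($1_irc_t)
fs_manage_cifs_files($1_irc_t)
fs_manage_cifs_symlinks($1_irc_t)
')
optional_policy(`
nis_use_ypbind($1_irc_t)
')
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `irc_per_role_template'($*)) dnl
')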
## Java virtual machine
#######################################
##
## The per role template for the java module.
##
##
##
## This template creates the derived domains which are used
## for java plugins that are executed by a browser.
##
##
## This template is invoked automatically for each user, and
## generally does not need to be invoked directly
## by policy writers.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## The type of the user domain.
##
##
##
##
## The role associated with the user domain.
##
##
#
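define(`java_per_role_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `java_per_role_template'($*)) dnl
gen_require(`
type java_exec_t;
')
########################################
#
# Declarations
#
# $1 = user prefix, $2 = user domain type, $3 = user role.
# Derived types: $1_javaplugin_t (plugin domain), $1_javaplugin_tmp_t
# (files under /tmp) and $1_javaplugin_tmpfs_t (tmpfs backed files).
#
type $1_javaplugin_t;
domain_type($1_javaplugin_t)
domain_entry_file($1_javaplugin_t,java_exec_t)
role $3 types $1_javaplugin_t;
type $1_javaplugin_tmp_t;
files_tmp_file($1_javaplugin_tmp_t)
type $1_javaplugin_tmpfs_t;
files_tmpfs_file($1_javaplugin_tmpfs_t)
########################################
#
# Local policy
#
# execmem (writable and executable anonymous memory) is granted
# unconditionally; execstack is only granted under the
# allow_java_execstack tunable below.
allow $1_javaplugin_t self:process { signal_perms getsched setsched execmem };
allow $1_javaplugin_t self:fifo_file rw_file_perms;
allow $1_javaplugin_t self:tcp_socket create_socket_perms;
allow $1_javaplugin_t self:udp_socket create_socket_perms;
# Connect to and use unix stream sockets of the user domain.
allow $1_javaplugin_t $2:unix_stream_socket connectto;
allow $1_javaplugin_t $2:unix_stream_socket { read write };
userdom_write_user_tmp_sockets($1,$1_javaplugin_t)
allow $1_javaplugin_t $1_javaplugin_tmp_t:dir create_dir_perms;
allow $1_javaplugin_t $1_javaplugin_tmp_t:file create_file_perms;
files_tmp_filetrans($1_javaplugin_t,$1_javaplugin_tmp_t,{ file dir })
allow $1_javaplugin_t $1_javaplugin_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
allow $1_javaplugin_t $1_javaplugin_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
allow $1_javaplugin_t $1_javaplugin_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
allow $1_javaplugin_t $1_javaplugin_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
allow $1_javaplugin_t $1_javaplugin_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
fs_tmpfs_filetrans($1_javaplugin_t,$1_javaplugin_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
# cjp: rw_dir_perms here doesnt make sense
allow $1_javaplugin_t $1_home_t:dir rw_dir_perms;
allow $1_javaplugin_t $1_home_t:file rw_file_perms;
allow $1_javaplugin_t $1_home_t:lnk_file { getattr read };
can_exec($1_javaplugin_t, java_exec_t)
# The user role is authorized for this domain.
# The transition source is the user domain passed in as $2, as in
# the other per role templates; the $1_t naming is not assumed.
domain_auto_trans($2, java_exec_t, $1_javaplugin_t)
allow $1_javaplugin_t $2:fd use;
# Unrestricted inheritance from the caller.
allow $2 $1_javaplugin_t:process { noatsecure siginh rlimitinh };
allow $1_javaplugin_t $2:process signull;
# Note the breadth: every sysctl, plus network and system state.
kernel_read_all_sysctls($1_javaplugin_t)
kernel_search_vm_sysctl($1_javaplugin_t)
kernel_read_network_state($1_javaplugin_t)
kernel_read_system_state($1_javaplugin_t)
# Search bin directory under javaplugin for javaplugin executable
corecmd_search_bin($1_javaplugin_t)
# Networking: generic interfaces and nodes, all ports for both
# send/receive and outbound connect.
corenet_non_ipsec_sendrecv($1_javaplugin_t)
corenet_tcp_sendrecv_generic_if($1_javaplugin_t)
corenet_udp_sendrecv_generic_if($1_javaplugin_t)
corenet_tcp_sendrecv_all_nodes($1_javaplugin_t)
corenet_udp_sendrecv_all_nodes($1_javaplugin_t)
corenet_tcp_sendrecv_all_ports($1_javaplugin_t)
corenet_udp_sendrecv_all_ports($1_javaplugin_t)
corenet_tcp_connect_all_ports($1_javaplugin_t)
corenet_sendrecv_all_client_packets($1_javaplugin_t)
dev_read_sound($1_javaplugin_t)
dev_write_sound($1_javaplugin_t)
dev_read_urand($1_javaplugin_t)
dev_read_rand($1_javaplugin_t)
files_read_etc_files($1_javaplugin_t)
files_read_usr_files($1_javaplugin_t)
files_search_home($1_javaplugin_t)
files_search_var_lib($1_javaplugin_t)
files_read_etc_runtime_files($1_javaplugin_t)
fs_getattr_xattr_fs($1_javaplugin_t)
fs_dontaudit_rw_tmpfs_files($1_javaplugin_t)
libs_use_ld_so($1_javaplugin_t)
libs_use_shared_libs($1_javaplugin_t)
logging_send_syslog_msg($1_javaplugin_t)
miscfiles_read_localization($1_javaplugin_t)
# Read global fonts and font config
miscfiles_read_fonts($1_javaplugin_t)
sysnet_read_config($1_javaplugin_t)
userdom_dontaudit_use_user_terminals($1,$1_javaplugin_t)
userdom_dontaudit_setattr_user_home_content_files($1,$1_javaplugin_t)
userdom_dontaudit_exec_user_home_content_files($1,$1_javaplugin_t)
# Full management of the user home content (not only the
# javaplugin specific types).
userdom_manage_user_home_content_dirs($1,$1_javaplugin_t)
userdom_manage_user_home_content_files($1,$1_javaplugin_t)
userdom_manage_user_home_content_symlinks($1,$1_javaplugin_t)
userdom_manage_user_home_content_pipes($1,$1_javaplugin_t)
userdom_manage_user_home_content_sockets($1,$1_javaplugin_t)
userdom_user_home_dir_filetrans_user_home_content($1,$1_javaplugin_t,{ file lnk_file sock_file fifo_file })
# Executable stack, execution of its own /tmp files and the legacy
# library paths are only granted when the tunable is on.
tunable_policy(`allow_java_execstack',`
allow $1_javaplugin_t self:process execstack;
allow $1_javaplugin_t $1_javaplugin_tmp_t:file execute;
libs_legacy_use_shared_libs($1_javaplugin_t)
libs_legacy_use_ld_so($1_javaplugin_t)
libs_use_lib_files($1_javaplugin_t)
miscfiles_legacy_read_localization($1_javaplugin_t)
')
optional_policy(`
nis_use_ypbind($1_javaplugin_t)
')
optional_policy(`
nscd_socket_use($1_javaplugin_t)
')
optional_policy(`
xserver_user_client_template($1,$1_javaplugin_t,$1_javaplugin_tmpfs_t)
')
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `java_per_role_template'($*)) dnl
')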
########################################
##
## Execute the java program in the java domain.
##
##
##
## Domain allowed access.
##
##
#
define(`java_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `java_domtrans'($*)) dnl
# A system-wide java_t exists only in the targeted policy; in strict
# policy the interface has nothing to transition to and says so.
ifdef(`targeted_policy',`
gen_require(`
type java_exec_t;
type java_t;
')
# Find the binary, then transition on exec.
corecmd_search_bin($1)
domain_auto_trans($1, java_exec_t, java_t)
# Parent/child plumbing: descriptors usable in both directions,
# pipes from the caller, SIGCHLD back to the caller.
allow java_t $1:fd use;
allow java_t $1:fifo_file rw_file_perms;
allow java_t $1:process sigchld;
allow $1 java_t:fd use;
',`
refpolicywarn(`$0($1) has no effect in strict policy.')
')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `java_domtrans'($*)) dnl
')
########################################
##
## Execute java in the specified domain.
##
##
##
## Execute the java program in the specified domain. This
## makes the calling domain transition to the specified
## domain when it executes java.
##
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the new process.
##
##
#
define(`java_spec_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `java_spec_domtrans'($*)) dnl
gen_require(`
type java_exec_t;
')
# Caller chooses the target domain: executing java_exec_t from $1
# defaults to $2, and domain_trans supplies the permissions that
# the default transition needs.
type_transition $1 java_exec_t:process $2;
domain_trans($1,java_exec_t,$2)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `java_spec_domtrans'($*)) dnl
')
########################################
##
## Run java in javaplugin domain.
##
##
##
## Run java in javaplugin domain.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain allowed access.
##
##
#
define(`java_domtrans_user_javaplugin',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `java_domtrans_user_javaplugin'($*)) dnl
gen_require(`
type java_exec_t;
type $1_javaplugin_t;
')
# Executing java_exec_t from $2 enters the per-role plugin domain.
domain_auto_trans($2,java_exec_t,$1_javaplugin_t)
# Parent/child plumbing: descriptors usable in both directions,
# pipes from the caller, SIGCHLD back to the caller.
allow $1_javaplugin_t $2:fd use;
allow $1_javaplugin_t $2:fifo_file rw_file_perms;
allow $1_javaplugin_t $2:process sigchld;
allow $2 $1_javaplugin_t:fd use;
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `java_domtrans_user_javaplugin'($*)) dnl
')
########################################
##
## Execute the java program in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
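define(`java_exec',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `java_exec'($*)) dnl
gen_require(`
type java_exec_t;
')
# Execute java_exec_t without a domain transition: java keeps
# running as $1. Spelled can_exec like the other exec interfaces
# in this file; the previous ca_exec was not a defined macro.
can_exec($1, java_exec_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `java_exec'($*)) dnl
')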
## Load keyboard mappings.
########################################
##
## Execute the loadkeys program in the loadkeys domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`loadkeys_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `loadkeys_domtrans'($*)) dnl
gen_require(`
type loadkeys_exec_t;
type loadkeys_t;
')
# Find the binary, then transition on exec.
corecmd_search_bin($1)
domain_auto_trans($1, loadkeys_exec_t, loadkeys_t)
# Parent/child plumbing: descriptors usable in both directions,
# pipes from the caller, SIGCHLD back to the caller.
allow loadkeys_t $1:fd use;
allow loadkeys_t $1:fifo_file rw_file_perms;
allow loadkeys_t $1:process sigchld;
allow $1 loadkeys_t:fd use;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `loadkeys_domtrans'($*)) dnl
')
########################################
##
## Execute the loadkeys program in the loadkeys domain, and
## allow the specified role the loadkeys domain.
##
##
##
## The type of the process performing this action.
##
##
##
##
## The role to allow the loadkeys domain.
##
##
##
##
## The type of the terminal the loadkeys domain is allowed to use.
##
##
##
#
define(`loadkeys_run',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `loadkeys_run'($*)) dnl
gen_require(`
type loadkeys_t;
')
# The role $2 may run loadkeys_t, and loadkeys may read and write
# the terminal type $3 it was started from.
role $2 types loadkeys_t;
allow loadkeys_t $3:chr_file rw_term_perms;
# The transition itself and the parent/child plumbing.
loadkeys_domtrans($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `loadkeys_run'($*)) dnl
')
########################################
##
## Execute the loadkeys program in the caller domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`loadkeys_exec',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `loadkeys_exec'($*)) dnl
ifdef(`targeted_policy',`
# $0(): the loadkeys program is an alias
# of generic bin programs.
# Note this grants execution of every generic bin program,
# not only loadkeys.
corecmd_exec_bin($1)
',`
gen_require(`
type loadkeys_exec_t;
')
# No domain transition: loadkeys keeps running as $1.
can_exec($1,loadkeys_exec_t)
')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `loadkeys_exec'($*)) dnl
')
## device locking policy for lockdev
#######################################
##
## The per role template for the lockdev module.
##
##
##
## This template creates derived domains which are used
## for lockdev. A derived type is also created to protect
## the user's device locks.
##
##
## This template is invoked automatically for each user, and
## generally does not need to be invoked directly
## by policy writers.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## The type of the user domain.
##
##
##
##
## The role associated with the user domain.
##
##
#
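define(`lockdev_per_role_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `lockdev_per_role_template'($*)) dnl
gen_require(`
type lockdev_exec_t;
')
########################################
#
# Declarations
#
# $1 = user prefix, $2 = user domain type, $3 = user role.
#
type $1_lockdev_t;
domain_type($1_lockdev_t)
domain_entry_file($1_lockdev_t,lockdev_exec_t)
role $3 types $1_lockdev_t;
# Per-user lock files get their own type so that the device locks
# of one user are kept apart from those of another.
type $1_lockdev_lock_t;
files_lock_file($1_lockdev_lock_t)
########################################
#
# Local policy
#
# Use capabilities.
allow $1_lockdev_t self:capability setgid;
allow $1_lockdev_t $2:process signull;
# Transition from the user domain to the derived domain.
domain_auto_trans($2, lockdev_exec_t, $1_lockdev_t)
allow $2 $1_lockdev_t:fd use;
allow $1_lockdev_t $2:fd use;
allow $1_lockdev_t $2:fifo_file rw_file_perms;
allow $1_lockdev_t $2:process sigchld;
# Create its own lock files (labeled on creation) and read all
# other lock files to detect existing locks.
allow $1_lockdev_t $1_lockdev_lock_t:file create_file_perms;
files_lock_filetrans($1_lockdev_t,$1_lockdev_lock_t,file)
files_read_all_locks($1_lockdev_t)
fs_getattr_xattr_fs($1_lockdev_t)
libs_use_ld_so($1_lockdev_t)
libs_use_shared_libs($1_lockdev_t)
logging_send_syslog_msg($1_lockdev_t)
userdom_use_user_terminals($1, $1_lockdev_t)
# The user domain is the $2 parameter; the $1_t naming convention
# is not assumed, matching the rest of this template.
optional_policy(`
logging_send_syslog_msg($2)
')
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `lockdev_per_role_template'($*)) dnl
')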
## Run .NET server and client applications on Linux.
########################################
##
## Execute the mono program in the mono domain.
##
##
##
## Domain allowed access.
##
##
#
define(`mono_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mono_domtrans'($*)) dnl
gen_require(`
type mono_exec_t;
type mono_t;
')
# Find the binary, then transition on exec.
corecmd_search_bin($1)
domain_auto_trans($1, mono_exec_t, mono_t)
# Parent/child plumbing: descriptors usable in both directions,
# pipes from the caller, SIGCHLD back to the caller.
allow mono_t $1:fd use;
allow mono_t $1:fifo_file rw_file_perms;
allow mono_t $1:process sigchld;
allow $1 mono_t:fd use;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mono_domtrans'($*)) dnl
')
## Policy for Mozilla and related web browsers
#######################################
##
## The per role template for the mozilla module.
##
##
##
## This template creates the derived domains which are used
## for the mozilla web browser.
##
##
## This template is invoked automatically for each user, and
## generally does not need to be invoked directly
## by policy writers.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## The type of the user domain.
##
##
##
##
## The role associated with the user domain.
##
##
#
define(`mozilla_per_role_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mozilla_per_role_template'($*)) dnl
gen_require(`
type mozilla_conf_t, mozilla_exec_t;
')
########################################
#
# Declarations
#
# $1 = user prefix, $2 = user domain type, $3 = user role.
# Derived types: $1_mozilla_t (browser domain), $1_mozilla_home_t
# (browser files in the home dir, alias $1_mozilla_rw_t) and
# $1_mozilla_tmpfs_t (tmpfs backed files).
#
type $1_mozilla_t;
domain_type($1_mozilla_t)
domain_entry_file($1_mozilla_t,mozilla_exec_t)
role $3 types $1_mozilla_t;
type $1_mozilla_home_t alias $1_mozilla_rw_t;
files_poly_member($1_mozilla_home_t)
userdom_user_home_content($1,$1_mozilla_home_t)
type $1_mozilla_tmpfs_t;
files_tmpfs_file($1_mozilla_tmpfs_t)
########################################
#
# Local policy
#
# setuid/setgid are capabilities, not ordinary user permissions:
# the browser domain may change its own uid and gid.
allow $1_mozilla_t self:capability { sys_nice setgid setuid };
allow $1_mozilla_t self:process { sigkill signal setsched getsched setrlimit };
allow $1_mozilla_t self:fifo_file rw_file_perms;
allow $1_mozilla_t self:shm { unix_read unix_write read write destroy create };
allow $1_mozilla_t self:sem create_sem_perms;
allow $1_mozilla_t self:socket create_socket_perms;
allow $1_mozilla_t self:unix_stream_socket { listen accept };
# Browse the web, connect to printer
allow $1_mozilla_t self:tcp_socket create_socket_perms;
allow $1_mozilla_t self:netlink_route_socket r_netlink_socket_perms;
# for bash - old mozilla binary
can_exec($1_mozilla_t, mozilla_exec_t)
# X access, Home files
allow $1_mozilla_t $1_mozilla_home_t:dir manage_dir_perms;
allow $1_mozilla_t $1_mozilla_home_t:file manage_file_perms;
allow $1_mozilla_t $1_mozilla_home_t:lnk_file create_lnk_perms;
fs_search_auto_mountpoints($1_mozilla_t)
# Mozpluggerrc
allow $1_mozilla_t mozilla_conf_t:file r_file_perms;
# Parent/child plumbing with the user domain, in both directions.
allow $1_mozilla_t $2:fd use;
allow $1_mozilla_t $2:process sigchld;
allow $1_mozilla_t $2:unix_stream_socket connectto;
allow $2 $1_mozilla_t:fd use;
allow $2 $1_mozilla_t:shm { associate getattr };
allow $2 $1_mozilla_t:shm { unix_read unix_write };
allow $2 $1_mozilla_t:unix_stream_socket connectto;
# X access, Home files
# The user domain itself also fully manages and relabels the
# browser home content.
allow $2 $1_mozilla_home_t:dir manage_dir_perms;
allow $2 $1_mozilla_home_t:file manage_file_perms;
allow $2 $1_mozilla_home_t:lnk_file create_lnk_perms;
allow $2 $1_mozilla_home_t:{ dir file lnk_file } { relabelfrom relabelto };
userdom_search_user_home_dirs($1,$1_mozilla_t)
userdom_dontaudit_list_user_files($1, $1_mozilla_t)
allow $1_mozilla_t $1_mozilla_tmpfs_t:dir rw_dir_perms;
allow $1_mozilla_t $1_mozilla_tmpfs_t:file manage_file_perms;
allow $1_mozilla_t $1_mozilla_tmpfs_t:lnk_file create_lnk_perms;
allow $1_mozilla_t $1_mozilla_tmpfs_t:sock_file manage_file_perms;
allow $1_mozilla_t $1_mozilla_tmpfs_t:fifo_file manage_file_perms;
fs_tmpfs_filetrans($1_mozilla_t,$1_mozilla_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
# Unrestricted inheritance from the caller.
# (no AT_SECURE, and signal state and rlimits carry over the exec)
allow $2 $1_mozilla_t:process { noatsecure siginh rlimitinh };
allow $1_mozilla_t $2:process signull;
# Allow the user domain to signal/ps.
allow $2 $1_mozilla_t:dir { search getattr read };
allow $2 $1_mozilla_t:{ file lnk_file } { read getattr };
allow $2 $1_mozilla_t:process getattr;
allow $2 $1_mozilla_t:process signal_perms;
kernel_read_kernel_sysctls($1_mozilla_t)
kernel_read_network_state($1_mozilla_t)
# Access /proc, sysctl
kernel_read_system_state($1_mozilla_t)
kernel_read_net_sysctls($1_mozilla_t)
corecmd_search_sbin($1_mozilla_t)
# Look for plugins
corecmd_list_bin($1_mozilla_t)
# for bash - old mozilla binary
corecmd_exec_shell($1_mozilla_t)
corecmd_exec_bin($1_mozilla_t)
# Browse the web, connect to printer
# Outbound connections are limited to the http, http cache, ftp,
# ipp and generic port types; other ports are dontaudited below.
corenet_non_ipsec_sendrecv($1_mozilla_t)
corenet_tcp_sendrecv_generic_if($1_mozilla_t)
corenet_raw_sendrecv_generic_if($1_mozilla_t)
corenet_tcp_sendrecv_all_nodes($1_mozilla_t)
corenet_raw_sendrecv_all_nodes($1_mozilla_t)
corenet_tcp_sendrecv_http_port($1_mozilla_t)
corenet_tcp_sendrecv_http_cache_port($1_mozilla_t)
corenet_tcp_sendrecv_ftp_port($1_mozilla_t)
corenet_tcp_sendrecv_ipp_port($1_mozilla_t)
corenet_tcp_connect_http_port($1_mozilla_t)
corenet_tcp_connect_http_cache_port($1_mozilla_t)
corenet_tcp_connect_ftp_port($1_mozilla_t)
corenet_tcp_connect_ipp_port($1_mozilla_t)
corenet_tcp_connect_generic_port($1_mozilla_t)
corenet_sendrecv_http_client_packets($1_mozilla_t)
corenet_sendrecv_http_cache_client_packets($1_mozilla_t)
corenet_sendrecv_ftp_client_packets($1_mozilla_t)
corenet_sendrecv_ipp_client_packets($1_mozilla_t)
corenet_sendrecv_generic_client_packets($1_mozilla_t)
# Should not need other ports
corenet_dontaudit_tcp_sendrecv_generic_port($1_mozilla_t)
corenet_dontaudit_tcp_bind_generic_port($1_mozilla_t)
dev_read_urand($1_mozilla_t)
dev_read_rand($1_mozilla_t)
dev_write_sound($1_mozilla_t)
dev_read_sound($1_mozilla_t)
dev_dontaudit_rw_dri($1_mozilla_t)
dev_getattr_sysfs_dirs($1_mozilla_t)
files_read_etc_runtime_files($1_mozilla_t)
files_read_usr_files($1_mozilla_t)
files_read_etc_files($1_mozilla_t)
# /var/lib
files_read_var_lib_files($1_mozilla_t)
# interacting with gstreamer
files_read_var_files($1_mozilla_t)
files_read_var_symlinks($1_mozilla_t)
files_dontaudit_getattr_boot_dirs($1_mozilla_t)
fs_list_inotifyfs($1_mozilla_t)
fs_rw_tmpfs_files($1_mozilla_t)
libs_use_ld_so($1_mozilla_t)
libs_use_lib_files($1_mozilla_t)
libs_use_shared_libs($1_mozilla_t)
logging_send_syslog_msg($1_mozilla_t)
miscfiles_read_fonts($1_mozilla_t)
miscfiles_read_localization($1_mozilla_t)
# Browse the web, connect to printer
sysnet_dns_name_resolve($1_mozilla_t)
sysnet_read_config($1_mozilla_t)
term_dontaudit_getattr_pty_dirs($1_mozilla_t)
# Full management of generic user home content and user tmp
# objects, independent of the mozilla_read_content and
# write_untrusted_content tunables below.
userdom_manage_user_home_content_dirs($1,$1_mozilla_t)
userdom_manage_user_home_content_files($1,$1_mozilla_t)
userdom_manage_user_home_content_symlinks($1,$1_mozilla_t)
userdom_manage_user_tmp_dirs($1,$1_mozilla_t)
userdom_manage_user_tmp_files($1,$1_mozilla_t)
userdom_manage_user_tmp_sockets($1,$1_mozilla_t)
# X access is unconditional here (not inside optional_policy).
xserver_user_client_template($1,$1_mozilla_t,$1_mozilla_tmpfs_t)
xserver_dontaudit_read_xdm_tmp_files($1_mozilla_t)
xserver_dontaudit_getattr_tmp_sock($1_mozilla_t)
# Writable+executable memory and executable stack only when the
# global allow_execmem tunable is on.
tunable_policy(`allow_execmem',`
allow $1_mozilla_t self:process { execmem execstack };
')
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs($1_mozilla_t)
fs_manage_nfs_files($1_mozilla_t)
fs_manage_nfs_symlinks($1_mozilla_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_dirs($1_mozilla_t)
fs_manage_cifs_files($1_mozilla_t)
fs_manage_cifs_symlinks($1_mozilla_t)
')
# Type transition
# Unlike the other templates the transition itself is tunable:
# with disable_mozilla_trans set, mozilla stays in the user domain.
tunable_policy(`! disable_mozilla_trans',`
domain_auto_trans($2, mozilla_exec_t, $1_mozilla_t)
')
# Uploads, local html
# Each read tunable below has an else branch that dontaudits the
# same accesses, so denials do not fill the audit log.
tunable_policy(`mozilla_read_content && use_nfs_home_dirs',`
fs_list_auto_mountpoints($1_mozilla_t)
files_list_home($1_mozilla_t)
fs_read_nfs_files($1_mozilla_t)
fs_read_nfs_symlinks($1_mozilla_t)
',`
files_dontaudit_list_home($1_mozilla_t)
fs_dontaudit_list_auto_mountpoints($1_mozilla_t)
fs_dontaudit_read_nfs_files($1_mozilla_t)
fs_dontaudit_list_nfs($1_mozilla_t)
')
tunable_policy(`mozilla_read_content && use_samba_home_dirs',`
fs_list_auto_mountpoints($1_mozilla_t)
files_list_home($1_mozilla_t)
fs_read_cifs_files($1_mozilla_t)
fs_read_cifs_symlinks($1_mozilla_t)
',`
files_dontaudit_list_home($1_mozilla_t)
fs_dontaudit_list_auto_mountpoints($1_mozilla_t)
fs_dontaudit_read_cifs_files($1_mozilla_t)
fs_dontaudit_list_cifs($1_mozilla_t)
')
tunable_policy(`mozilla_read_content',`
userdom_list_user_tmp($1,$1_mozilla_t)
userdom_read_user_tmp_files($1,$1_mozilla_t)
userdom_read_user_tmp_symlinks($1,$1_mozilla_t)
userdom_search_user_home_dirs($1,$1_mozilla_t)
userdom_read_user_home_content_files($1,$1_mozilla_t)
userdom_read_user_home_content_symlinks($1,$1_mozilla_t)
# Removable media is readable only in non-MLS builds.
ifdef(`enable_mls',`',`
fs_search_removable($1_mozilla_t)
fs_read_removable_files($1_mozilla_t)
fs_read_removable_symlinks($1_mozilla_t)
')
',`
files_dontaudit_list_tmp($1_mozilla_t)
files_dontaudit_list_home($1_mozilla_t)
fs_dontaudit_list_removable($1_mozilla_t)
fs_dontaudit_read_removable_files($1_mozilla_t)
userdom_dontaudit_list_user_tmp($1,$1_mozilla_t)
userdom_dontaudit_read_user_tmp_files($1,$1_mozilla_t)
userdom_dontaudit_list_user_home_dirs($1,$1_mozilla_t)
userdom_dontaudit_read_user_home_content_files($1,$1_mozilla_t)
')
tunable_policy(`mozilla_read_content && read_default_t',`
files_list_default($1_mozilla_t)
files_read_default_files($1_mozilla_t)
files_read_default_symlinks($1_mozilla_t)
',`
files_dontaudit_read_default_files($1_mozilla_t)
files_dontaudit_list_default($1_mozilla_t)
')
tunable_policy(`mozilla_read_content && read_untrusted_content',`
files_list_tmp($1_mozilla_t)
files_list_home($1_mozilla_t)
userdom_search_user_home_dirs($1,$1_mozilla_t)
userdom_list_user_untrusted_content($1,$1_mozilla_t)
userdom_read_user_untrusted_content_files($1,$1_mozilla_t)
userdom_read_user_untrusted_content_symlinks($1,$1_mozilla_t)
userdom_list_user_tmp_untrusted_content($1,$1_mozilla_t)
userdom_read_user_tmp_untrusted_content_files($1,$1_mozilla_t)
userdom_read_user_tmp_untrusted_content_symlinks($1,$1_mozilla_t)
',`
files_dontaudit_list_tmp($1_mozilla_t)
files_dontaudit_list_home($1_mozilla_t)
userdom_dontaudit_list_user_home_dirs($1,$1_mozilla_t)
userdom_dontaudit_list_user_untrusted_content($1,$1_mozilla_t)
userdom_dontaudit_read_user_untrusted_content_files($1,$1_mozilla_t)
userdom_dontaudit_list_user_tmp_untrusted_content($1,$1_mozilla_t)
userdom_dontaudit_read_user_tmp_untrusted_content_files($1,$1_mozilla_t)
')
# Save web pages
tunable_policy(`write_untrusted_content && use_nfs_home_dirs',`
files_search_home($1_mozilla_t)
fs_search_auto_mountpoints($1_mozilla_t)
fs_manage_nfs_dirs($1_mozilla_t)
fs_manage_nfs_files($1_mozilla_t)
fs_manage_nfs_symlinks($1_mozilla_t)
',`
fs_dontaudit_list_auto_mountpoints($1_mozilla_t)
fs_dontaudit_manage_nfs_dirs($1_mozilla_t)
fs_dontaudit_manage_nfs_files($1_mozilla_t)
')
tunable_policy(`write_untrusted_content && use_samba_home_dirs',`
files_search_home($1_mozilla_t)
fs_search_auto_mountpoints($1_mozilla_t)
fs_manage_cifs_dirs($1_mozilla_t)
fs_manage_cifs_files($1_mozilla_t)
fs_manage_cifs_symlinks($1_mozilla_t)
',`
fs_dontaudit_list_auto_mountpoints($1_mozilla_t)
fs_dontaudit_manage_cifs_dirs($1_mozilla_t)
fs_dontaudit_manage_cifs_files($1_mozilla_t)
')
# Downloads are created as untrusted content, both in the home dir
# and under /tmp, so other domains can treat them with suspicion.
tunable_policy(`write_untrusted_content',`
files_search_home($1_mozilla_t)
files_tmp_filetrans($1_mozilla_t,$1_untrusted_content_tmp_t,file)
files_tmp_filetrans($1_mozilla_t,$1_untrusted_content_tmp_t,dir)
userdom_manage_user_untrusted_content_files($1,$1_mozilla_t,file)
userdom_manage_user_untrusted_content_files($1,$1_mozilla_t,dir)
',`
files_dontaudit_list_home($1_mozilla_t)
files_dontaudit_list_tmp($1_mozilla_t)
userdom_dontaudit_list_user_home_dirs($1,$1_mozilla_t)
userdom_dontaudit_manage_user_tmp_dirs($1,$1_mozilla_t)
userdom_dontaudit_manage_user_tmp_files($1,$1_mozilla_t)
userdom_dontaudit_manage_user_home_content_dirs($1,$1_mozilla_t)
')
optional_policy(`
gnome_stream_connect_gconf_template($1,$1_mozilla_t)
')
optional_policy(`
ssh_dontaudit_use_user_ssh_agent_fds($1,$1_mozilla_t)
')
optional_policy(`
apache_read_user_scripts($1,$1_mozilla_t)
apache_read_user_content($1,$1_mozilla_t)
')
optional_policy(`
cups_read_rw_config($1_mozilla_t)
')
optional_policy(`
dbus_system_bus_client_template($1_mozilla,$1_mozilla_t)
dbus_send_system_bus($1_mozilla_t)
dbus_user_bus_client_template($1,$1_mozilla,$1_mozilla_t)
dbus_send_user_bus($1,$1_mozilla_t)
ifdef(`TODO',`
optional_policy(`
allow cupsd_t $1_mozilla_t:dbus send_msg;
')
')
')
optional_policy(`
nscd_socket_use($1_mozilla_t)
')
optional_policy(`
automount_dontaudit_getattr_tmp_dirs($1_mozilla_t)
')
optional_policy(`
lpd_domtrans_user_lpr($1,$1_mozilla_t)
')
######### Launch mplayer
optional_policy(`
mplayer_domtrans_user_mplayer($1, $1_mozilla_t)
mplayer_read_user_home_files($1, $1_mozilla_t)
')
optional_policy(`
thunderbird_domtrans_user_thunderbird($1, $1_mozilla_t)
')
optional_policy(`
java_domtrans_user_javaplugin($1, $1_mozilla_t)
')
ifdef(`TODO',`
#NOTE commented out in strict.
######### Launch email client, and make webcal links work
#ifdef(`evolution.te', `
#domain_auto_trans($1_mozilla_t, evolution_exec_t, $1_evolution_t)
#domain_auto_trans($1_mozilla_t, evolution_webcal_exec_t, $1_evolution_webcal_t)
#')
# Macros for mozilla/mozilla (or other browser) domains.
# FIXME: Rules were removed to centralize policy in a gnome_app macro
# A similar thing might be necessary for mozilla compiled without GNOME
# support (is this possible?).
# GNOME integration
optional_policy(`
gnome_application($1_mozilla, $1)
gnome_file_dialog($1_mozilla, $1)
')
')
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mozilla_per_role_template'($*)) dnl
')
########################################
##
## Read mozilla per user homedir
##
##
##
## Read mozilla per user homedir
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain allowed access.
##
##
#
define(`mozilla_read_user_home_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mozilla_read_user_home_files'($*)) dnl
gen_require(`
type $1_mozilla_home_t;
')
# Read-only access for the domain (second argument) to the per-user
# mozilla home content of the user prefix (first argument): list its
# directories and read its files. Symlinks inside the content are not
# covered and nothing may be created or written through this interface.
allow $2 $1_mozilla_home_t:dir list_dir_perms;
allow $2 $1_mozilla_home_t:file r_file_perms;
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mozilla_read_user_home_files'($*)) dnl
')
########################################
##
## write mozilla per user homedir
##
##
##
## Write mozilla per user homedir
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain allowed access.
##
##
#
define(`mozilla_write_user_home_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mozilla_write_user_home_files'($*)) dnl
gen_require(`
type $1_mozilla_home_t;
')
# Write access for the domain (second argument) to the per-user mozilla
# home content: list its directories and write to its files. Only the
# write permission is granted on files, no create, unlink or read;
# read access is a separate interface (mozilla_read_user_home_files).
allow $2 $1_mozilla_home_t:dir list_dir_perms;
allow $2 $1_mozilla_home_t:file write;
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mozilla_write_user_home_files'($*)) dnl
')
########################################
##
## Run mozilla in user mozilla domain.
##
##
##
## Run mozilla in mozilla domain.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain allowed access.
##
##
#
define(`mozilla_domtrans_user_mozilla',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mozilla_domtrans_user_mozilla'($*)) dnl
gen_require(`
type $1_mozilla_t, mozilla_exec_t;
')
# Automatic transition: when the domain (second argument) executes
# mozilla_exec_t, the child runs in the per-user mozilla domain.
domain_auto_trans($2,mozilla_exec_t,$1_mozilla_t)
# Parent/child plumbing across the transition: inherited fds in both
# directions, read/write on the pipes of the caller, and sigchld back
# to the caller.
allow $2 $1_mozilla_t:fd use;
allow $1_mozilla_t $2:fd use;
allow $1_mozilla_t $2:fifo_file rw_file_perms;
allow $1_mozilla_t $2:process sigchld;
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mozilla_domtrans_user_mozilla'($*)) dnl
')
########################################
##
## read/write mozilla per user tcp_socket
##
##
##
## read/write mozilla per user tcp_socket
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain allowed access.
##
##
#
define(`mozilla_rw_user_tcp_sockets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mozilla_rw_user_tcp_sockets'($*)) dnl
gen_require(`
type $1_mozilla_t;
')
# Read/write style access (rw_socket_perms) for the domain (second
# argument) on TCP sockets owned by the per-user mozilla domain,
# presumably ones handed over across a transition. Note that the
# socket belongs to the browser domain, so this is cross-domain
# socket sharing rather than a network permission of its own.
allow $2 $1_mozilla_t:tcp_socket rw_socket_perms;
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mozilla_rw_user_tcp_sockets'($*)) dnl
')
## Mplayer media player and encoder
#######################################
##
## The per role template for the mplayer module.
##
##
##
## This template creates the derived domains which are used
## for the mplayer media player and encoder.
##
##
## This template is invoked automatically for each user, and
## generally does not need to be invoked directly
## by policy writers.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## The type of the user domain.
##
##
##
##
## The role associated with the user domain.
##
##
#
define(`mplayer_per_role_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mplayer_per_role_template'($*)) dnl
########################################
#
# Declarations
#
# Arguments: user prefix, user domain type, user role. Two derived
# domains are created per prefix, one for mencoder and one for mplayer;
# both are entered from their exec types and authorized for the role.
# They share one home content type; mplayer also gets a private tmpfs type.
#
type $1_mencoder_t;
domain_type($1_mencoder_t)
domain_entry_file($1_mencoder_t,mencoder_exec_t)
role $3 types $1_mencoder_t;
type $1_mplayer_t;
domain_type($1_mplayer_t)
domain_entry_file($1_mplayer_t,mplayer_exec_t)
role $3 types $1_mplayer_t;
type $1_mplayer_home_t alias $1_mplayer_rw_t;
files_poly_member($1_mplayer_home_t)
userdom_user_home_content($1,$1_mplayer_home_t)
type $1_mplayer_tmpfs_t;
files_tmpfs_file($1_mplayer_tmpfs_t)
########################################
#
# mencoder local policy
#
# Create/delete access to the shared mplayer home content type.
allow $1_mencoder_t $1_mplayer_home_t:dir create_dir_perms;
allow $1_mencoder_t $1_mplayer_home_t:file create_file_perms;
allow $1_mencoder_t $1_mplayer_home_t:lnk_file create_lnk_perms;
# Read global config
allow $1_mencoder_t mplayer_etc_t:dir r_dir_perms;
allow $1_mencoder_t mplayer_etc_t:file r_file_perms;
allow $1_mencoder_t mplayer_etc_t:lnk_file { getattr read };
# domain transition
# The user domain enters mencoder automatically on executing
# mencoder_exec_t; fds are inheritable both ways, the child may use
# the pipes of the parent and reports completion with sigchld.
domain_auto_trans($2, mencoder_exec_t, $1_mencoder_t)
allow $2 $1_mencoder_t:fd use;
allow $1_mencoder_t $2:fd use;
allow $1_mencoder_t $2:fifo_file rw_file_perms;
allow $1_mencoder_t $2:process sigchld;
# Allow the user domain to signal/ps.
allow $2 $1_mencoder_t:dir { search getattr read };
allow $2 $1_mencoder_t:{ file lnk_file } { read getattr };
allow $2 $1_mencoder_t:process getattr;
allow $2 $1_mencoder_t:process signal_perms;
# Read /proc files and directories
# Necessary for /proc/meminfo, /proc/cpuinfo, etc..
kernel_read_system_state($1_mencoder_t)
# Sysctl on kernel version
kernel_read_kernel_sysctls($1_mencoder_t)
# Required for win32 binary loader
# NOTE(review): rwx on /dev/zero presumably lets the loader map
# executable memory; review it together with the exec tunables below.
dev_rwx_zero($1_mencoder_t)
# Access to DVD/CD/V4L
dev_read_video_dev($1_mencoder_t)
# Read data in /usr/share (fonts, icons..)
files_read_usr_files($1_mencoder_t)
files_read_usr_symlinks($1_mencoder_t)
fs_search_auto_mountpoints($1_mencoder_t)
# Access to DVD/CD/V4L
storage_raw_read_removable_device($1_mencoder_t)
libs_use_ld_so($1_mencoder_t)
libs_use_shared_libs($1_mencoder_t)
miscfiles_read_localization($1_mencoder_t)
userdom_use_user_terminals($1,$1_mencoder_t)
# Handle removable media, /tmp, and /home
# Read-only on user tmp and home content; writing is handled by the
# untrusted content tunables further down.
userdom_list_user_tmp($1,$1_mencoder_t)
userdom_read_user_tmp_files($1,$1_mencoder_t)
userdom_read_user_tmp_symlinks($1,$1_mencoder_t)
userdom_read_user_home_content_files($1,$1_mencoder_t)
userdom_read_user_home_content_symlinks($1,$1_mencoder_t)
# Read content to encode
# Removable media is not readable at all on MLS builds.
ifdef(`enable_mls',`',`
fs_search_removable($1_mencoder_t)
fs_read_removable_files($1_mencoder_t)
fs_read_removable_symlinks($1_mencoder_t)
')
# Executable memory tunables, from narrowest to broadest; each one
# weakens the W^X guarantees for this domain.
tunable_policy(`allow_execmem',`
allow $1_mencoder_t self:process execmem;
')
tunable_policy(`allow_execmod',`
dev_execmod_zero($1_mencoder_t)
')
tunable_policy(`allow_mplayer_execstack',`
allow $1_mencoder_t self:process { execmem execstack };
')
# NOTE(review): manage access on NFS/CIFS home content is granted here
# whenever the home dir tunable is on, so the read-only blocks for the
# same tunables below appear to be subsumed by these.
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs($1_mencoder_t)
fs_manage_nfs_files($1_mencoder_t)
fs_manage_nfs_symlinks($1_mencoder_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_dirs($1_mencoder_t)
fs_manage_cifs_files($1_mencoder_t)
fs_manage_cifs_symlinks($1_mencoder_t)
')
# Read content to encode
tunable_policy(`use_nfs_home_dirs',`
fs_list_auto_mountpoints($1_mencoder_t)
files_list_home($1_mencoder_t)
fs_read_nfs_files($1_mencoder_t)
fs_read_nfs_symlinks($1_mencoder_t)
',`
files_dontaudit_list_home($1_mencoder_t)
fs_dontaudit_list_auto_mountpoints($1_mencoder_t)
fs_dontaudit_read_nfs_files($1_mencoder_t)
fs_dontaudit_list_nfs($1_mencoder_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_list_auto_mountpoints($1_mencoder_t)
files_list_home($1_mencoder_t)
fs_read_cifs_files($1_mencoder_t)
fs_read_cifs_symlinks($1_mencoder_t)
',`
files_dontaudit_list_home($1_mencoder_t)
fs_dontaudit_list_auto_mountpoints($1_mencoder_t)
fs_dontaudit_read_cifs_files($1_mencoder_t)
fs_dontaudit_list_cifs($1_mencoder_t)
')
tunable_policy(`read_default_t',`
files_list_default($1_mencoder_t)
files_read_default_files($1_mencoder_t)
files_read_default_symlinks($1_mencoder_t)
',`
files_dontaudit_read_default_files($1_mencoder_t)
files_dontaudit_list_default($1_mencoder_t)
')
# NOTE(review): this block sits in the mencoder section but grants the
# mplayer domain, and it omits the class argument that every other
# userdom_manage_user_untrusted_content_files call here passes; confirm
# whether mencoder (with file and dir) was intended.
tunable_policy(`write_untrusted_content',`
userdom_manage_user_untrusted_content_files($1, $1_mplayer_t)
')
# Reading untrusted content (downloads etc.) is opt-in; when off, the
# corresponding denials are silenced rather than logged.
tunable_policy(`read_untrusted_content',`
files_list_tmp($1_mencoder_t)
files_list_home($1_mencoder_t)
userdom_list_user_untrusted_content($1,$1_mencoder_t)
userdom_read_user_untrusted_content_files($1,$1_mencoder_t)
userdom_read_user_untrusted_content_symlinks($1,$1_mencoder_t)
userdom_list_user_tmp_untrusted_content($1,$1_mencoder_t)
userdom_read_user_tmp_untrusted_content_files($1,$1_mencoder_t)
userdom_read_user_tmp_untrusted_content_symlinks($1,$1_mencoder_t)
',`
files_dontaudit_list_tmp($1_mencoder_t)
files_dontaudit_list_home($1_mencoder_t)
userdom_dontaudit_list_user_home_dirs($1,$1_mencoder_t)
userdom_dontaudit_list_user_untrusted_content($1,$1_mencoder_t)
userdom_dontaudit_read_user_untrusted_content_files($1,$1_mencoder_t)
userdom_dontaudit_list_user_tmp_untrusted_content($1,$1_mencoder_t)
userdom_dontaudit_read_user_tmp_untrusted_content_files($1,$1_mencoder_t)
')
# Save encoded files
# Only with write_untrusted_content on. The NFS and CIFS variants give
# manage access to the whole remote home; the local variant is limited
# to the untrusted content types, with type transitions in tmp so new
# files land in the untrusted tmp type.
tunable_policy(`write_untrusted_content && use_nfs_home_dirs',`
files_search_home($1_mencoder_t)
fs_search_auto_mountpoints($1_mencoder_t)
fs_manage_nfs_dirs($1_mencoder_t)
fs_manage_nfs_files($1_mencoder_t)
fs_manage_nfs_symlinks($1_mencoder_t)
',`
fs_dontaudit_list_auto_mountpoints($1_mencoder_t)
fs_dontaudit_manage_nfs_dirs($1_mencoder_t)
fs_dontaudit_manage_nfs_files($1_mencoder_t)
')
tunable_policy(`write_untrusted_content && use_samba_home_dirs',`
files_search_home($1_mencoder_t)
fs_search_auto_mountpoints($1_mencoder_t)
fs_manage_cifs_dirs($1_mencoder_t)
fs_manage_cifs_files($1_mencoder_t)
fs_manage_cifs_symlinks($1_mencoder_t)
',`
fs_dontaudit_list_auto_mountpoints($1_mencoder_t)
fs_dontaudit_manage_cifs_dirs($1_mencoder_t)
fs_dontaudit_manage_cifs_files($1_mencoder_t)
')
tunable_policy(`write_untrusted_content',`
files_search_home($1_mencoder_t)
files_tmp_filetrans($1_mencoder_t,$1_untrusted_content_tmp_t,file)
files_tmp_filetrans($1_mencoder_t,$1_untrusted_content_tmp_t,dir)
userdom_manage_user_untrusted_content_files($1,$1_mencoder_t,file)
userdom_manage_user_untrusted_content_files($1,$1_mencoder_t,dir)
',`
files_dontaudit_list_home($1_mencoder_t)
files_dontaudit_list_tmp($1_mencoder_t)
userdom_dontaudit_list_user_home_dirs($1,$1_mencoder_t)
userdom_dontaudit_manage_user_tmp_files($1,$1_mencoder_t)
userdom_dontaudit_manage_user_home_content_dirs($1,$1_mencoder_t)
')
########################################
#
# mplayer local policy
#
allow $1_mplayer_t self:process { signal_perms getsched };
allow $1_mplayer_t self:fifo_file rw_file_perms;
allow $1_mplayer_t self:sem create_sem_perms;
# Full manage access to its own per-user home content.
allow $1_mplayer_t $1_mplayer_home_t:dir manage_dir_perms;
allow $1_mplayer_t $1_mplayer_home_t:file manage_file_perms;
allow $1_mplayer_t $1_mplayer_home_t:lnk_file create_lnk_perms;
userdom_search_user_home_dirs($1,$1_mplayer_t)
# Private tmpfs type; everything mplayer creates on tmpfs (all five
# listed classes) transitions to it.
allow $1_mplayer_t $1_mplayer_tmpfs_t:dir rw_dir_perms;
allow $1_mplayer_t $1_mplayer_tmpfs_t:file manage_file_perms;
allow $1_mplayer_t $1_mplayer_tmpfs_t:lnk_file create_lnk_perms;
allow $1_mplayer_t $1_mplayer_tmpfs_t:sock_file manage_file_perms;
allow $1_mplayer_t $1_mplayer_tmpfs_t:fifo_file manage_file_perms;
fs_tmpfs_filetrans($1_mplayer_t,$1_mplayer_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
# Read global config
allow $1_mplayer_t mplayer_etc_t:dir r_dir_perms;
allow $1_mplayer_t mplayer_etc_t:file r_file_perms;
allow $1_mplayer_t mplayer_etc_t:lnk_file { getattr read };
# Home access
# The user domain itself may manage the mplayer home content and
# relabel it to and from other types.
allow $2 $1_mplayer_home_t:dir manage_dir_perms;
allow $2 $1_mplayer_home_t:file manage_file_perms;
allow $2 $1_mplayer_home_t:lnk_file create_lnk_perms;
allow $2 $1_mplayer_home_t:{ dir file lnk_file } { relabelfrom relabelto };
# domain transition
# Same shape as the mencoder transition above.
domain_auto_trans($2, mplayer_exec_t, $1_mplayer_t)
allow $2 $1_mplayer_t:fd use;
allow $1_mplayer_t $2:fd use;
allow $1_mplayer_t $2:fifo_file rw_file_perms;
allow $1_mplayer_t $2:process sigchld;
# Allow the user domain to signal/ps.
allow $2 $1_mplayer_t:dir { search getattr read };
allow $2 $1_mplayer_t:{ file lnk_file } { read getattr };
allow $2 $1_mplayer_t:process getattr;
allow $2 $1_mplayer_t:process signal_perms;
# Silence, rather than allow, probing of unlabeled files.
kernel_dontaudit_list_unlabeled($1_mplayer_t)
kernel_dontaudit_getattr_unlabeled_files($1_mplayer_t)
kernel_dontaudit_read_unlabeled_files($1_mplayer_t)
# Necessary for /proc/meminfo, /proc/cpuinfo, etc..
kernel_read_system_state($1_mplayer_t)
# Sysctl on kernel version
kernel_read_kernel_sysctls($1_mplayer_t)
# Run bash/sed (??)
# NOTE(review): the original author left the reason unexplained; shell
# and bin execution is a broad grant for a media player domain and is
# worth confirming against current need.
corecmd_exec_bin($1_mplayer_t)
corecmd_exec_shell($1_mplayer_t)
# Required for win32 binary loader
dev_rwx_zero($1_mplayer_t)
# Access to DVD/CD/V4L
dev_read_video_dev($1_mplayer_t)
# Audio, alsa.conf
dev_read_sound_mixer($1_mplayer_t)
dev_write_sound_mixer($1_mplayer_t)
# RTC clock
dev_read_realtime_clock($1_mplayer_t)
# Access to DVD/CD/V4L
storage_raw_read_removable_device($1_mplayer_t)
files_read_etc_files($1_mplayer_t)
files_dontaudit_list_non_security($1_mplayer_t)
files_dontaudit_getattr_non_security_files($1_mplayer_t)
files_read_non_security_files($1_mplayer_t)
# Unfortunately the ancient file dialog starts in /
files_list_home($1_mplayer_t)
# Read /etc/mtab
files_read_etc_runtime_files($1_mplayer_t)
# Read data in /usr/share (fonts, icons..)
files_read_usr_files($1_mplayer_t)
files_read_usr_symlinks($1_mplayer_t)
fs_dontaudit_getattr_all_fs($1_mplayer_t)
fs_search_auto_mountpoints($1_mplayer_t)
fs_list_inotifyfs($1_mplayer_t)
libs_use_ld_so($1_mplayer_t)
libs_use_shared_libs($1_mplayer_t)
miscfiles_read_localization($1_mplayer_t)
miscfiles_read_fonts($1_mplayer_t)
userdom_use_user_terminals($1,$1_mplayer_t)
# Read media files
userdom_list_user_tmp($1,$1_mplayer_t)
userdom_read_user_tmp_files($1,$1_mplayer_t)
userdom_read_user_tmp_symlinks($1,$1_mplayer_t)
userdom_read_user_home_content_files($1,$1_mplayer_t)
userdom_read_user_home_content_symlinks($1,$1_mplayer_t)
# X client, with the private tmpfs type for X shared memory.
xserver_user_client_template($1,$1_mplayer_t,$1_mplayer_tmpfs_t)
# Read songs
ifdef(`enable_mls',`',`
fs_search_removable($1_mplayer_t)
fs_read_removable_files($1_mplayer_t)
fs_read_removable_symlinks($1_mplayer_t)
')
# Executable memory tunables, same set as for mencoder.
tunable_policy(`allow_execmem',`
allow $1_mplayer_t self:process execmem;
')
tunable_policy(`allow_execmod',`
dev_execmod_zero($1_mplayer_t)
')
tunable_policy(`allow_mplayer_execstack',`
allow $1_mplayer_t self:process { execmem execstack };
')
# NOTE(review): as in the mencoder section, these manage grants appear
# to subsume the read-only use_nfs_home_dirs / use_samba_home_dirs
# blocks below.
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs($1_mplayer_t)
fs_manage_nfs_files($1_mplayer_t)
fs_manage_nfs_symlinks($1_mplayer_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_dirs($1_mplayer_t)
fs_manage_cifs_files($1_mplayer_t)
fs_manage_cifs_symlinks($1_mplayer_t)
')
# Legacy domain issues
# NOTE(review): executing files out of the private tmpfs type is gated
# on the same execstack tunable; confirm it is still needed, since it
# lets the domain run code it wrote itself.
tunable_policy(`allow_mplayer_execstack',`
allow $1_mplayer_t $1_mplayer_tmpfs_t:file execute;
')
# Read songs
tunable_policy(`use_nfs_home_dirs',`
fs_list_auto_mountpoints($1_mplayer_t)
files_list_home($1_mplayer_t)
fs_read_nfs_files($1_mplayer_t)
fs_read_nfs_symlinks($1_mplayer_t)
',`
files_dontaudit_list_home($1_mplayer_t)
fs_dontaudit_list_auto_mountpoints($1_mplayer_t)
fs_dontaudit_read_nfs_files($1_mplayer_t)
fs_dontaudit_list_nfs($1_mplayer_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_list_auto_mountpoints($1_mplayer_t)
files_list_home($1_mplayer_t)
fs_read_cifs_files($1_mplayer_t)
fs_read_cifs_symlinks($1_mplayer_t)
',`
files_dontaudit_list_home($1_mplayer_t)
fs_dontaudit_list_auto_mountpoints($1_mplayer_t)
fs_dontaudit_read_cifs_files($1_mplayer_t)
fs_dontaudit_list_cifs($1_mplayer_t)
')
tunable_policy(`read_default_t',`
files_list_default($1_mplayer_t)
files_read_default_files($1_mplayer_t)
files_read_default_symlinks($1_mplayer_t)
',`
files_dontaudit_read_default_files($1_mplayer_t)
files_dontaudit_list_default($1_mplayer_t)
')
tunable_policy(`read_untrusted_content',`
files_list_tmp($1_mplayer_t)
files_list_home($1_mplayer_t)
userdom_list_user_untrusted_content($1,$1_mplayer_t)
userdom_read_user_untrusted_content_files($1,$1_mplayer_t)
userdom_read_user_untrusted_content_symlinks($1,$1_mplayer_t)
userdom_list_user_tmp_untrusted_content($1,$1_mplayer_t)
userdom_read_user_tmp_untrusted_content_files($1,$1_mplayer_t)
userdom_read_user_tmp_untrusted_content_symlinks($1,$1_mplayer_t)
',`
files_dontaudit_list_tmp($1_mplayer_t)
files_dontaudit_list_home($1_mplayer_t)
userdom_dontaudit_list_user_home_dirs($1,$1_mplayer_t)
userdom_dontaudit_list_user_untrusted_content($1,$1_mplayer_t)
userdom_dontaudit_read_user_untrusted_content_files($1,$1_mplayer_t)
userdom_dontaudit_list_user_tmp_untrusted_content($1,$1_mplayer_t)
userdom_dontaudit_read_user_tmp_untrusted_content_files($1,$1_mplayer_t)
')
# Only when the mozilla module is present: mplayer may write the
# mozilla home content and share its TCP sockets, presumably for use
# as a browser plugin.
optional_policy(`
mozilla_write_user_home_files($1, $1_mplayer_t)
mozilla_rw_user_tcp_sockets($1, $1_mplayer_t)
')
optional_policy(`
alsa_read_rw_config($1_mplayer_t)
')
optional_policy(`
nscd_socket_use($1_mplayer_t)
')
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mplayer_per_role_template'($*)) dnl
')
########################################
##
## Run mplayer in mplayer domain.
##
##
##
## Run mplayer in mplayer domain.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain allowed access.
##
##
#
define(`mplayer_domtrans_user_mplayer',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mplayer_domtrans_user_mplayer'($*)) dnl
gen_require(`
type $1_mplayer_t, mplayer_exec_t;
')
# Automatic transition: when the domain (second argument) executes
# mplayer_exec_t, the child runs in the per-user mplayer domain.
domain_auto_trans($2,mplayer_exec_t,$1_mplayer_t)
# Parent/child plumbing across the transition: inherited fds in both
# directions, read/write on the pipes of the caller, and sigchld back
# to the caller.
allow $2 $1_mplayer_t:fd use;
allow $1_mplayer_t $2:fd use;
allow $1_mplayer_t $2:fifo_file rw_file_perms;
allow $1_mplayer_t $2:process sigchld;
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mplayer_domtrans_user_mplayer'($*)) dnl
')
########################################
##
## Read mplayer per user homedir
##
##
##
## Read mplayer per user homedir
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain allowed access.
##
##
#
define(`mplayer_read_user_home_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mplayer_read_user_home_files'($*)) dnl
gen_require(`
type $1_mplayer_home_t;
')
# Read-only access for the domain (second argument) to the per-user
# mplayer home content: search (not list) its directories and read its
# files. Symlinks inside the content are not covered.
allow $2 $1_mplayer_home_t:dir search_dir_perms;
allow $2 $1_mplayer_home_t:file r_file_perms;
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mplayer_read_user_home_files'($*)) dnl
')
## QEMU machine emulator and virtualizer
########################################
##
## Execute a domain transition to run qemu.
##
##
##
## Domain allowed to transition.
##
##
#
define(`qemu_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `qemu_domtrans'($*)) dnl
gen_require(`
type qemu_t, qemu_exec_t;
')
# Automatic transition into qemu_t when the domain (first argument)
# executes qemu_exec_t. domtrans_pattern presumably also covers the
# fd, pipe and sigchld plumbing between caller and child.
domtrans_pattern($1, qemu_exec_t, qemu_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `qemu_domtrans'($*)) dnl
')
########################################
##
## Execute qemu in the qemu domain.
##
##
##
## Domain allowed access.
##
##
##
##
## The role to allow the qemu domain.
##
##
##
##
## The type of the terminal to allow the qemu domain to use.
##
##
#
define(`qemu_run',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `qemu_run'($*)) dnl
gen_require(`
type qemu_t;
')
# Transition plus role authorization: the domain (first argument) may
# run qemu, the role (second argument) is allowed qemu_t, and qemu_t
# may read and write the terminal type (third argument).
qemu_domtrans($1)
role $2 types qemu_t;
allow qemu_t $3:chr_file rw_file_perms;
# Only when the samba module is present: qemu_t may run smb with the
# same role and terminal.
optional_policy(`
samba_run_smb(qemu_t, $2, $3)
')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `qemu_run'($*)) dnl
')
#######################################
##
## The per role template for the qemu module.
##
##
##
## This template creates the derived domains which are used
## for qemu.
##
##
## This template is invoked automatically for each user, and
## generally does not need to be invoked directly
## by policy writers.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## The type of the user domain.
##
##
##
##
## The role associated with the user domain.
##
##
#
define(`qemu_per_role_template_notrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `qemu_per_role_template_notrans'($*)) dnl
gen_require(`
type qemu_t;
')
# Authorizes the user role (third argument) for qemu_t and registers
# qemu_t with xserver_common_app for the user prefix (first argument).
# No domain transition is set up here; the user domain type (second
# argument) is accepted but not used by this template.
role $3 types qemu_t;
xserver_common_app($1, qemu_t)
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `qemu_per_role_template_notrans'($*)) dnl
')
#######################################
##
## The per role template for the qemu module.
##
##
##
## This template creates the derived domains which are used
## for qemu.
##
##
## This template is invoked automatically for each user, and
## generally does not need to be invoked directly
## by policy writers.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## The type of the user domain.
##
##
##
##
## The role associated with the user domain.
##
##
#
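define(`qemu_per_role_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `qemu_per_role_template'($*)) dnl
gen_require(`
type qemu_t, qemu_exec_t;
type qemu_config_t, qemu_config_exec_t;
')
# Arguments: user prefix, user domain type, user role.
# Role authorization and X registration for qemu_t.
qemu_per_role_template_notrans($1, $2, $3)
# Automatic transitions from the user domain into qemu_t and
# qemu_config_t on execution of their entry point types. All four
# types are listed in the require block above so a loadable module
# calling this template resolves them.
domtrans_pattern($2, qemu_exec_t, qemu_t)
domtrans_pattern($2, qemu_config_exec_t, qemu_config_t)
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `qemu_per_role_template'($*)) dnl
')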
########################################
##
## Allow the domain to read state files in /proc.
##
##
##
## Domain to allow access.
##
##
#
define(`qemu_read_state',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `qemu_read_state'($*)) dnl
gen_require(`
type qemu_t;
')
# Read access for the domain (first argument) to files labeled qemu_t,
# which per the interface header are the qemu process entries in /proc.
read_files_pattern($1, qemu_t, qemu_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `qemu_read_state'($*)) dnl
')
########################################
##
## Set the schedule on qemu.
##
##
##
## Domain allowed access.
##
##
#
define(`qemu_setsched',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `qemu_setsched'($*)) dnl
gen_require(`
type qemu_t;
')
# Lets the domain (first argument) change the scheduling parameters
# of qemu_t processes; nothing else on the process class is granted.
allow $1 qemu_t:process setsched;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `qemu_setsched'($*)) dnl
')
########################################
##
## Execute qemu_exec_t
## in the specified domain but do not
## do it automatically. This is an explicit
## transition, requiring the caller to use setexeccon().
##
##
##
## Execute qemu_exec_t
## in the specified domain. This allows
## the specified domain to run qemu programs
## in the specified new domain, without an
## automatic transition.
##
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the new process.
##
##
#
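define(`qemu_spec_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `qemu_spec_domtrans'($*)) dnl
gen_require(`
type qemu_exec_t;
')
# Explicit transition (the caller uses setexeccon, per the interface
# header) from the domain (first argument) into the new domain (second
# argument) through qemu_exec_t.
read_lnk_files_pattern($1, qemu_exec_t, qemu_exec_t)
domain_transition_pattern($1, qemu_exec_t, $2)
# The new domain is the child of the caller: it inherits fds, uses the
# pipes of the caller and reports completion with sigchld. The interface
# takes two arguments, so the child is the second one; the previous
# third-argument reference expanded to nothing and produced invalid
# allow rules.
allow $2 $1:fd use;
allow $2 $1:fifo_file rw_fifo_file_perms;
allow $2 $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `qemu_spec_domtrans'($*)) dnl
')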
########################################
##
## Send a signal to qemu.
##
##
##
## Domain allowed access.
##
##
#
define(`qemu_signal',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `qemu_signal'($*)) dnl
gen_require(`
type qemu_t;
')
# Plain signal permission only for the domain (first argument) on
# qemu_t; sigkill is granted by the separate qemu_kill interface.
allow $1 qemu_t:process signal;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `qemu_signal'($*)) dnl
')
########################################
##
## Send a sigkill to qemu
##
##
##
## Domain allowed access.
##
##
#
define(`qemu_kill',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `qemu_kill'($*)) dnl
gen_require(`
type qemu_t;
')
# Grants only sigkill to the domain (first argument) on qemu_t; other
# signals are covered by qemu_signal.
allow $1 qemu_t:process sigkill;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `qemu_kill'($*)) dnl
')
########################################
##
## Execute qemu programs in the qemu domain.
##
##
##
## Domain allowed access.
##
##
##
##
## The role to allow the qemu domain.
##
##
##
##
## The type of the terminal to allow the qemu domain to use.
##
##
#
define(`qemu_runas',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `qemu_runas'($*)) dnl
gen_require(`
type qemu_t;
')
# Transition into qemu_t for the domain (first argument) and terminal
# access for qemu_t on the terminal type (third argument).
# NOTE(review): the role (second argument) is documented but never used
# here, unlike qemu_run, so callers must authorize the role separately
# (qemu_role) or the transition will be refused by role checks.
qemu_domtrans($1)
allow qemu_t $3:chr_file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `qemu_runas'($*)) dnl
')
########################################
##
## Execute qemu programs in the role.
##
##
##
## The role to allow the qemu domain.
##
##
#
define(`qemu_role',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `qemu_role'($*)) dnl
gen_require(`
type qemu_t;
')
# Role authorization only: the role (first argument) may have
# processes in qemu_t. No transition or file access is granted.
role $1 types qemu_t;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `qemu_role'($*)) dnl
')
########################################
##
## Execute qemu unconfined programs in the role.
##
##
##
## The role to allow the qemu unconfined domain.
##
##
#
define(`qemu_unconfined_role',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `qemu_unconfined_role'($*)) dnl
gen_require(`
type qemu_unconfined_t;
')
# Role authorization only: the role (first argument) may have
# processes in qemu_unconfined_t, the unconfined qemu variant.
role $1 types qemu_unconfined_t;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `qemu_unconfined_role'($*)) dnl
')
########################################
##
## Execute a domain transition to run qemu.
##
##
##
## Domain allowed to transition.
##
##
#
define(`qemu_domtrans_unconfined',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `qemu_domtrans_unconfined'($*)) dnl
gen_require(`
type qemu_unconfined_t, qemu_exec_t;
')
# Same shape as qemu_domtrans, but the domain (first argument) lands
# in qemu_unconfined_t when it executes qemu_exec_t. Both interfaces
# key on the same exec type, so a caller should be given one or the
# other, not both.
domtrans_pattern($1, qemu_exec_t, qemu_unconfined_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `qemu_domtrans_unconfined'($*)) dnl
')
########################################
##
## Execute qemu programs in the qemu unconfined domain.
##
##
##
## Domain allowed access.
##
##
##
##
## The role to allow the qemu unconfined domain.
##
##
##
##
## The type of the terminal to allow the qemu unconfined domain to use.
##
##
#
define(`qemu_runas_unconfined',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `qemu_runas_unconfined'($*)) dnl
gen_require(`
type qemu_unconfined_t;
')
# Transition into qemu_unconfined_t for the domain (first argument) and
# terminal access on the terminal type (third argument).
# NOTE(review): as with qemu_runas, the role (second argument) is
# documented but not used; qemu_unconfined_role must be applied by the
# caller for the transition to be permitted by role checks.
qemu_domtrans_unconfined($1)
allow qemu_unconfined_t $3:chr_file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `qemu_runas_unconfined'($*)) dnl
')
########################################
##
## Manage qemu temporary dirs.
##
##
##
## Domain allowed access.
##
##
#
define(`qemu_manage_tmp_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `qemu_manage_tmp_dirs'($*)) dnl
gen_require(`
type qemu_tmp_t;
')
# Manage (create through delete) access for the domain (first
# argument) on directories of the qemu tmp type. Files inside them are
# a separate interface (qemu_manage_tmp_files).
manage_dirs_pattern($1, qemu_tmp_t, qemu_tmp_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `qemu_manage_tmp_dirs'($*)) dnl
')
########################################
##
## Manage qemu temporary files.
##
##
##
## Domain allowed access.
##
##
#
define(`qemu_manage_tmp_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `qemu_manage_tmp_files'($*)) dnl
gen_require(`
type qemu_tmp_t;
')
# Manage (create through delete) access for the domain (first
# argument) on files of the qemu tmp type. The containing directories
# are a separate interface (qemu_manage_tmp_dirs).
manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `qemu_manage_tmp_files'($*)) dnl
')
########################################
##
## Creates types and rules for a basic
## qemu process domain.
##
##
##
## Prefix for the domain.
##
##
#
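define(`qemu_domain_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `qemu_domain_template'($*)) dnl
gen_require(`
attribute qemutype;
attribute qemutmpfile;
')
# Declare a qemu process domain $1_t together with its private
# temporary, tmpfs and disk image types.
# Fix: qemutmpfile is attached to $1_tmp_t below but was not in the
# require block, unlike qemutype, so the template only built when
# expanded inside the module that declares the attribute.
type $1_t, qemutype;
# NOTE(review): no domain_type call here. Presumably the domain rules
# are attached to the qemutype attribute in qemu.te; confirm.
type $1_tmp_t, qemutmpfile;
files_tmp_file($1_tmp_t)
type $1_tmpfs_t;
files_tmpfs_file($1_tmpfs_t)
type $1_image_t;
virt_image($1_image_t)
# Disk images: full management of image files and directories plus
# read/write of block devices labeled as images. Note that no execute
# permission is granted on image files.
manage_dirs_pattern($1_t, $1_image_t, $1_image_t)
manage_files_pattern($1_t, $1_image_t, $1_image_t)
read_lnk_files_pattern($1_t, $1_image_t, $1_image_t)
rw_blk_files_pattern($1_t, $1_image_t, $1_image_t)
# Private tmp content, created with a type transition so qemu
# temporaries never land in the generic tmp type.
manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
files_tmp_filetrans($1_t, $1_tmp_t, { file dir })
# Private tmpfs content.
manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file })
fs_getattr_tmpfs($1_t)
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `qemu_domain_template'($*)) dnl
')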
## Restricted (scp/sftp) only shell
#######################################
##
## The per role template for the rssh module.
##
##
##
## This template creates derived domains which are used
## for rssh client sessions. Derived types are also created
## for read-only and read-write file access.
##
##
## This template is invoked automatically for each user, and
## generally does not need to be invoked directly
## by policy writers.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
#
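define(`rssh_per_role_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `rssh_per_role_template'($*)) dnl
gen_require(`
type rssh_exec_t;
attribute rssh_domain_type;
attribute rssh_ro_content_type;
')
##############################
#
# Declarations
#
# Fix: rssh_exec_t and the two rssh attributes used below were not
# required, unlike in rssh_spec_domtrans_all_users and the screen
# template, so this template only built inside the rssh module itself.
#
# Restricted shell domain derived for the user prefix $1.
type $1_rssh_t alias rssh_$1_t, rssh_domain_type;
domain_type($1_rssh_t)
domain_entry_file($1_rssh_t,rssh_exec_t)
# NOTE(review): the exemption is applied to the user domain $1_t rather
# than to $1_rssh_t. Confirm this is intended.
domain_user_exemption_target($1_t)
domain_interactive_fd($1_rssh_t)
# The domain is bound to system_r only: rssh is presumably entered
# from the ssh daemon (see the ssh socket rules below), not from a
# user role.
role system_r types $1_rssh_t;
type $1_rssh_devpts_t alias rssh_$1_devpts_t;
term_user_pty($1_rssh_t,$1_rssh_devpts_t)
# Home content the restricted shell may only read. It carries the
# rssh_ro_content_type attribute so rssh_read_all_users_ro_content
# reaches it; the read-write type below deliberately does not.
type $1_rssh_ro_t alias rssh_$1_ro_t, rssh_ro_content_type;
userdom_user_home_content($1,$1_rssh_ro_t)
type $1_rssh_rw_t alias rssh_$1_rw_t;
userdom_user_home_content($1,$1_rssh_rw_t)
##############################
#
# Local policy
#
# Everything on self:process except the listed permissions: no ptrace,
# no changes to the security context fields, no rlimit changes and no
# executable memory. The negated set also silently picks up any
# permission added to the process class by a newer kernel.
allow $1_rssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow $1_rssh_t self:fd use;
allow $1_rssh_t self:fifo_file rw_file_perms;
allow $1_rssh_t self:unix_dgram_socket create_socket_perms;
allow $1_rssh_t self:unix_stream_socket create_stream_socket_perms;
allow $1_rssh_t self:unix_dgram_socket sendto;
allow $1_rssh_t self:unix_stream_socket connectto;
allow $1_rssh_t self:shm create_shm_perms;
allow $1_rssh_t self:sem create_sem_perms;
allow $1_rssh_t self:msgq create_msgq_perms;
allow $1_rssh_t self:msg { send receive };
# Private pty for the session.
allow $1_rssh_t $1_rssh_devpts_t:chr_file { rw_file_perms setattr };
term_create_pty($1_rssh_t,$1_rssh_devpts_t)
# Read-only content: list and read, nothing else.
allow $1_rssh_t $1_rssh_ro_t:dir list_dir_perms;
allow $1_rssh_t $1_rssh_ro_t:file read_file_perms;
# Read-write content: full management.
allow $1_rssh_t $1_rssh_rw_t:dir manage_dir_perms;
allow $1_rssh_t $1_rssh_rw_t:file manage_file_perms;
kernel_read_system_state($1_rssh_t)
kernel_read_kernel_sysctls($1_rssh_t)
files_read_etc_files($1_rssh_t)
files_read_etc_runtime_files($1_rssh_t)
files_list_home($1_rssh_t)
files_read_usr_files($1_rssh_t)
files_list_var($1_rssh_t)
fs_search_auto_mountpoints($1_rssh_t)
libs_use_ld_so($1_rssh_t)
libs_use_shared_libs($1_rssh_t)
logging_send_syslog_msg($1_rssh_t)
miscfiles_read_localization($1_rssh_t)
userdom_use_unpriv_users_fds($1_rssh_t)
# Inherit the connection sockets from ssh. Within this template no
# network access of its own is granted, and no bin, sbin or shell
# execution either, which is what makes this a restricted shell; the
# scp/sftp helpers it runs are presumably handled elsewhere.
ssh_rw_tcp_sockets($1_rssh_t)
ssh_rw_stream_sockets($1_rssh_t)
optional_policy(`
nis_use_ypbind($1_rssh_t)
')
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `rssh_per_role_template'($*)) dnl
')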
########################################
##
## Transition to all user rssh domains.
##
##
##
## Domain allowed access.
##
##
#
define(`rssh_spec_domtrans_all_users',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `rssh_spec_domtrans_all_users'($*)) dnl
gen_require(`
type rssh_exec_t;
attribute rssh_domain_type;
')
# Child-to-parent plumbing first: the new rssh domain may use the
# descriptors it inherits from $1, talk over the pipe it was given
# and deliver SIGCHLD when it exits.
allow rssh_domain_type $1:process sigchld;
allow rssh_domain_type $1:fifo_file rw_file_perms;
allow rssh_domain_type $1:fd use;
# Then the transition itself. This is domain_trans, not
# domain_auto_trans: no type_transition rule is installed, so $1 has
# to request the specific per-user rssh domain itself. Any domain in
# rssh_domain_type is a valid target, which is why the attribute is
# used rather than a single type.
domain_trans($1,rssh_exec_t,rssh_domain_type)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `rssh_spec_domtrans_all_users'($*)) dnl
')
########################################
##
## Read all users rssh read-only content.
##
##
##
## Domain allowed access.
##
##
#
define(`rssh_read_all_users_ro_content',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `rssh_read_all_users_ro_content'($*)) dnl
gen_require(`
attribute rssh_ro_content_type;
')
# Read-only access to the rssh ro content of every user: follow
# links, read files, list directories. No write, create or relabel
# permission is included, and the per-user rw content types are not
# on this attribute, so they stay out of reach.
allow $1 rssh_ro_content_type:lnk_file { getattr read };
allow $1 rssh_ro_content_type:file r_file_perms;
allow $1 rssh_ro_content_type:dir r_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `rssh_read_all_users_ro_content'($*)) dnl
')
## GNU terminal multiplexer
#######################################
##
## The per role template for the screen module.
##
##
##
## This template creates derived domains which are used
## for screen sessions.
##
##
## This template is invoked automatically for each user, and
## generally does not need to be invoked directly
## by policy writers.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## The type of the user domain.
##
##
##
##
## The role associated with the user domain.
##
##
#
define(`screen_per_role_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `screen_per_role_template'($*)) dnl
gen_require(`
type screen_dir_t, screen_exec_t;
')
########################################
#
# Declarations
#
# Derived screen domain for the user prefix $1, entered from the user
# domain $2 and bound to role $3. The domain only ever holds the
# multiplexer itself: every command it spawns returns to $2 (see the
# shell and bin transitions below).
type $1_screen_t;
domain_type($1_screen_t)
domain_entry_file($1_screen_t,screen_exec_t)
domain_interactive_fd($1_screen_t)
role $3 types $1_screen_t;
type $1_screen_tmp_t;
files_tmp_file($1_screen_tmp_t)
# Home content the screen domain may only read; the user domain
# manages and relabels it (see below).
type $1_screen_ro_home_t;
files_type($1_screen_ro_home_t)
# Per-user session fifo type under screen_dir_t.
type $1_screen_var_run_t;
files_pid_file($1_screen_var_run_t)
########################################
#
# Local policy
#
# screen is presumably installed setuid/setgid; these capabilities let
# it change ids and create setgid files. No dac_override is granted,
# so normal DAC still applies to its file access.
allow $1_screen_t self:capability { setuid setgid fsetid };
allow $1_screen_t self:process signal_perms;
allow $1_screen_t self:tcp_socket create_stream_socket_perms;
allow $1_screen_t self:udp_socket create_socket_perms;
# Internal screen networking
allow $1_screen_t self:fd use;
allow $1_screen_t self:unix_stream_socket create_socket_perms;
allow $1_screen_t self:unix_dgram_socket create_socket_perms;
allow $1_screen_t $1_screen_tmp_t:dir create_dir_perms;
allow $1_screen_t $1_screen_tmp_t:file create_file_perms;
allow $1_screen_t $1_screen_tmp_t:fifo_file create_file_perms;
files_tmp_filetrans($1_screen_t, $1_screen_tmp_t, { file dir })
# Create fifo
# The session fifo is created in screen_dir_t and labeled with the
# per-user type, so one user cannot open the sessions of another.
allow $1_screen_t screen_dir_t:dir rw_dir_perms;
allow $1_screen_t screen_dir_t:dir create_dir_perms;
allow $1_screen_t $1_screen_var_run_t:fifo_file create_file_perms;
type_transition $1_screen_t screen_dir_t:fifo_file $1_screen_var_run_t;
files_pid_filetrans($1_screen_t,screen_dir_t,dir)
allow $1_screen_t $1_screen_ro_home_t:dir r_dir_perms;
allow $1_screen_t $1_screen_ro_home_t:file r_file_perms;
allow $1_screen_t $1_screen_ro_home_t:lnk_file { read getattr };
# Automatic transition from the user domain on exec, plus the usual
# parent/child plumbing (signals, descriptors, pipe).
domain_auto_trans($2, screen_exec_t, $1_screen_t)
allow $2 $1_screen_t:process signal;
allow $1_screen_t $2:process { signal sigchld };
allow $1_screen_t $2:fd use;
allow $1_screen_t $2:fifo_file rw_file_perms;
# NOTE(review): $1_home_dir_t is a userdomain private type referenced
# directly here, outside the require block; a userdom_ interface would
# be the supported path. Left unchanged to avoid widening access.
allow $1_screen_t $1_home_dir_t:dir { search getattr };
# Only the user domain writes and relabels the read-only home content.
allow $2 $1_screen_ro_home_t:dir create_dir_perms;
allow $2 $1_screen_ro_home_t:file create_file_perms;
allow $2 $1_screen_ro_home_t:lnk_file create_lnk_perms;
allow $2 $1_screen_ro_home_t:{ dir file lnk_file } { relabelfrom relabelto };
kernel_read_system_state($1_screen_t)
kernel_read_kernel_sysctls($1_screen_t)
# bin and sbin are listable and readable here; executing them goes
# through the transitions back to the user domain below, so nothing
# runs as $1_screen_t except screen itself.
corecmd_list_bin($1_screen_t)
corecmd_read_bin_files($1_screen_t)
corecmd_read_bin_symlinks($1_screen_t)
corecmd_read_bin_pipes($1_screen_t)
corecmd_read_bin_sockets($1_screen_t)
corecmd_list_sbin($1_screen_t)
corecmd_read_sbin_symlinks($1_screen_t)
corecmd_read_sbin_files($1_screen_t)
corecmd_read_sbin_pipes($1_screen_t)
corecmd_read_sbin_sockets($1_screen_t)
# Revert to the user domain when a shell is executed.
corecmd_shell_domtrans($1_screen_t,$2)
corecmd_bin_domtrans($1_screen_t,$2)
# NOTE(review): this is TCP and UDP on every node and every port, plus
# connect to all TCP ports, which is far wider than the internal
# networking comment above suggests. Confirm screen needs it.
corenet_non_ipsec_sendrecv($1_screen_t)
corenet_tcp_sendrecv_generic_if($1_screen_t)
corenet_udp_sendrecv_generic_if($1_screen_t)
corenet_tcp_sendrecv_all_nodes($1_screen_t)
corenet_udp_sendrecv_all_nodes($1_screen_t)
corenet_tcp_sendrecv_all_ports($1_screen_t)
corenet_udp_sendrecv_all_ports($1_screen_t)
corenet_tcp_connect_all_ports($1_screen_t)
dev_dontaudit_getattr_all_chr_files($1_screen_t)
dev_dontaudit_getattr_all_blk_files($1_screen_t)
# for SSP
dev_read_urand($1_screen_t)
domain_use_interactive_fds($1_screen_t)
files_search_tmp($1_screen_t)
files_search_home($1_screen_t)
files_list_home($1_screen_t)
files_read_usr_files($1_screen_t)
files_read_etc_files($1_screen_t)
fs_search_auto_mountpoints($1_screen_t)
fs_getattr_xattr_fs($1_screen_t)
# Shadow reads and utempter execs are silenced, not allowed; the utmp
# write below is what screen actually gets.
auth_dontaudit_read_shadow($1_screen_t)
auth_dontaudit_exec_utempter($1_screen_t)
# Write to utmp.
# Note that this also lets the domain alter existing login records.
init_rw_utmp($1_screen_t)
libs_use_ld_so($1_screen_t)
libs_use_shared_libs($1_screen_t)
logging_send_syslog_msg($1_screen_t)
miscfiles_read_localization($1_screen_t)
seutil_read_config($1_screen_t)
sysnet_read_config($1_screen_t)
userdom_use_user_terminals($1,$1_screen_t)
userdom_create_user_pty($1,$1_screen_t)
userdom_user_home_domtrans($1,$1_screen_t,$2)
userdom_setattr_user_ptys($1,$1_screen_t)
tunable_policy(`read_default_t',`
files_list_default($1_screen_t)
files_read_default_files($1_screen_t)
files_read_default_symlinks($1_screen_t)
files_read_default_sockets($1_screen_t)
files_read_default_pipes($1_screen_t)
')
# Home directories on CIFS or NFS: execution from them returns to the
# user domain, just like bin and shells above.
tunable_policy(`use_samba_home_dirs',`
fs_cifs_domtrans($1_screen_t,$2)
fs_read_cifs_symlinks($1_screen_t)
fs_list_cifs($1_screen_t)
')
tunable_policy(`use_nfs_home_dirs',`
fs_nfs_domtrans($1_screen_t,$2)
fs_list_nfs($1_screen_t)
fs_read_nfs_symlinks($1_screen_t)
')
optional_policy(`
nis_use_ypbind($1_screen_t)
')
optional_policy(`
nscd_socket_use($1_screen_t)
')
# Disabled by ifdef TODO; refers to $1_gph_t, which nothing here
# declares or requires.
ifdef(`TODO',`
# Inherit and use descriptors from gnome-pty-helper.
optional_policy(`
allow $1_screen_t $1_gph_t:fd use;
')
') dnl TODO
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `screen_per_role_template'($*)) dnl
')
## Update database for mlocate
########################################
##
## Create the locate log with append mode.
##
##
##
## Domain allowed access.
##
##
#
define(`slocate_create_append_log',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `slocate_create_append_log'($*)) dnl
gen_require(`
type locate_log_t;
')
# Append-only access to the locate log for $1: the file may be
# created, stat-ed and appended to, but never read, truncated or
# overwritten, so a compromised caller cannot rewrite the history.
# NOTE(review): this interface carries the slocate_ prefix while the
# next one uses locate_; renaming it would break existing callers.
allow $1 locate_log_t:file { getattr create append };
# Only add entries to the log directory, never remove or rename them.
allow $1 locate_log_t:dir ra_dir_perms;
logging_search_logs($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `slocate_create_append_log'($*)) dnl
')
########################################
##
## Read locate lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`locate_read_lib_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `locate_read_lib_files'($*)) dnl
gen_require(`
type locate_var_lib_t;
')
# Walk /var/lib, list the locate lib directory and read the files in
# it. The locate database is an index of path names, so reading it
# discloses the file layout of the system; grant this only where that
# disclosure is acceptable.
files_search_var_lib($1)
allow $1 locate_var_lib_t:dir list_dir_perms;
read_files_pattern($1,locate_var_lib_t,locate_var_lib_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `locate_read_lib_files'($*)) dnl
')
## Thunderbird email client
#######################################
##
## The per role template for the thunderbird module.
##
##
##
## This template creates a derived domain which is used
## for the thunderbird email client.
##
##
## This template is invoked automatically for each user, and
## generally does not need to be invoked directly
## by policy writers.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## The type of the user domain.
##
##
##
##
## The role associated with the user domain.
##
##
#
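define(`thunderbird_per_role_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `thunderbird_per_role_template'($*)) dnl
gen_require(`
type thunderbird_exec_t;
')
########################################
#
# Declarations
#
# Fix: thunderbird_exec_t is the entry point below but was not
# required, unlike screen_exec_t in screen_per_role_template, so this
# template only built when expanded inside the thunderbird module.
#
# Derived mail client domain for the user prefix $1, entered from the
# user domain $2 and bound to role $3.
type $1_thunderbird_t;
domain_type($1_thunderbird_t)
domain_entry_file($1_thunderbird_t,thunderbird_exec_t)
role $3 types $1_thunderbird_t;
type $1_thunderbird_home_t alias $1_thunderbird_rw_t;
files_poly_member($1_thunderbird_home_t)
type $1_thunderbird_tmpfs_t;
files_tmpfs_file($1_thunderbird_tmpfs_t)
########################################
#
# Local policy
#
# Executable heap, stack and memory are granted, so W^X does not hold
# inside this domain; together with the shell and bin execution below
# the domain bounds file and network reach, not what code may run.
allow $1_thunderbird_t self:capability sys_nice;
allow $1_thunderbird_t self:process { signal_perms setsched getsched execheap execmem execstack };
allow $1_thunderbird_t self:fifo_file { ioctl read write getattr };
allow $1_thunderbird_t self:unix_dgram_socket { create connect };
allow $1_thunderbird_t self:unix_stream_socket { create accept connect write getattr read listen bind };
allow $1_thunderbird_t self:tcp_socket create_socket_perms;
allow $1_thunderbird_t self:shm { read write create destroy unix_read unix_write };
allow $1_thunderbird_t self:netlink_route_socket r_netlink_socket_perms;
dev_read_urand($1_thunderbird_t)
dev_read_rand($1_thunderbird_t)
# Access ~/.thunderbird
allow $1_thunderbird_t $1_thunderbird_home_t:dir manage_dir_perms;
allow $1_thunderbird_t $1_thunderbird_home_t:file manage_file_perms;
allow $1_thunderbird_t $1_thunderbird_home_t:lnk_file create_lnk_perms;
userdom_search_user_home_dirs($1,$1_thunderbird_t)
userdom_dontaudit_list_user_files($1, $1_thunderbird_t)
# Private tmpfs content of every object class.
allow $1_thunderbird_t $1_thunderbird_tmpfs_t:dir rw_dir_perms;
allow $1_thunderbird_t $1_thunderbird_tmpfs_t:file manage_file_perms;
allow $1_thunderbird_t $1_thunderbird_tmpfs_t:lnk_file create_lnk_perms;
allow $1_thunderbird_t $1_thunderbird_tmpfs_t:sock_file manage_file_perms;
allow $1_thunderbird_t $1_thunderbird_tmpfs_t:fifo_file manage_file_perms;
fs_tmpfs_filetrans($1_thunderbird_t,$1_thunderbird_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
# Parent/child plumbing between the user domain and the mail domain.
allow $2 $1_thunderbird_t:fd use;
allow $2 $1_thunderbird_t:shm { associate getattr };
allow $2 $1_thunderbird_t:unix_stream_socket connectto;
allow $1_thunderbird_t $2:fd use;
allow $1_thunderbird_t $2:process sigchld;
allow $1_thunderbird_t $2:unix_stream_socket connectto;
# Allow the user domain to signal/ps.
allow $2 $1_thunderbird_t:dir { search getattr read };
allow $2 $1_thunderbird_t:{ file lnk_file } { read getattr };
allow $2 $1_thunderbird_t:process getattr;
# Access ~/.thunderbird
# The user domain manages and may relabel the profile.
allow $2 $1_thunderbird_home_t:dir manage_dir_perms;
allow $2 $1_thunderbird_home_t:file manage_file_perms;
allow $2 $1_thunderbird_home_t:lnk_file create_lnk_perms;
allow $2 $1_thunderbird_home_t:{ dir file lnk_file } { relabelfrom relabelto };
# Allow netstat
kernel_read_network_state($1_thunderbird_t)
kernel_read_net_sysctls($1_thunderbird_t)
kernel_read_system_state($1_thunderbird_t)
# Shell and bin execution stays inside $1_thunderbird_t (there is no
# transition back to $2 here), so anything thunderbird launches
# inherits exactly the access listed in this template.
corecmd_exec_shell($1_thunderbird_t)
# Startup shellscript
corecmd_exec_bin($1_thunderbird_t)
corecmd_search_sbin($1_thunderbird_t)
# Network: client access to the mail, news, ldap, printing and http
# ports only. Name resolution is granted further down.
corenet_non_ipsec_sendrecv($1_thunderbird_t)
corenet_tcp_sendrecv_generic_if($1_thunderbird_t)
corenet_tcp_sendrecv_all_nodes($1_thunderbird_t)
corenet_tcp_sendrecv_ipp_port($1_thunderbird_t)
corenet_tcp_sendrecv_ldap_port($1_thunderbird_t)
corenet_tcp_sendrecv_innd_port($1_thunderbird_t)
corenet_tcp_sendrecv_smtp_port($1_thunderbird_t)
corenet_tcp_sendrecv_pop_port($1_thunderbird_t)
corenet_tcp_sendrecv_http_port($1_thunderbird_t)
corenet_tcp_connect_ipp_port($1_thunderbird_t)
corenet_tcp_connect_ldap_port($1_thunderbird_t)
corenet_tcp_connect_innd_port($1_thunderbird_t)
corenet_tcp_connect_smtp_port($1_thunderbird_t)
corenet_tcp_connect_pop_port($1_thunderbird_t)
corenet_tcp_connect_http_port($1_thunderbird_t)
corenet_sendrecv_ipp_client_packets($1_thunderbird_t)
corenet_sendrecv_ldap_client_packets($1_thunderbird_t)
corenet_sendrecv_innd_client_packets($1_thunderbird_t)
corenet_sendrecv_smtp_client_packets($1_thunderbird_t)
corenet_sendrecv_pop_client_packets($1_thunderbird_t)
corenet_sendrecv_http_client_packets($1_thunderbird_t)
files_list_tmp($1_thunderbird_t)
files_read_usr_files($1_thunderbird_t)
files_read_etc_files($1_thunderbird_t)
files_read_etc_runtime_files($1_thunderbird_t)
files_read_var_files($1_thunderbird_t)
files_read_var_symlinks($1_thunderbird_t)
fs_getattr_xattr_fs($1_thunderbird_t)
# Access ~/.thunderbird
fs_search_auto_mountpoints($1_thunderbird_t)
fs_list_inotifyfs($1_thunderbird_t)
libs_use_shared_libs($1_thunderbird_t)
libs_use_ld_so($1_thunderbird_t)
miscfiles_read_fonts($1_thunderbird_t)
miscfiles_read_localization($1_thunderbird_t)
sysnet_read_config($1_thunderbird_t)
# Allow DNS
sysnet_dns_name_resolve($1_thunderbird_t)
userdom_manage_user_tmp_dirs($1,$1_thunderbird_t)
userdom_read_user_tmp_files($1,$1_thunderbird_t)
userdom_write_user_tmp_sockets($1,$1_thunderbird_t)
userdom_manage_user_tmp_sockets($1,$1_thunderbird_t)
# .kde/....gtkrc
userdom_read_user_home_content_files($1,$1_thunderbird_t)
xserver_user_client_template($1,$1_thunderbird_t,$1_thunderbird_tmpfs_t)
xserver_read_xdm_tmp_files($1_thunderbird_t)
# Transition from user type
# The automatic transition can be switched off with the
# disable_thunderbird_trans tunable; the explicit interface
# thunderbird_domtrans_user_thunderbird is not affected by it.
tunable_policy(`! disable_thunderbird_trans',`
domain_auto_trans($2, thunderbird_exec_t, $1_thunderbird_t)
')
# Access ~/.thunderbird
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs($1_thunderbird_t)
fs_manage_nfs_files($1_thunderbird_t)
fs_manage_nfs_symlinks($1_thunderbird_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_dirs($1_thunderbird_t)
fs_manage_cifs_files($1_thunderbird_t)
fs_manage_cifs_symlinks($1_thunderbird_t)
')
# Reading other content in the home directory, tmp and removable
# media is gated by mail_read_content; when it is off the accesses
# are silenced with dontaudit rather than granted.
tunable_policy(`mail_read_content && use_nfs_home_dirs',`
files_list_home($1_thunderbird_t)
fs_list_auto_mountpoints($1_thunderbird_t)
fs_read_nfs_files($1_thunderbird_t)
fs_read_nfs_symlinks($1_thunderbird_t)
',`
files_dontaudit_list_home($1_thunderbird_t)
fs_dontaudit_list_auto_mountpoints($1_thunderbird_t)
fs_dontaudit_list_nfs($1_thunderbird_t)
fs_dontaudit_read_nfs_files($1_thunderbird_t)
')
tunable_policy(`mail_read_content && use_samba_home_dirs',`
files_list_home($1_thunderbird_t)
fs_list_auto_mountpoints($1_thunderbird_t)
fs_read_cifs_files($1_thunderbird_t)
fs_read_cifs_symlinks($1_thunderbird_t)
',`
files_dontaudit_list_home($1_thunderbird_t)
fs_dontaudit_list_auto_mountpoints($1_thunderbird_t)
fs_dontaudit_read_cifs_files($1_thunderbird_t)
fs_dontaudit_list_cifs($1_thunderbird_t)
')
tunable_policy(`mail_read_content',`
userdom_list_user_tmp($1,$1_thunderbird_t)
userdom_read_user_tmp_files($1,$1_thunderbird_t)
userdom_read_user_tmp_symlinks($1,$1_thunderbird_t)
userdom_search_user_home_dirs($1,$1_thunderbird_t)
userdom_read_user_home_content_files($1,$1_thunderbird_t)
userdom_read_user_home_content_symlinks($1,$1_thunderbird_t)
ifndef(`enable_mls',`
fs_search_removable($1_thunderbird_t)
fs_read_removable_files($1_thunderbird_t)
fs_read_removable_symlinks($1_thunderbird_t)
')
',`
files_dontaudit_list_tmp($1_thunderbird_t)
files_dontaudit_list_home($1_thunderbird_t)
fs_dontaudit_list_removable($1_thunderbird_t)
fs_dontaudit_read_removable_files($1_thunderbird_t)
userdom_dontaudit_list_user_tmp($1,$1_thunderbird_t)
userdom_dontaudit_read_user_tmp_files($1,$1_thunderbird_t)
userdom_dontaudit_list_user_home_dirs($1,$1_thunderbird_t)
userdom_dontaudit_read_user_home_content_files($1,$1_thunderbird_t)
')
tunable_policy(`mail_read_content && read_default_t',`
files_list_default($1_thunderbird_t)
files_read_default_files($1_thunderbird_t)
files_read_default_symlinks($1_thunderbird_t)
',`
files_dontaudit_read_default_files($1_thunderbird_t)
files_dontaudit_list_default($1_thunderbird_t)
')
tunable_policy(`mail_read_content && read_untrusted_content',`
files_list_tmp($1_thunderbird_t)
files_list_home($1_thunderbird_t)
userdom_search_user_home_dirs($1,$1_thunderbird_t)
userdom_list_user_untrusted_content($1,$1_thunderbird_t)
userdom_read_user_untrusted_content_files($1,$1_thunderbird_t)
userdom_read_user_untrusted_content_symlinks($1,$1_thunderbird_t)
userdom_list_user_tmp_untrusted_content($1,$1_thunderbird_t)
userdom_read_user_tmp_untrusted_content_files($1,$1_thunderbird_t)
userdom_read_user_tmp_untrusted_content_symlinks($1,$1_thunderbird_t)
',`
files_dontaudit_list_tmp($1_thunderbird_t)
files_dontaudit_list_home($1_thunderbird_t)
userdom_dontaudit_list_user_home_dirs($1,$1_thunderbird_t)
userdom_dontaudit_list_user_untrusted_content($1,$1_thunderbird_t)
userdom_dontaudit_read_user_untrusted_content_files($1,$1_thunderbird_t)
userdom_dontaudit_list_user_tmp_untrusted_content($1,$1_thunderbird_t)
userdom_dontaudit_read_user_tmp_untrusted_content_files($1,$1_thunderbird_t)
')
# Manage nfs homedirs
tunable_policy(`write_untrusted_content && use_nfs_home_dirs',`
files_search_home($1_thunderbird_t)
fs_search_auto_mountpoints($1_thunderbird_t)
fs_manage_nfs_dirs($1_thunderbird_t)
fs_manage_nfs_files($1_thunderbird_t)
fs_manage_nfs_symlinks($1_thunderbird_t)
',`
fs_dontaudit_list_auto_mountpoints($1_thunderbird_t)
fs_dontaudit_manage_nfs_dirs($1_thunderbird_t)
fs_dontaudit_manage_nfs_files($1_thunderbird_t)
')
# Manage samba homedirs
tunable_policy(`write_untrusted_content && use_samba_home_dirs',`
files_search_home($1_thunderbird_t)
fs_search_auto_mountpoints($1_thunderbird_t)
fs_manage_cifs_dirs($1_thunderbird_t)
fs_manage_cifs_files($1_thunderbird_t)
fs_manage_cifs_symlinks($1_thunderbird_t)
',`
fs_dontaudit_list_auto_mountpoints($1_thunderbird_t)
fs_dontaudit_manage_cifs_dirs($1_thunderbird_t)
fs_dontaudit_manage_cifs_files($1_thunderbird_t)
')
# Manage /tmp and /home
# NOTE(review): $1_untrusted_content_tmp_t is a userdomain private
# type referenced directly here and not required; the userdom_ calls
# right after it are the supported path. Also confirm that the third
# argument of userdom_manage_user_untrusted_content_files is an object
# class as used here.
tunable_policy(`write_untrusted_content',`
files_search_home($1_thunderbird_t)
files_tmp_filetrans($1_thunderbird_t,$1_untrusted_content_tmp_t,file)
files_tmp_filetrans($1_thunderbird_t,$1_untrusted_content_tmp_t,dir)
userdom_manage_user_untrusted_content_files($1,$1_thunderbird_t,file)
userdom_manage_user_untrusted_content_files($1,$1_thunderbird_t,dir)
',`
files_dontaudit_list_home($1_thunderbird_t)
files_dontaudit_list_tmp($1_thunderbird_t)
userdom_dontaudit_list_user_home_dirs($1,$1_thunderbird_t)
userdom_dontaudit_manage_user_tmp_dirs($1,$1_thunderbird_t)
userdom_dontaudit_manage_user_tmp_files($1,$1_thunderbird_t)
userdom_dontaudit_manage_user_home_content_dirs($1,$1_thunderbird_t)
')
# Optional integrations. The gpg and lpr transitions keep signing and
# printing in their own domains rather than inside $1_thunderbird_t.
optional_policy(`
nscd_socket_use($1_thunderbird_t)
')
optional_policy(`
dbus_system_bus_client_template($1_thunderbird,$1_thunderbird_t)
dbus_user_bus_client_template($1,$1_thunderbird,$1_thunderbird_t)
dbus_send_system_bus($1_thunderbird_t)
dbus_send_user_bus($1,$1_thunderbird_t)
')
optional_policy(`
lpd_domtrans_user_lpr($1,$1_thunderbird_t)
')
optional_policy(`
cups_read_rw_config($1_thunderbird_t)
')
optional_policy(`
gpg_domtrans_user_gpg($1,$1_thunderbird_t)
')
optional_policy(`
nis_use_ypbind($1_thunderbird_t)
')
optional_policy(`
ssh_dontaudit_use_user_ssh_agent_fds($1, $1_thunderbird_t)
')
optional_policy(`
gnome_stream_connect_gconf_template($1,$1_thunderbird_t)
gnome_domtrans_user_gconf($1, $1_thunderbird_t)
gnome_manage_user_gnome_config($1, $1_thunderbird_t)
')
optional_policy(`
mozilla_read_user_home_files($1, $1_thunderbird_t)
mozilla_domtrans_user_mozilla($1, $1_thunderbird_t)
')
# Disabled by ifdef TODO and kept for reference only. The inner block
# refers to $1_t, $2_dbusd_t and cups types, none of which are
# declared or required here.
# Fix: the misspelt optinal_policy was corrected to optional_policy.
ifdef(`TODO',`
# FIXME: Rules were removed to centralize policy in a gnome_app macro
# A similar thing might be necessary for mozilla compiled without GNOME
# support (is this possible?).
# GNOME support
optional_policy(`
gnome_application($1_thunderbird, $1)
gnome_file_dialog($1_thunderbird, $1)
allow $1_thunderbird_t $1_gnome_settings_t:file { read write };
')
optional_policy(`
allow $1_t $2_dbusd_t:dbus send_msg;
ifdef(`cups.te', `
allow cupsd_t $1_t:dbus send_msg;
')
')
')
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `thunderbird_per_role_template'($*)) dnl
')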
########################################
##
## Run thunderbird in user thunderbird domain.
##
##
##
## Run thunderbird in thunderbird domain.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain allowed access.
##
##
#
define(`thunderbird_domtrans_user_thunderbird',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `thunderbird_domtrans_user_thunderbird'($*)) dnl
gen_require(`
type $1_thunderbird_t, thunderbird_exec_t;
')
# Parent side: $2 may use descriptors the thunderbird domain holds.
allow $2 $1_thunderbird_t:fd use;
# Child side: the thunderbird domain inherits descriptors and the pipe
# from $2 and reports its exit with SIGCHLD.
allow $1_thunderbird_t $2:process sigchld;
allow $1_thunderbird_t $2:fifo_file rw_file_perms;
allow $1_thunderbird_t $2:fd use;
# Automatic transition on exec of thunderbird_exec_t. Note that the
# disable_thunderbird_trans tunable in thunderbird_per_role_template
# does not gate this interface; callers get the transition
# unconditionally.
domain_auto_trans($2,thunderbird_exec_t,$1_thunderbird_t)
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `thunderbird_domtrans_user_thunderbird'($*)) dnl
')
## tvtime - a high quality television application
#######################################
##
## The per role template for the tvtime module.
##
##
##
## This template creates derived domains which are used
## for tvtime.
##
##
## This template is invoked automatically for each user, and
## generally does not need to be invoked directly
## by policy writers.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## The type of the user domain.
##
##
##
##
## The role associated with the user domain.
##
##
#
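define(`tvtime_per_role_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `tvtime_per_role_template'($*)) dnl
gen_require(`
type tvtime_exec_t;
')
########################################
#
# Declarations
#
# Fix: tvtime_exec_t is the entry point below but was not required,
# unlike screen_exec_t in screen_per_role_template, so this template
# only built when expanded inside the tvtime module itself.
#
# Derived tvtime domain for the user prefix $1, entered from the user
# domain $2 and bound to role $3.
type $1_tvtime_t;
domain_type($1_tvtime_t)
domain_entry_file($1_tvtime_t,tvtime_exec_t)
role $3 types $1_tvtime_t;
# Per-user home content (~/.tvtime), polyinstantiated.
type $1_tvtime_home_t alias $1_tvtime_rw_t;
userdom_user_home_content($1,$1_tvtime_home_t)
files_poly_member($1_tvtime_home_t)
type $1_tvtime_tmp_t;
files_tmp_file($1_tvtime_tmp_t)
type $1_tvtime_tmpfs_t;
files_tmpfs_file($1_tvtime_tmpfs_t)
########################################
#
# Local policy
#
# setuid plus sys_nice/sys_resource and setsched: enough to raise its
# own scheduling priority and change uid. No dac_override is granted,
# so file access still goes through the normal DAC checks.
allow $1_tvtime_t self:capability { setuid sys_nice sys_resource };
allow $1_tvtime_t self:process setsched;
allow $1_tvtime_t self:unix_dgram_socket rw_socket_perms;
allow $1_tvtime_t self:unix_stream_socket rw_stream_socket_perms;
# Home files: full management, with new directories created in the
# user home directory labeled $1_tvtime_home_t.
allow $1_tvtime_t $1_tvtime_home_t:dir manage_dir_perms;
allow $1_tvtime_t $1_tvtime_home_t:file manage_file_perms;
allow $1_tvtime_t $1_tvtime_home_t:lnk_file create_lnk_perms;
# Fix: a raw type_transition on $1_home_dir_t used to sit here. That
# type belongs to the userdomain module and was neither required nor
# reached through an interface; the userdom call below installs the
# same transition through the supported path, so the raw rule is gone.
userdom_user_home_dir_filetrans($1,$1_tvtime_t,$1_tvtime_home_t,dir)
# Private tmp content.
allow $1_tvtime_t $1_tvtime_tmp_t:dir create_dir_perms;
allow $1_tvtime_t $1_tvtime_tmp_t:file create_file_perms;
files_tmp_filetrans($1_tvtime_t, $1_tvtime_tmp_t, { file dir fifo_file })
# Private tmpfs content, spelled out as explicit permission lists.
allow $1_tvtime_t $1_tvtime_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
allow $1_tvtime_t $1_tvtime_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
allow $1_tvtime_t $1_tvtime_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
allow $1_tvtime_t $1_tvtime_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
allow $1_tvtime_t $1_tvtime_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
fs_tmpfs_filetrans($1_tvtime_t,$1_tvtime_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
# Automatic transition from the user domain on exec, plus the usual
# parent/child plumbing (descriptors, pipe, SIGCHLD).
domain_auto_trans($2, tvtime_exec_t, $1_tvtime_t)
allow $2 $1_tvtime_t:fd use;
allow $1_tvtime_t $2:fd use;
allow $1_tvtime_t $2:fifo_file rw_file_perms;
allow $1_tvtime_t $2:process sigchld;
# The user domain manages and may relabel the tvtime home content.
allow $2 $1_tvtime_home_t:dir manage_dir_perms;
allow $2 $1_tvtime_home_t:file manage_file_perms;
allow $2 $1_tvtime_home_t:lnk_file create_lnk_perms;
allow $2 $1_tvtime_home_t:{ dir file lnk_file } { relabelfrom relabelto };
# Allow the user domain to signal and inspect (ps) the tvtime process.
allow $2 $1_tvtime_t:dir { search getattr read };
allow $2 $1_tvtime_t:{ file lnk_file } { read getattr };
allow $2 $1_tvtime_t:process getattr;
allow $2 $1_tvtime_t:process signal_perms;
kernel_read_all_sysctls($1_tvtime_t)
kernel_get_sysvipc_info($1_tvtime_t)
dev_read_urand($1_tvtime_t)
dev_read_realtime_clock($1_tvtime_t)
dev_read_sound($1_tvtime_t)
files_read_usr_files($1_tvtime_t)
files_search_pids($1_tvtime_t)
# Read /etc/tvtime
files_read_etc_files($1_tvtime_t)
# Home directories may sit below automounted mountpoints.
fs_search_auto_mountpoints($1_tvtime_t)
libs_use_ld_so($1_tvtime_t)
libs_use_shared_libs($1_tvtime_t)
miscfiles_read_localization($1_tvtime_t)
miscfiles_read_fonts($1_tvtime_t)
userdom_use_user_terminals($1,$1_tvtime_t)
userdom_read_user_home_content_files($1,$1_tvtime_t)
# Home directories on NFS or CIFS, when those tunables are enabled.
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs($1_tvtime_t)
fs_manage_nfs_files($1_tvtime_t)
fs_manage_nfs_symlinks($1_tvtime_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_dirs($1_tvtime_t)
fs_manage_cifs_files($1_tvtime_t)
fs_manage_cifs_symlinks($1_tvtime_t)
')
# X client access is optional, passing the tmpfs type as the third
# argument.
optional_policy(`
xserver_user_client_template($1,$1_tvtime_t,$1_tvtime_tmpfs_t)
')
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `tvtime_per_role_template'($*)) dnl
')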
## Policy for UML
#######################################
##
## The per role template for the uml module.
##
##
##
## This template creates derived domains which are used
## for uml program.
##
##
## This template is invoked automatically for each user, and
## generally does not need to be invoked directly
## by policy writers.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## The type of the user domain.
##
##
##
##
## The role associated with the user domain.
##
##
#
define(`uml_per_role_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `uml_per_role_template'($*)) dnl
#
# Per-role UML template. $1 is the user prefix, $2 the user domain that
# transitions into the new domain, $3 the role granted the new domain.
# Declares $1_uml_t with its own entrypoint, read-only / read-write data
# types, tmp, tmpfs and pty types, then grants access in both directions
# between $2 and $1_uml_t.
# NOTE(review): uml_ro_t and uml_exec_t are referenced below, but no
# gen_require block in this template declares them; confirm they are in
# scope when this template is expanded inside a loadable module.
#
########################################
#
# Declarations
#
type $1_uml_t;
domain_type($1_uml_t)
role $3 types $1_uml_t;
type $1_uml_exec_t;
domain_entry_file($1_uml_t,$1_uml_exec_t)
# per-user read-only and read-write data
type $1_uml_ro_t;
files_type($1_uml_ro_t)
type $1_uml_rw_t;
files_type($1_uml_rw_t)
type $1_uml_tmp_t;
files_tmp_file($1_uml_tmp_t)
type $1_uml_tmpfs_t;
files_tmpfs_file($1_uml_tmpfs_t)
# pty created and used by the UML process (see term_create_pty below)
type $1_uml_devpts_t;
term_pty($1_uml_devpts_t)
########################################
#
# Local policy
#
allow $1_uml_t self:fifo_file rw_file_perms;
# NOTE(review): ptrace on self is granted unconditionally; confirm it is
# still needed, since it lets the domain read its own process memory.
allow $1_uml_t self:process { signal_perms ptrace };
allow $1_uml_t self:unix_stream_socket create_stream_socket_perms;
allow $1_uml_t self:unix_dgram_socket create_socket_perms;
# Use the network.
allow $1_uml_t self:tcp_socket create_stream_socket_perms;
allow $1_uml_t self:udp_socket create_socket_perms;
# report exit status to, and share pipes with, the user domain
allow $1_uml_t $2:process sigchld;
allow $1_uml_t $2:fifo_file { ioctl read write getattr lock append };
# allow the UML thing to happen
allow $1_uml_t $1_uml_devpts_t:chr_file { rw_file_perms setattr };
term_create_pty($1_uml_t,$1_uml_devpts_t)
allow $1_uml_t $1_uml_tmp_t:dir create_dir_perms;
allow $1_uml_t $1_uml_tmp_t:file create_file_perms;
files_tmp_filetrans($1_uml_t, $1_uml_tmp_t, { file dir })
# files this domain creates in its tmp type are also executable by it,
# so the tmp type is effectively writable and executable for $1_uml_t
can_exec($1_uml_t, $1_uml_tmp_t)
allow $1_uml_t $1_uml_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
allow $1_uml_t $1_uml_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
allow $1_uml_t $1_uml_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
allow $1_uml_t $1_uml_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
allow $1_uml_t $1_uml_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
fs_tmpfs_filetrans($1_uml_t,$1_uml_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
# same writable-and-executable property for the tmpfs type
can_exec($1_uml_t, $1_uml_tmpfs_t)
# access config files
# read-only data: both the per-user $1_uml_ro_t and the shared uml_ro_t
allow $1_uml_t { $1_uml_ro_t uml_ro_t }:dir r_dir_perms;
allow $1_uml_t { $1_uml_ro_t uml_ro_t }:file r_file_perms;
allow $1_uml_t { $1_uml_ro_t uml_ro_t }:lnk_file { getattr read };
# read-write data; new objects in the user home directory get $1_uml_rw_t
allow $1_uml_t $1_uml_rw_t:dir create_dir_perms;
allow $1_uml_t $1_uml_rw_t:file create_file_perms;
allow $1_uml_t $1_uml_rw_t:lnk_file create_lnk_perms;
allow $1_uml_t $1_uml_rw_t:sock_file create_file_perms;
allow $1_uml_t $1_uml_rw_t:fifo_file create_file_perms;
userdom_user_home_dir_filetrans($1,$1_uml_t,$1_uml_rw_t,{ file lnk_file sock_file fifo_file })
# the user domain reads the shared read-only data ...
allow $2 uml_ro_t:dir r_dir_perms;
allow $2 uml_ro_t:file r_file_perms;
allow $2 uml_ro_t:lnk_file { getattr read };
# ... and fully manages and relabels the per-user ro, rw and exec types.
# Because $2 may create and relabel files to $1_uml_exec_t, the user
# domain decides which files are entrypoints for $1_uml_t.
allow $2 { $1_uml_ro_t $1_uml_rw_t }:{ file sock_file fifo_file } { relabelfrom relabelto create_file_perms };
allow $2 { $1_uml_ro_t $1_uml_rw_t }:lnk_file { relabelfrom relabelto create_lnk_perms };
allow $2 { $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t }:dir { relabelfrom relabelto create_dir_perms };
allow $2 $1_uml_exec_t:file { relabelfrom relabelto create_file_perms };
# the user domain may ptrace and signal the UML domain
allow $2 $1_uml_t:process ptrace;
allow $2 $1_uml_t:process signal_perms;
# allow ps, ptrace, signal
allow $2 $1_uml_t:dir { search getattr read };
allow $2 $1_uml_t:{ file lnk_file } { read getattr };
allow $2 $1_uml_t:process getattr;
# the user domain manages the UML tmp files
allow $2 $1_uml_tmp_t:dir create_dir_perms;
allow $2 $1_uml_tmp_t:file create_file_perms;
allow $2 $1_uml_tmp_t:lnk_file create_lnk_perms;
allow $2 $1_uml_tmp_t:sock_file create_file_perms;
# Transition from the user domain to this domain.
# Both the shared uml_exec_t and the per-user $1_uml_exec_t are entrypoints.
domain_auto_trans($2, { uml_exec_t $1_uml_exec_t }, $1_uml_t)
can_exec($1_uml_t, { uml_exec_t $1_uml_exec_t })
# for mconsole
# unix datagram traffic in both directions between $2 and $1_uml_t
allow { $2 $1_uml_t } $1_uml_t:unix_dgram_socket sendto;
allow $1_uml_t $2:unix_dgram_socket sendto;
kernel_read_system_state($1_uml_t)
# for SKAS - need something better
# NOTE(review): by interface name this is write access to proc files for
# the whole domain, which is broad for a user-derived domain.
kernel_write_proc_files($1_uml_t)
# for xterm
corecmd_exec_bin($1_uml_t)
corecmd_exec_sbin($1_uml_t)
# client networking on any interface, node and port (by interface name),
# plus tun/tap device access, presumably for guest networking
corenet_non_ipsec_sendrecv($1_uml_t)
corenet_tcp_sendrecv_generic_if($1_uml_t)
corenet_udp_sendrecv_generic_if($1_uml_t)
corenet_tcp_sendrecv_all_nodes($1_uml_t)
corenet_udp_sendrecv_all_nodes($1_uml_t)
corenet_tcp_sendrecv_all_ports($1_uml_t)
corenet_udp_sendrecv_all_ports($1_uml_t)
corenet_tcp_connect_all_ports($1_uml_t)
corenet_sendrecv_all_client_packets($1_uml_t)
corenet_rw_tun_tap_dev($1_uml_t)
domain_use_interactive_fds($1_uml_t)
# for xterm
files_read_etc_files($1_uml_t)
files_dontaudit_read_etc_runtime_files($1_uml_t)
# putting uml data under /var is usual...
files_search_var($1_uml_t)
fs_getattr_xattr_fs($1_uml_t)
init_read_utmp($1_uml_t)
init_dontaudit_write_utmp($1_uml_t)
# for xterm
libs_use_ld_so($1_uml_t)
libs_use_shared_libs($1_uml_t)
libs_exec_lib_files($1_uml_t)
# Inherit and use descriptors from newrole.
seutil_use_newrole_fds($1_uml_t)
# Use the network.
sysnet_read_config($1_uml_t)
userdom_use_user_terminals($1,$1_uml_t)
optional_policy(`
nis_use_ypbind($1_uml_t)
')
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `uml_per_role_template'($*)) dnl
')
########################################
##
## Set attributes on uml utility socket files.
##
##
##
## Domain allowed access.
##
##
#
define(`uml_setattr_util_sockets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `uml_setattr_util_sockets'($*)) dnl
gen_require(`
type uml_switch_var_run_t;
')
# $1 may change attributes of uml_switch socket files only; this grants
# no read, write or connect access to the sockets themselves.
allow $1 uml_switch_var_run_t:sock_file setattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `uml_setattr_util_sockets'($*)) dnl
')
########################################
##
## Manage uml utility files.
##
##
##
## Domain allowed access.
##
##
#
define(`uml_manage_util_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `uml_manage_util_files'($*)) dnl
gen_require(`
type uml_switch_var_run_t;
')
# $1 gets read-write access to the uml_switch runtime directory and may
# create, modify and remove regular files and symlinks in it.
allow $1 uml_switch_var_run_t:dir rw_dir_perms;
allow $1 uml_switch_var_run_t:file create_file_perms;
allow $1 uml_switch_var_run_t:lnk_file create_lnk_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `uml_manage_util_files'($*)) dnl
')
## SELinux utility to run a shell with a new role
#######################################
##
## The per role template for the userhelper module.
##
##
##
## This template creates derived domains which are used
## for userhelper.
##
##
## This template is invoked automatically for each user, and
## generally does not need to be invoked directly
## by policy writers.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## The type of the user domain.
##
##
##
##
## The role associated with the user domain.
##
##
#
define(`userhelper_per_role_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userhelper_per_role_template'($*)) dnl
#
# Per-role userhelper template. $1 is the user prefix, $2 the user domain
# that transitions into $1_userhelper_t, $3 the role granted the domain.
# The derived domain is an identity-changing helper: it gets setuid,
# setgid and dac_override, is exempt from the role/subject/object id
# change checks, and can transition into other user domains (and, when
# secure_mode is off, into sysadm_t).
#
gen_require(`
type userhelper_exec_t, userhelper_conf_t;
')
########################################
#
# Declarations
#
type $1_userhelper_t;
domain_type($1_userhelper_t)
# shared entrypoint for every per-role userhelper domain
domain_entry_file($1_userhelper_t,userhelper_exec_t)
# exemptions that let this domain change role, object ids and subject
# ids, which a normal domain is not allowed to do
domain_role_change_exemption($1_userhelper_t)
domain_obj_id_change_exemption($1_userhelper_t)
domain_interactive_fd($1_userhelper_t)
domain_subj_id_change_exemption($1_userhelper_t)
role $3 types $1_userhelper_t;
########################################
#
# Local policy
#
# identity-changing and DAC-bypassing capabilities; together with the
# exemptions above this makes the entrypoint label the only thing that
# keeps this domain from being entered by arbitrary programs
allow $1_userhelper_t self:capability { setuid setgid net_bind_service dac_override chown sys_tty_config };
# everything on self:process except the listed permissions; note that
# setexec is granted again further down, so it is not actually excluded
allow $1_userhelper_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow $1_userhelper_t self:fd use;
allow $1_userhelper_t self:fifo_file rw_file_perms;
allow $1_userhelper_t self:shm create_shm_perms;
allow $1_userhelper_t self:sem create_sem_perms;
allow $1_userhelper_t self:msgq create_msgq_perms;
allow $1_userhelper_t self:msg { send receive };
allow $1_userhelper_t self:unix_dgram_socket create_socket_perms;
allow $1_userhelper_t self:unix_stream_socket create_stream_socket_perms;
allow $1_userhelper_t self:unix_dgram_socket sendto;
allow $1_userhelper_t self:unix_stream_socket connectto;
allow $1_userhelper_t self:sock_file r_file_perms;
#Transition to the derived domain.
domain_auto_trans($2,userhelper_exec_t,$1_userhelper_t)
# descriptors and pipes are shared with the calling user domain, which
# also receives sigchld when the helper exits
allow $2 $1_userhelper_t:fd use;
allow $1_userhelper_t $2:fd use;
allow $1_userhelper_t $2:fifo_file rw_file_perms;
allow $1_userhelper_t $2:process sigchld;
# adds setexec back after the exclusion above
allow $1_userhelper_t self:process setexec;
allow $1_userhelper_t userhelper_conf_t:file rw_file_perms;
allow $1_userhelper_t userhelper_conf_t:dir rw_dir_perms;
can_exec($1_userhelper_t, userhelper_exec_t)
dontaudit $2 $1_userhelper_t:process signal;
kernel_read_all_sysctls($1_userhelper_t)
kernel_getattr_debugfs($1_userhelper_t)
kernel_read_system_state($1_userhelper_t)
# Execute shells
corecmd_exec_shell($1_userhelper_t)
# By default, revert to the calling domain when a program is executed
corecmd_bin_domtrans($1_userhelper_t,$2)
corecmd_sbin_domtrans($1_userhelper_t,$2)
# Inherit descriptors from the current session.
domain_use_interactive_fds($1_userhelper_t)
# for when the user types "exec userhelper" at the command line
domain_sigchld_interactive_fds($1_userhelper_t)
dev_read_urand($1_userhelper_t)
# Read /dev directories and any symbolic links.
dev_list_all_dev_nodes($1_userhelper_t)
files_list_var_lib($1_userhelper_t)
# Write to utmp.
# NOTE(review): initrc_var_run_t is not listed in the gen_require block
# at the top of this template (only userhelper_exec_t and
# userhelper_conf_t are); a loadable-module build needs it declared.
files_pid_filetrans($1_userhelper_t,initrc_var_run_t,file)
# Read the /etc/security/default_type file
files_read_etc_files($1_userhelper_t)
# Read /var.
files_read_var_files($1_userhelper_t)
files_read_var_symlinks($1_userhelper_t)
# for some PAM modules and for cwd
files_search_home($1_userhelper_t)
fs_search_auto_mountpoints($1_userhelper_t)
fs_read_nfs_files($1_userhelper_t)
fs_read_nfs_symlinks($1_userhelper_t)
# Allow $1_userhelper to obtain contexts to relabel TTYs
selinux_get_fs_mount($1_userhelper_t)
selinux_validate_context($1_userhelper_t)
selinux_compute_access_vector($1_userhelper_t)
selinux_compute_create_context($1_userhelper_t)
selinux_compute_relabel_context($1_userhelper_t)
selinux_compute_user_contexts($1_userhelper_t)
# Read the devpts root directory.
term_list_ptys($1_userhelper_t)
# Relabel terminals.
term_relabel_all_user_ttys($1_userhelper_t)
term_relabel_all_user_ptys($1_userhelper_t)
# Access terminals.
term_use_all_user_ttys($1_userhelper_t)
term_use_all_user_ptys($1_userhelper_t)
# password checking and updating happen in their own domains (domain
# transitions by interface name), not in $1_userhelper_t itself
auth_domtrans_chk_passwd($1_userhelper_t)
auth_domtrans_upd_passwd($1_userhelper_t)
auth_manage_pam_pid($1_userhelper_t)
auth_manage_var_auth($1_userhelper_t)
auth_search_pam_console_data($1_userhelper_t)
# Inherit descriptors from the current session.
init_use_fds($1_userhelper_t)
# Write to utmp.
init_manage_utmp($1_userhelper_t)
libs_use_ld_so($1_userhelper_t)
libs_use_shared_libs($1_userhelper_t)
miscfiles_read_localization($1_userhelper_t)
seutil_read_config($1_userhelper_t)
seutil_read_default_contexts($1_userhelper_t)
userdom_use_unpriv_users_fds($1_userhelper_t)
# Allow $1_userhelper_t to transition to user domains.
userdom_bin_spec_domtrans_unpriv_users($1_userhelper_t)
userdom_sbin_spec_domtrans_unpriv_users($1_userhelper_t)
userdom_entry_spec_domtrans_unpriv_users($1_userhelper_t)
ifdef(`distro_redhat',`
optional_policy(`
# Allow transitioning to rpm_t, for up2date
rpm_domtrans($1_userhelper_t)
')
')
# NOTE(review): with secure_mode off, this user-derived domain can reach
# sysadm_t; deployments that want userhelper confined rely on the
# secure_mode tunable being set.
tunable_policy(`! secure_mode',`
#if we are not in secure mode then we can transition to sysadm_t
userdom_bin_spec_domtrans_sysadm($1_userhelper_t)
userdom_sbin_spec_domtrans_sysadm($1_userhelper_t)
userdom_entry_spec_domtrans_sysadm($1_userhelper_t)
')
optional_policy(`
ethereal_domtrans_user_ethereal($1,$1_userhelper_t)
')
optional_policy(`
logging_send_syslog_msg($1_userhelper_t)
')
optional_policy(`
nis_use_ypbind($1_userhelper_t)
')
optional_policy(`
nscd_socket_use($1_userhelper_t)
')
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userhelper_per_role_template'($*)) dnl
')
########################################
##
## Search the userhelper configuration directory.
##
##
##
## Domain allowed access.
##
##
#
define(`userhelper_search_config',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userhelper_search_config'($*)) dnl
gen_require(`
type userhelper_conf_t;
')
# search only: $1 may traverse the userhelper config directory but gets
# no access to the files inside it from this interface
allow $1 userhelper_conf_t:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userhelper_search_config'($*)) dnl
')
########################################
##
## Do not audit attempts to search
## the userhelper configuration directory.
##
##
##
## Domain to not audit.
##
##
#
define(`userhelper_dontaudit_search_config',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userhelper_dontaudit_search_config'($*)) dnl
gen_require(`
type userhelper_conf_t;
')
# silence denials only; the search is still refused for $1
dontaudit $1 userhelper_conf_t:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userhelper_dontaudit_search_config'($*)) dnl
')
########################################
##
## Allow domain to use userhelper file descriptor.
##
##
##
## The prefix of the domain (e.g., user is the prefix of user_t).
##
##
##
##
## Domain allowed access.
##
##
#
define(`userhelper_use_user_fd',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userhelper_use_user_fd'($*)) dnl
gen_require(`
type $1_userhelper_t;
')
# $2 may use descriptors inherited from the per-role domain $1_userhelper_t
allow $2 $1_userhelper_t:fd use;
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userhelper_use_user_fd'($*)) dnl
')
########################################
##
## Allow domain to send sigchld to userhelper.
##
##
##
## The prefix of the domain (e.g., user is the prefix of user_t).
##
##
##
##
## Domain allowed access.
##
##
#
define(`userhelper_sigchld_user',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userhelper_sigchld_user'($*)) dnl
gen_require(`
type $1_userhelper_t;
')
# sigchld only, so $2 can report child exit to $1_userhelper_t without
# being able to send other signals to it
allow $2 $1_userhelper_t:process sigchld;
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userhelper_sigchld_user'($*)) dnl
')
########################################
##
## Execute the userhelper program in the caller domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`userhelper_exec',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userhelper_exec'($*)) dnl
gen_require(`
type userhelper_exec_t;
')
# run the binary without a domain transition: it executes in $1 with
# only the permissions of $1 (the per-role template handles transitions)
can_exec($1,userhelper_exec_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userhelper_exec'($*)) dnl
')
## User network interface configuration helper
########################################
##
## Execute usernetctl in the usernetctl domain.
##
##
##
## Domain allowed access.
##
##
#
define(`usernetctl_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `usernetctl_domtrans'($*)) dnl
gen_require(`
type usernetctl_t, usernetctl_exec_t;
')
# The transition is gated on the user_net_control tunable. When it is
# on, $1 enters usernetctl_t and the usual fd / pipe / sigchld sharing
# with the caller is set up; when it is off, the binary merely runs in
# $1 itself (can_exec), so $1 gains no permissions from usernetctl_t.
tunable_policy(`user_net_control',`
domain_auto_trans($1,usernetctl_exec_t,usernetctl_t)
allow $1 usernetctl_t:fd use;
allow usernetctl_t $1:fd use;
allow usernetctl_t $1:fifo_file rw_file_perms;
allow usernetctl_t $1:process sigchld;
',`
can_exec($1,usernetctl_exec_t)
')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `usernetctl_domtrans'($*)) dnl
')
########################################
##
## Execute usernetctl in the usernetctl domain, and
## allow the specified role the usernetctl domain.
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed the usernetctl domain.
##
##
##
##
## The type of the terminal the usernetctl domain is allowed to use.
##
##
##
#
define(`usernetctl_run',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `usernetctl_run'($*)) dnl
gen_require(`
type usernetctl_t;
')
# $1 transitions to usernetctl_t (subject to the user_net_control
# tunable inside usernetctl_domtrans), role $2 is granted the domain,
# and $3 is the terminal type it may read and write.
usernetctl_domtrans($1)
role $2 types usernetctl_t;
allow usernetctl_t $3:chr_file rw_term_perms;
# usernetctl_t in turn runs ifconfig and dhcpc, and optionally
# consoletype, iptables and insmod, with the same role and terminal;
# the role $2 therefore indirectly reaches those domains as well
sysnet_run_ifconfig(usernetctl_t,$2,$3)
sysnet_run_dhcpc(usernetctl_t,$2,$3)
optional_policy(`
consoletype_run(usernetctl_t,$2,$3)
')
optional_policy(`
iptables_run(usernetctl_t,$2,$3)
')
optional_policy(`
modutils_run_insmod(usernetctl_t,$2,$3)
')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `usernetctl_run'($*)) dnl
')
## VMWare Workstation virtual machines
#######################################
##
## The per role template for the vmware module.
##
##
##
## This template creates a derived domain which is used
## for vmware sessions.
##
##
## This template is invoked automatically for each user, and
## generally does not need to be invoked directly
## by policy writers.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## The type of the user domain.
##
##
##
##
## The role associated with the user domain.
##
##
#
define(`vmware_per_role_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `vmware_per_role_template'($*)) dnl
#
# Per-role VMware template. $1 is the user prefix, $2 the user domain
# that transitions into $1_vmware_t, $3 the role granted the domain.
# The derived domain is reachable from $2 via domain_auto_trans yet
# holds sys_admin, sys_rawio and raw memory access (see below), so it is
# effectively a host-privileged domain entered from a user domain.
# NOTE(review): this template has no gen_require block, although it
# references vmware_exec_t and vmware_sys_conf_t; confirm both are in
# scope when the template is expanded inside a loadable module.
#
##############################
#
# Declarations
#
type $1_vmware_t;
domain_type($1_vmware_t)
domain_entry_file($1_vmware_t,vmware_exec_t)
role $3 types $1_vmware_t;
# per-user configuration and disk image types live in the home directory
type $1_vmware_conf_t;
userdom_user_home_content($1,$1_vmware_conf_t)
type $1_vmware_file_t;
userdom_user_home_content($1,$1_vmware_file_t)
type $1_vmware_tmp_t;
files_tmp_file($1_vmware_tmp_t)
type $1_vmware_tmpfs_t;
files_tmpfs_file($1_vmware_tmpfs_t)
type $1_vmware_var_run_t;
files_pid_file($1_vmware_var_run_t)
##############################
#
# Local policy
#
domain_auto_trans($2, vmware_exec_t, $1_vmware_t)
allow $1_vmware_t $2:fd use;
allow $1_vmware_t $2:fifo_file rw_file_perms;
allow $1_vmware_t $2:process sigchld;
# sys_admin and sys_rawio together with dac_override: a very broad
# capability set for a domain entered from an unprivileged user domain
allow $1_vmware_t self:capability { dac_override setgid sys_nice sys_resource setuid sys_admin sys_rawio chown };
dontaudit $1_vmware_t self:capability sys_tty_config;
# the next two rules combine to: all process perms except ptrace,
# setcurrent, setexec, setfscreate, setrlimit and execheap; execmem and
# execstack are excluded by the first rule but granted by the second
allow $1_vmware_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow $1_vmware_t self:process { execmem execstack };
allow $1_vmware_t self:fd use;
allow $1_vmware_t self:fifo_file rw_file_perms;
allow $1_vmware_t self:unix_dgram_socket create_socket_perms;
allow $1_vmware_t self:unix_stream_socket create_stream_socket_perms;
allow $1_vmware_t self:unix_dgram_socket sendto;
allow $1_vmware_t self:unix_stream_socket connectto;
allow $1_vmware_t self:shm create_shm_perms;
allow $1_vmware_t self:sem create_sem_perms;
allow $1_vmware_t self:msgq create_msgq_perms;
allow $1_vmware_t self:msg { send receive };
can_exec($1_vmware_t, vmware_exec_t)
# User configuration files
allow $1_vmware_t $1_vmware_conf_t:file manage_file_perms;
# VMWare disks
allow $1_vmware_t $1_vmware_file_t:dir rw_dir_perms;
allow $1_vmware_t $1_vmware_file_t:file manage_file_perms;
allow $1_vmware_t $1_vmware_file_t:lnk_file create_lnk_perms;
allow $1_vmware_t $1_vmware_tmp_t:dir manage_dir_perms;
# tmp files are both writable and executable for this domain
allow $1_vmware_t $1_vmware_tmp_t:file { manage_file_perms execute };
allow $1_vmware_t $1_vmware_tmp_t:sock_file manage_file_perms;
files_tmp_filetrans($1_vmware_t, $1_vmware_tmp_t, { file dir })
allow $1_vmware_t $1_vmware_tmpfs_t:dir rw_dir_perms;
allow $1_vmware_t $1_vmware_tmpfs_t:file manage_file_perms;
allow $1_vmware_t $1_vmware_tmpfs_t:lnk_file create_lnk_perms;
allow $1_vmware_t $1_vmware_tmpfs_t:sock_file manage_file_perms;
allow $1_vmware_t $1_vmware_tmpfs_t:fifo_file manage_file_perms;
fs_tmpfs_filetrans($1_vmware_t,$1_vmware_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
# Read global configuration files (vmware_sys_conf_t)
allow $1_vmware_t vmware_sys_conf_t:dir r_dir_perms;
allow $1_vmware_t vmware_sys_conf_t:file r_file_perms;
allow $1_vmware_t vmware_sys_conf_t:lnk_file { getattr read };
# per-user pid / runtime files
allow $1_vmware_t $1_vmware_var_run_t:file manage_file_perms;
allow $1_vmware_t $1_vmware_var_run_t:sock_file manage_file_perms;
allow $1_vmware_t $1_vmware_var_run_t:lnk_file create_lnk_perms;
allow $1_vmware_t $1_vmware_var_run_t:dir manage_dir_perms;
files_pid_filetrans($1_vmware_t,$1_vmware_var_run_t,{ dir file lnk_file })
kernel_read_system_state($1_vmware_t)
kernel_read_network_state($1_vmware_t)
kernel_read_kernel_sysctls($1_vmware_t)
# startup scripts
corecmd_exec_bin($1_vmware_t)
corecmd_exec_shell($1_vmware_t)
# NOTE(review): by interface name, read and write access to raw memory
# devices; with sys_rawio above this gives the domain reach over the
# whole host, so the vmware_exec_t entrypoint label is the real boundary
dev_read_raw_memory($1_vmware_t)
dev_write_raw_memory($1_vmware_t)
dev_read_mouse($1_vmware_t)
dev_write_sound($1_vmware_t)
dev_read_realtime_clock($1_vmware_t)
dev_rwx_vmware($1_vmware_t)
dev_rw_usbfs($1_vmware_t)
dev_search_sysfs($1_vmware_t)
domain_use_interactive_fds($1_vmware_t)
files_read_etc_files($1_vmware_t)
files_read_etc_runtime_files($1_vmware_t)
files_read_usr_files($1_vmware_t)
files_list_home($1_vmware_t)
fs_getattr_xattr_fs($1_vmware_t)
fs_search_auto_mountpoints($1_vmware_t)
# raw access to removable block devices (by interface name)
storage_raw_read_removable_device($1_vmware_t)
storage_raw_write_removable_device($1_vmware_t)
libs_use_ld_so($1_vmware_t)
libs_use_shared_libs($1_vmware_t)
# startup scripts run ldd
libs_exec_ld_so($1_vmware_t)
# Access X11 config files
libs_read_lib_files($1_vmware_t)
miscfiles_read_localization($1_vmware_t)
userdom_use_user_terminals($1,$1_vmware_t)
userdom_use_unpriv_users_fds($1_vmware_t)
userdom_list_user_home_dirs($1,$1_vmware_t)
# cjp: why?
userdom_read_user_home_content_files($1,$1_vmware_t)
sysnet_dns_name_resolve($1_vmware_t)
sysnet_read_config($1_vmware_t)
# NOTE(review): unlike the tvtime template above, this call is not
# wrapped in optional_policy, so the template hard-requires the xserver
# module to be present.
xserver_user_client_template($1,$1_vmware_t,$1_vmware_tmpfs_t)
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `vmware_per_role_template'($*)) dnl
')
########################################
##
## Read VMWare system configuration files.
##
##
##
## Domain allowed access.
##
##
#
define(`vmware_read_system_config',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `vmware_read_system_config'($*)) dnl
gen_require(`
type vmware_sys_conf_t;
')
# file read only; no dir search on vmware_sys_conf_t is granted here,
# so callers need directory access from elsewhere to reach the files
allow $1 vmware_sys_conf_t:file { getattr read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `vmware_read_system_config'($*)) dnl
')
########################################
##
## Append to VMWare system configuration files.
##
##
##
## Domain allowed access.
##
##
#
define(`vmware_append_system_config',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `vmware_append_system_config'($*)) dnl
gen_require(`
type vmware_sys_conf_t;
')
# append only: $1 cannot read, truncate or overwrite the config files
allow $1 vmware_sys_conf_t:file append;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `vmware_append_system_config'($*)) dnl
')
## Web server log analysis
########################################
##
## Execute webalizer in the webalizer domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`webalizer_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `webalizer_domtrans'($*)) dnl
gen_require(`
type webalizer_t, webalizer_exec_t;
')
# standard domain transition: executing webalizer_exec_t from $1 enters
# webalizer_t; descriptors and pipes are shared with the caller and the
# new domain may send sigchld back to $1
domain_auto_trans($1,webalizer_exec_t,webalizer_t)
allow $1 webalizer_t:fd use;
allow webalizer_t $1:fd use;
allow webalizer_t $1:fifo_file rw_file_perms;
allow webalizer_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `webalizer_domtrans'($*)) dnl
')
########################################
##
## Execute webalizer in the webalizer domain, and
## allow the specified role the webalizer domain.
##
##
##
## The type of the process performing this action.
##
##
##
##
## The role to be allowed the webalizer domain.
##
##
##
##
## The type of the terminal the webalizer domain is allowed to use.
##
##
##
#
define(`webalizer_run',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `webalizer_run'($*)) dnl
gen_require(`
type webalizer_t;
')
# transition from $1, grant role $2 the domain, and let the domain use
# the terminal type $3
webalizer_domtrans($1)
role $2 types webalizer_t;
allow webalizer_t $3:chr_file rw_term_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `webalizer_run'($*)) dnl
')
## Wine Is Not an Emulator. Run Windows programs in Linux.
########################################
##
## Execute the wine program in the wine domain.
##
##
##
## Domain allowed access.
##
##
#
define(`wine_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `wine_domtrans'($*)) dnl
gen_require(`
type wine_t, wine_exec_t;
')
# bin directory search is needed to reach the executable
corecmd_search_bin($1)
# standard domain transition: executing wine_exec_t from $1 enters
# wine_t; descriptors and pipes are shared with the caller and the new
# domain may send sigchld back to $1
domain_auto_trans($1, wine_exec_t, wine_t)
allow $1 wine_t:fd use;
allow wine_t $1:fd use;
allow wine_t $1:fifo_file rw_file_perms;
allow wine_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `wine_domtrans'($*)) dnl
')
## Yum/Apt Mirroring
########################################
##
## Execute yam in the yam domain.
##
##
##
## Domain allowed access.
##
##
#
define(`yam_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `yam_domtrans'($*)) dnl
gen_require(`
type yam_t, yam_exec_t;
')
# sbin directory search is needed to reach the executable
corecmd_search_sbin($1)
# standard domain transition: executing yam_exec_t from $1 enters yam_t;
# descriptors and pipes are shared with the caller and the new domain
# may send sigchld back to $1
domain_auto_trans($1,yam_exec_t,yam_t)
allow $1 yam_t:fd use;
allow yam_t $1:fd use;
allow yam_t $1:fifo_file rw_file_perms;
allow yam_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `yam_domtrans'($*)) dnl
')
########################################
##
## Execute yam in the yam domain, and
## allow the specified role the yam domain.
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed the yam domain.
##
##
##
##
## The type of the terminal the yam domain is allowed to use.
##
##
##
#
define(`yam_run',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `yam_run'($*)) dnl
gen_require(`
type yam_t;
')
# transition from $1, grant role $2 the domain, and let the domain use
# the terminal type $3
yam_domtrans($1)
role $2 types yam_t;
allow yam_t $3:chr_file rw_term_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `yam_run'($*)) dnl
')
########################################
##
## Read yam content.
##
##
##
## Domain allowed access.
##
##
#
define(`yam_read_content',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `yam_read_content'($*)) dnl
gen_require(`
type yam_content_t;
')
# read-only access to yam content: list directories, read files and
# follow symlinks; no write or create permission is granted
allow $1 yam_content_t:dir list_dir_perms;
allow $1 yam_content_t:file read_file_perms;
allow $1 yam_content_t:lnk_file { getattr read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `yam_read_content'($*)) dnl
')
##
## Core policy for shells, and generic programs
## in /bin, /sbin, /usr/bin, and /usr/sbin.
##
##
## Contains the base bin and sbin directory types
## which need to be searched for the kernel to
## run init.
##
########################################
##
## Make the specified type usable for files
## that are executables, such as binary programs.
## This does not include shared libraries.
##
##
##
## Type to be used for files.
##
##
#
define(`corecmd_executable_file',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corecmd_executable_file'($*)) dnl
gen_require(`
attribute exec_type;
')
# tag $1 with the exec_type attribute so rules written against that
# attribute (elsewhere in the policy) apply to it, and register it as a
# regular file type
typeattribute $1 exec_type;
files_type($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corecmd_executable_file'($*)) dnl
')
########################################
##
## Create an aliased type to generic bin files.
##
##
##
## Create an aliased type to generic bin files.
##
##
## This is added to support targeted policy. Its
## use should be limited. It has no effect
## on the strict policy.
##
##
##
##
## Alias type for bin_t.
##
##
#
define(`corecmd_bin_alias',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corecmd_bin_alias'($*)) dnl
# Only the targeted policy gets the alias; a strict build emits a
# refpolicywarn at build time and produces no rules, so $1 is not a
# usable type there.
ifdef(`targeted_policy',`
gen_require(`
type bin_t;
')
typealias bin_t alias $1;
',`
refpolicywarn(`$0($*) has no effect in strict policy.')
')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corecmd_bin_alias'($*)) dnl
')
########################################
##
## Make general programs in bin an entrypoint for
## the specified domain.
##
##
##
## The domain for which bin_t is an entrypoint.
##
##
#
define(`corecmd_bin_entry_type',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corecmd_bin_entry_type'($*)) dnl
gen_require(`
type bin_t;
')
# any bin_t file becomes a valid entrypoint for $1; this only permits
# entry, the transition into $1 must still be granted by a separate rule
domain_entry_file($1,bin_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corecmd_bin_entry_type'($*)) dnl
')
########################################
##
## Make general programs in sbin an entrypoint for
## the specified domain.
##
##
##
## The domain for which sbin programs are an entrypoint.
##
##
#
define(`corecmd_sbin_entry_type',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corecmd_sbin_entry_type'($*)) dnl
gen_require(`
type sbin_t;
')
# domain_entry_file(domain, entry file type): any sbin_t file may serve as the
# program image that a process of the caller domain is entered through.
domain_entry_file($1,sbin_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corecmd_sbin_entry_type'($*)) dnl
')
########################################
##
## Make the shell an entrypoint for the specified domain.
##
##
##
## The domain for which the shell is an entrypoint.
##
##
#
define(`corecmd_shell_entry_type',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corecmd_shell_entry_type'($*)) dnl
gen_require(`
type shell_exec_t;
')
# domain_entry_file(domain, entry file type): a shell_exec_t file may serve as
# the program image that a process of the caller domain is entered through.
domain_entry_file($1,shell_exec_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corecmd_shell_entry_type'($*)) dnl
')
########################################
##
## Search the contents of bin directories.
##
##
##
## Domain allowed access.
##
##
#
define(`corecmd_search_bin',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corecmd_search_bin'($*)) dnl
gen_require(`
type bin_t;
')
# Directory traversal only (search_dir_perms); listing bin_t directories is a
# separate interface, corecmd_list_bin.
allow $1 bin_t:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corecmd_search_bin'($*)) dnl
')
########################################
##
## List the contents of bin directories.
##
##
##
## Domain allowed access.
##
##
#
define(`corecmd_list_bin',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corecmd_list_bin'($*)) dnl
gen_require(`
type bin_t;
')
# list_dir_perms on bin_t directories; no access to the files inside them.
allow $1 bin_t:dir list_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corecmd_list_bin'($*)) dnl
')
########################################
##
## Get the attributes of files in bin directories.
##
##
##
## Domain allowed access.
##
##
#
define(`corecmd_getattr_bin_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corecmd_getattr_bin_files'($*)) dnl
gen_require(`
type bin_t;
')
# getattr on bin_t files only. Unlike corecmd_read_bin_files, no directory
# search rule is included, so the caller needs search access from elsewhere
# to reach the files.
allow $1 bin_t:file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corecmd_getattr_bin_files'($*)) dnl
')
########################################
##
## Read files in bin directories.
##
##
##
## Domain allowed access.
##
##
#
define(`corecmd_read_bin_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corecmd_read_bin_files'($*)) dnl
gen_require(`
type bin_t;
')
# Search access on the directory is needed to reach the files; read only,
# no execute (see corecmd_exec_bin for that).
allow $1 bin_t:dir search_dir_perms;
allow $1 bin_t:file read_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corecmd_read_bin_files'($*)) dnl
')
########################################
##
## Read symbolic links in bin directories.
##
##
##
## Domain allowed access.
##
##
#
define(`corecmd_read_bin_symlinks',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corecmd_read_bin_symlinks'($*)) dnl
gen_require(`
type bin_t;
')
# Same shape as corecmd_read_bin_files, but for the lnk_file class: the
# caller can resolve symlinks in bin_t directories, not read regular files.
allow $1 bin_t:dir search_dir_perms;
allow $1 bin_t:lnk_file read_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corecmd_read_bin_symlinks'($*)) dnl
')
########################################
##
## Read pipes in bin directories.
##
##
##
## Domain allowed access.
##
##
#
define(`corecmd_read_bin_pipes',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corecmd_read_bin_pipes'($*)) dnl
gen_require(`
type bin_t;
')
# fifo_file class only: named pipes labelled bin_t, reached via dir search.
allow $1 bin_t:dir search_dir_perms;
allow $1 bin_t:fifo_file read_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corecmd_read_bin_pipes'($*)) dnl
')
########################################
##
## Read named sockets in bin directories.
##
##
##
## Domain allowed access.
##
##
#
define(`corecmd_read_bin_sockets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corecmd_read_bin_sockets'($*)) dnl
gen_require(`
type bin_t;
')
# sock_file class only: named sockets labelled bin_t, reached via dir search.
allow $1 bin_t:dir search_dir_perms;
allow $1 bin_t:sock_file read_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corecmd_read_bin_sockets'($*)) dnl
')
########################################
##
## Execute generic programs in bin directories,
## in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`corecmd_exec_bin',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corecmd_exec_bin'($*)) dnl
gen_require(`
type bin_t;
')
# Listing and symlink resolution so the program can be located, then
# can_exec: any bin_t file runs in the caller domain with no domain
# transition. This is the broad "run anything in bin" grant.
allow $1 bin_t:dir list_dir_perms;
allow $1 bin_t:lnk_file read_file_perms;
can_exec($1,bin_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corecmd_exec_bin'($*)) dnl
')
########################################
##
## Create, read, write, and delete bin files.
##
##
##
## Domain allowed access.
##
##
#
define(`corecmd_manage_bin_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corecmd_manage_bin_files'($*)) dnl
gen_require(`
type bin_t;
')
# Write access to bin_t directories plus create/read/write/delete on the
# files in them: a caller can add, replace or remove programs in bin
# directories, so this belongs only to domains that install software.
allow $1 bin_t:dir rw_dir_perms;
allow $1 bin_t:file manage_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corecmd_manage_bin_files'($*)) dnl
')
########################################
##
## Relabel to and from the bin type.
##
##
##
## Domain allowed access.
##
##
#
define(`corecmd_relabel_bin_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corecmd_relabel_bin_files'($*)) dnl
gen_require(`
type bin_t;
')
# relabelfrom/relabelto on regular files only; the dir rule is just search
# access to reach them. Directories and symlinks are not relabelable here.
allow $1 bin_t:dir search_dir_perms;
allow $1 bin_t:file { relabelfrom relabelto };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corecmd_relabel_bin_files'($*)) dnl
')
########################################
##
## Mmap a bin file as executable.
##
##
##
## Domain allowed access.
##
##
#
define(`corecmd_mmap_bin_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corecmd_mmap_bin_files'($*)) dnl
gen_require(`
type bin_t;
')
# Only { getattr read execute } on the file, deliberately narrower than the
# can_exec used by corecmd_exec_bin: enough to map a bin_t file executable.
allow $1 bin_t:dir search_dir_perms;
allow $1 bin_t:file { getattr read execute };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corecmd_mmap_bin_files'($*)) dnl
')
########################################
##
## Execute a file in a bin directory
## in the specified domain but do not
## do it automatically. This is an explicit
## transition, requiring the caller to use setexeccon().
##
##
##
## Execute a file in a bin directory
## in the specified domain. This allows
## the specified domain to execute any file
## on these filesystems in the specified
## domain. This is not suggested.
##
##
## No interprocess communication (signals, pipes,
## etc.) is provided by this interface since
## the domains are not owned by this module.
##
##
## This interface was added to handle
## the userhelper policy.
##
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the new process.
##
##
#
define(`corecmd_bin_spec_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corecmd_bin_spec_domtrans'($*)) dnl
gen_require(`
type bin_t;
')
# Explicit transition: domain_trans (not domain_auto_trans) permits the
# caller to enter the target domain through a bin_t file only when it asks
# for it via setexeccon(); nothing transitions on its own. Note the symlink
# rule is the narrower { getattr read } rather than read_file_perms.
allow $1 bin_t:dir search_dir_perms;
allow $1 bin_t:lnk_file { getattr read };
domain_trans($1,bin_t,$2)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corecmd_bin_spec_domtrans'($*)) dnl
')
########################################
##
## Execute a file in a bin directory
## in the specified domain.
##
##
##
## Execute a file in a bin directory
## in the specified domain. This allows
## the specified domain to execute any file
## on these filesystems in the specified
## domain. This is not suggested.
##
##
## No interprocess communication (signals, pipes,
## etc.) is provided by this interface since
## the domains are not owned by this module.
##
##
## This interface was added to handle
## the ssh-agent policy.
##
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the new process.
##
##
#
define(`corecmd_bin_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corecmd_bin_domtrans'($*)) dnl
gen_require(`
type bin_t;
')
# Reuse the explicit-transition rules, then add the type_transition that
# makes the switch automatic: every execution of any bin_t file by the
# caller lands in the target domain, which is why the header calls this
# out as not suggested.
corecmd_bin_spec_domtrans($1,$2)
type_transition $1 bin_t:process $2;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corecmd_bin_domtrans'($*)) dnl
')
########################################
##
## Search the contents of sbin directories.
##
##
##
## Domain allowed access.
##
##
#
define(`corecmd_search_sbin',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corecmd_search_sbin'($*)) dnl
gen_require(`
type sbin_t;
')
# Directory traversal only (search_dir_perms); listing is corecmd_list_sbin.
allow $1 sbin_t:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corecmd_search_sbin'($*)) dnl
')
########################################
##
## Do not audit attempts to search
## sbin directories.
##
##
##
## Domain to not audit.
##
##
#
define(`corecmd_dontaudit_search_sbin',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corecmd_dontaudit_search_sbin'($*)) dnl
gen_require(`
type sbin_t;
')
# Grants nothing: only suppresses the AVC denial record when the caller
# tries to search sbin_t directories and is refused.
dontaudit $1 sbin_t:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corecmd_dontaudit_search_sbin'($*)) dnl
')
########################################
##
## Do not audit attempts to write
## sbin directories.
##
##
##
## Domain to not audit.
##
##
#
define(`corecmd_dontaudit_write_sbin',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corecmd_dontaudit_write_sbin'($*)) dnl
gen_require(`
type sbin_t;
')
# Grants nothing: suppresses the denial record for the single dir write
# permission. Writes to sbin directories stay denied and are simply not
# logged for this caller, so use it only where the noise is known to be
# harmless.
dontaudit $1 sbin_t:dir write;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corecmd_dontaudit_write_sbin'($*)) dnl
')
########################################
##
## List the contents of sbin directories.
##
##
##
## Domain allowed access.
##
##
#
define(`corecmd_list_sbin',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corecmd_list_sbin'($*)) dnl
gen_require(`
type sbin_t;
')
# list_dir_perms on sbin_t directories; no access to the files inside them.
allow $1 sbin_t:dir list_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corecmd_list_sbin'($*)) dnl
')
########################################
##
## Get the attributes of sbin files.
##
##
##
## Domain allowed access.
##
##
#
define(`corecmd_getattr_sbin_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corecmd_getattr_sbin_files'($*)) dnl
gen_require(`
type sbin_t;
')
# getattr on sbin_t files only; no directory search rule is included, so the
# caller needs search access to sbin_t directories from elsewhere.
allow $1 sbin_t:file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corecmd_getattr_sbin_files'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of sbin files.
##
##
##
## Domain to not audit.
##
##
#
define(`corecmd_dontaudit_getattr_sbin_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corecmd_dontaudit_getattr_sbin_files'($*)) dnl
gen_require(`
type sbin_t;
')
# Grants nothing: suppresses the denial record for getattr on sbin_t files.
dontaudit $1 sbin_t:file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corecmd_dontaudit_getattr_sbin_files'($*)) dnl
')
########################################
##
## Read files in sbin directories.
##
##
##
## Domain allowed access.
##
##
#
define(`corecmd_read_sbin_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corecmd_read_sbin_files'($*)) dnl
gen_require(`
type sbin_t;
')
# Search access on the directory is needed to reach the files; read only,
# no execute (see corecmd_exec_sbin for that).
allow $1 sbin_t:dir search_dir_perms;
allow $1 sbin_t:file read_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corecmd_read_sbin_files'($*)) dnl
')
########################################
##
## Read symbolic links in sbin directories.
##
##
##
## Domain allowed access.
##
##
#
define(`corecmd_read_sbin_symlinks',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corecmd_read_sbin_symlinks'($*)) dnl
gen_require(`
type sbin_t;
')
# lnk_file class only: resolve symlinks in sbin_t directories, reached via
# dir search; regular files are not readable through this interface.
allow $1 sbin_t:dir search_dir_perms;
allow $1 sbin_t:lnk_file read_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corecmd_read_sbin_symlinks'($*)) dnl
')
########################################
##
## Read named pipes in sbin directories.
##
##
##
## Domain allowed access.
##
##
#
define(`corecmd_read_sbin_pipes',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corecmd_read_sbin_pipes'($*)) dnl
gen_require(`
type sbin_t;
')
# fifo_file class only: named pipes labelled sbin_t, reached via dir search.
allow $1 sbin_t:dir search_dir_perms;
allow $1 sbin_t:fifo_file read_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corecmd_read_sbin_pipes'($*)) dnl
')
########################################
##
## Read named sockets in sbin directories.
##
##
##
## Domain allowed access.
##
##
#
define(`corecmd_read_sbin_sockets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corecmd_read_sbin_sockets'($*)) dnl
gen_require(`
type sbin_t;
')
# sock_file class only: named sockets labelled sbin_t, reached via dir search.
allow $1 sbin_t:dir search_dir_perms;
allow $1 sbin_t:sock_file read_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corecmd_read_sbin_sockets'($*)) dnl
')
########################################
##
## Execute generic programs in sbin directories,
## in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`corecmd_exec_sbin',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corecmd_exec_sbin'($*)) dnl
gen_require(`
type sbin_t;
')
# Listing and symlink resolution so the program can be located, then
# can_exec: any sbin_t file runs in the caller domain with no domain
# transition. Mirrors corecmd_exec_bin.
allow $1 sbin_t:dir list_dir_perms;
allow $1 sbin_t:lnk_file read_file_perms;
can_exec($1,sbin_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corecmd_exec_sbin'($*)) dnl
')
########################################
##
## Create, read, write, and delete sbin files.
##
##
##
## Domain allowed access.
##
##
#
# cjp: added for prelink
define(`corecmd_manage_sbin_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corecmd_manage_sbin_files'($*)) dnl
gen_require(`
type sbin_t;
')
# Write access to sbin_t directories plus create/read/write/delete on the
# files in them: a caller can add, replace or remove programs in sbin
# directories. Mirrors corecmd_manage_bin_files.
allow $1 sbin_t:dir rw_dir_perms;
allow $1 sbin_t:file manage_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corecmd_manage_sbin_files'($*)) dnl
')
########################################
##
## Relabel to and from the sbin type.
##
##
##
## Domain allowed access.
##
##
#
# cjp: added for prelink
define(`corecmd_relabel_sbin_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corecmd_relabel_sbin_files'($*)) dnl
gen_require(`
type sbin_t;
')
# relabelfrom/relabelto on regular files only; the dir rule is just search
# access to reach them. Mirrors corecmd_relabel_bin_files.
allow $1 sbin_t:dir search_dir_perms;
allow $1 sbin_t:file { relabelfrom relabelto };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corecmd_relabel_sbin_files'($*)) dnl
')
########################################
##
## Mmap a sbin file as executable.
##
##
##
## Domain allowed access.
##
##
#
# cjp: added for prelink
define(`corecmd_mmap_sbin_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corecmd_mmap_sbin_files'($*)) dnl
gen_require(`
type sbin_t;
')
# Only { getattr read execute } on the file, narrower than the can_exec used
# by corecmd_exec_sbin: enough to map an sbin_t file executable.
allow $1 sbin_t:dir search_dir_perms;
allow $1 sbin_t:file { getattr read execute };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corecmd_mmap_sbin_files'($*)) dnl
')
########################################
##
## Execute a file in a sbin directory
## in the specified domain.
##
##
##
## Execute a file in a sbin directory
## in the specified domain. This allows
## the specified domain to execute any file
## on these filesystems in the specified
## domain. This is not suggested.
##
##
## No interprocess communication (signals, pipes,
## etc.) is provided by this interface since
## the domains are not owned by this module.
##
##
## This interface was added to handle
## the ssh-agent policy.
##
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the new process.
##
##
#
define(`corecmd_sbin_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corecmd_sbin_domtrans'($*)) dnl
gen_require(`
type sbin_t;
')
# Automatic transition into the target domain on execution of any sbin_t
# file. Note this is written differently from corecmd_bin_domtrans, which
# composes corecmd_bin_spec_domtrans with an explicit type_transition;
# here domain_auto_trans is used directly. Presumably the resulting rules
# are equivalent, but the two should be kept in step when either changes.
allow $1 sbin_t:dir search_dir_perms;
allow $1 sbin_t:lnk_file { getattr read };
domain_auto_trans($1,sbin_t,$2)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corecmd_sbin_domtrans'($*)) dnl
')
########################################
##
## Execute a file in a sbin directory
## in the specified domain but do not
## do it automatically. This is an explicit
## transition, requiring the caller to use setexeccon().
##
##
##
## Execute a file in a sbin directory
## in the specified domain. This allows
## the specified domain to execute any file
## on these filesystems in the specified
## domain. This is not suggested.
##
##
## No interprocess communication (signals, pipes,
## etc.) is provided by this interface since
## the domains are not owned by this module.
##
##
## This interface was added to handle
## the userhelper policy.
##
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the new process.
##
##
#
define(`corecmd_sbin_spec_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corecmd_sbin_spec_domtrans'($*)) dnl
gen_require(`
type sbin_t;
')
# Explicit transition: domain_trans (not domain_auto_trans) permits the
# caller to enter the target domain through an sbin_t file only when it
# asks for it via setexeccon(); nothing transitions on its own.
allow $1 sbin_t:dir search_dir_perms;
allow $1 sbin_t:lnk_file { getattr read };
domain_trans($1,sbin_t,$2)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corecmd_sbin_spec_domtrans'($*)) dnl
')
########################################
##
## Check if a shell is executable (DAC-wise).
##
##
##
## Domain allowed access.
##
##
#
define(`corecmd_check_exec_shell',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corecmd_check_exec_shell'($*)) dnl
gen_require(`
type bin_t, shell_exec_t;
')
# Only the bare file execute permission on shell_exec_t, no can_exec: this
# is enough for a program to test whether the shell is executable, but not
# to actually run it (compare corecmd_exec_shell). bin_t dir/symlink access
# is included so the shell can be located.
allow $1 bin_t:dir list_dir_perms;
allow $1 bin_t:lnk_file read_file_perms;
allow $1 shell_exec_t:file execute;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corecmd_check_exec_shell'($*)) dnl
')
########################################
##
## Execute a shell in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`corecmd_exec_shell',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corecmd_exec_shell'($*)) dnl
gen_require(`
type bin_t, shell_exec_t;
')
# Run shell_exec_t in the caller domain (no transition). bin_t listing and
# symlink access are included, presumably because the shell is reached
# through a bin directory.
allow $1 bin_t:dir list_dir_perms;
allow $1 bin_t:lnk_file read_file_perms;
can_exec($1,shell_exec_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corecmd_exec_shell'($*)) dnl
')
########################################
##
## Execute ls in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`corecmd_exec_ls',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corecmd_exec_ls'($*)) dnl
gen_require(`
type bin_t, ls_exec_t;
')
# Run ls_exec_t in the caller domain (no transition); same shape as
# corecmd_exec_shell, with bin_t access to locate the program.
allow $1 bin_t:dir list_dir_perms;
allow $1 bin_t:lnk_file read_file_perms;
can_exec($1,ls_exec_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corecmd_exec_ls'($*)) dnl
')
########################################
##
## Execute a shell in the target domain. This
## is an explicit transition, requiring the
## caller to use setexeccon().
##
##
##
## Execute a shell in the target domain. This
## is an explicit transition, requiring the
## caller to use setexeccon().
##
##
## No interprocess communication (signals, pipes,
## etc.) is provided by this interface since
## the domains are not owned by this module.
##
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the shell process.
##
##
#
define(`corecmd_shell_spec_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corecmd_shell_spec_domtrans'($*)) dnl
gen_require(`
type bin_t, shell_exec_t;
')
# Explicit transition: domain_trans permits the caller to enter the target
# domain through shell_exec_t only when it asks via setexeccon(). Unlike the
# bin/sbin spec_domtrans interfaces, the bin_t rules here are the wider
# list_dir_perms / read_file_perms.
allow $1 bin_t:dir list_dir_perms;
allow $1 bin_t:lnk_file read_file_perms;
domain_trans($1,shell_exec_t,$2)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corecmd_shell_spec_domtrans'($*)) dnl
')
########################################
##
## Execute a shell in the specified domain.
##
##
##
## Execute a shell in the specified domain.
##
##
## No interprocess communication (signals, pipes,
## etc.) is provided by this interface since
## the domains are not owned by this module.
##
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the shell process.
##
##
#
define(`corecmd_shell_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corecmd_shell_domtrans'($*)) dnl
gen_require(`
type shell_exec_t;
')
# Reuse the explicit-transition rules, then add the type_transition that
# makes the switch automatic whenever the caller executes shell_exec_t.
# Same composition pattern as corecmd_bin_domtrans.
corecmd_shell_spec_domtrans($1,$2)
type_transition $1 shell_exec_t:process $2;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corecmd_shell_domtrans'($*)) dnl
')
########################################
##
## Execute chroot in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`corecmd_exec_chroot',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corecmd_exec_chroot'($*)) dnl
gen_require(`
type chroot_exec_t;
')
# Besides running chroot_exec_t in the caller domain, this grants the
# caller the sys_chroot capability on itself. That is a process capability,
# not file access, and is the reason this interface is more than a plain
# exec grant; callers of corecmd_exec_all_executables in strict policy
# receive it too.
can_exec($1,chroot_exec_t)
allow $1 self:capability sys_chroot;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corecmd_exec_chroot'($*)) dnl
')
########################################
##
## Execute all executable files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corecmd_exec_all_executables',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corecmd_exec_all_executables'($*)) dnl
gen_require(`
attribute exec_type;
type bin_t, sbin_t;
')
ifdef(`targeted_policy',`
# Targeted: a single can_exec over the exec_type attribute covers every
# type that was registered through corecmd_executable_file.
can_exec($1,exec_type)
', `
# Strict: execute access is spelled out per type instead of over the
# attribute, so types registered via corecmd_executable_file but not listed
# below are not executable through this interface.
# Need this dontaudit or command completion fires hundreds of avcs
dontaudit $1 exec_type:file execute;
corecmd_exec_bin($1)
corecmd_exec_sbin($1)
corecmd_exec_shell($1)
corecmd_exec_ls($1)
# corecmd_exec_chroot also grants the sys_chroot capability to the caller.
corecmd_exec_chroot($1)
')
# Common to both branches: user executables plus lookup in bin/sbin dirs.
userdom_exec($1)
allow $1 { bin_t sbin_t }:dir list_dir_perms;
allow $1 { bin_t sbin_t }:lnk_file read_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corecmd_exec_all_executables'($*)) dnl
')
########################################
##
## Create, read, write, and delete all executable files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corecmd_manage_all_executables',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corecmd_manage_all_executables'($*)) dnl
gen_require(`
attribute exec_type;
type bin_t, sbin_t;
')
# Full management of every exec_type file, write access to bin_t/sbin_t
# directories and symlink creation there; user executables are delegated to
# userdom_manage_user_executables. This is the broadest write grant in the
# module and lets the caller replace any registered executable.
userdom_manage_user_executables($1)
allow $1 exec_type:file manage_file_perms;
allow $1 { bin_t sbin_t }:dir rw_dir_perms;
allow $1 { bin_t sbin_t }:lnk_file create_lnk_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corecmd_manage_all_executables'($*)) dnl
')
########################################
##
## Relabel to and from the bin type.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corecmd_relabel_all_executables',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corecmd_relabel_all_executables'($*)) dnl
gen_require(`
attribute exec_type;
')
# The header above says "the bin type", but the rule is over the exec_type
# attribute, i.e. every registered executable type, with user executables
# handled by userdom_relabel_all_executables. No directory search access is
# included here, unlike corecmd_relabel_bin_files.
allow $1 exec_type:file { relabelfrom relabelto };
userdom_relabel_all_executables($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corecmd_relabel_all_executables'($*)) dnl
')
########################################
##
## Mmap all executables as executable.
##
##
##
## Domain allowed access.
##
##
#
define(`corecmd_mmap_all_executables',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corecmd_mmap_all_executables'($*)) dnl
gen_require(`
attribute exec_type;
')
# { getattr read execute } on every exec_type file (no can_exec), plus the
# userdom counterpart for user executables. No directory access is included.
allow $1 exec_type:file { getattr read execute };
userdom_mmap_all_executables($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corecmd_mmap_all_executables'($*)) dnl
')
########################################
##
## Get the attributes of all executable files.
##
##
##
## Domain allowed access.
##
##
#
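define(`corecmd_getattr_all_executables',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corecmd_getattr_all_executables'($*)) dnl
gen_require(`
attribute exec_type;
type bin_t;
')
# bin_t is referenced below, so it must be required alongside exec_type,
# as every other interface in this file that names bin_t does; otherwise
# the reference is unresolved when this expands inside a loadable module.
allow $1 bin_t:dir list_dir_perms;
# getattr_files_pattern(domain, container dir type, file type): getattr on
# exec_type files reached through bin_t directories.
getattr_files_pattern($1,bin_t,exec_type)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corecmd_getattr_all_executables'($*)) dnl
')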
########################################
##
## Do not audit attempts to check execute privileges on all executables.
##
##
##
## Domain to not audit.
##
##
#
define(`corecmd_dontaudit_exec_all_executables',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corecmd_dontaudit_exec_all_executables'($*)) dnl
gen_require(`
attribute exec_type;
')
# Grants nothing: suppresses the denial record for execute checks on every
# exec_type file. The strict branch of corecmd_exec_all_executables emits
# the same rule inline.
dontaudit $1 exec_type:file execute;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corecmd_dontaudit_exec_all_executables'($*)) dnl
')
#
# This is a generated file! Instead of modifying this file, the
# corenetwork.if.in or corenetwork.if.m4 file should be modified.
#
## Policy controlling access to network objects
##
## Contains the initial SIDs for network objects.
##
########################################
##
## Send and receive TCP network traffic on the generic interfaces.
##
##
##
## The type of the process performing this action.
##
##
##
#
define(`corenet_tcp_sendrecv_generic_if',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_generic_if'($*)) dnl
gen_require(`
type netif_t;
')
# Both directions of TCP on the generic interface type netif_t. Interfaces
# labelled with a more specific type are not covered by this rule.
allow $1 netif_t:netif { tcp_send tcp_recv };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_generic_if'($*)) dnl
')
########################################
##
## Send UDP network traffic on generic interfaces.
##
##
##
## The type of the process performing this action.
##
##
#
define(`corenet_udp_send_generic_if',` dnl
dnl Purpose: allow arg 1 udp_send on the generic interface type netif_t
dnl only (send direction; receive is a separate interface).
dnl The policy_temp / policy_call_depth lines only track nesting depth for
dnl the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_generic_if'($*)) dnl
gen_require(`
type netif_t;
')
allow $1 netif_t:netif udp_send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_generic_if'($*)) dnl
')
########################################
##
## Dontaudit attempts to send UDP network traffic
## on generic interfaces.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_udp_send_generic_if',` dnl
dnl Purpose: silence audit records for udp_send by arg 1 on netif_t.
dnl Grants nothing; the denial still happens, it is just not logged.
dnl The policy_temp / policy_call_depth lines only track nesting depth for
dnl the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_generic_if'($*)) dnl
gen_require(`
type netif_t;
')
dontaudit $1 netif_t:netif udp_send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_generic_if'($*)) dnl
')
########################################
##
## Receive UDP network traffic on generic interfaces.
##
##
##
## The type of the process performing this action.
##
##
#
define(`corenet_udp_receive_generic_if',` dnl
dnl Purpose: allow arg 1 udp_recv on the generic interface type netif_t
dnl only (receive direction; send is a separate interface).
dnl The policy_temp / policy_call_depth lines only track nesting depth for
dnl the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_generic_if'($*)) dnl
gen_require(`
type netif_t;
')
allow $1 netif_t:netif udp_recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_generic_if'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP network
## traffic on generic interfaces.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_udp_receive_generic_if',` dnl
dnl Purpose: silence audit records for udp_recv by arg 1 on netif_t.
dnl Grants nothing; the denial still happens, it is just not logged.
dnl The policy_temp / policy_call_depth lines only track nesting depth for
dnl the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_generic_if'($*)) dnl
gen_require(`
type netif_t;
')
dontaudit $1 netif_t:netif udp_recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_generic_if'($*)) dnl
')
########################################
##
## Send and Receive UDP network traffic on generic interfaces.
##
##
##
## The type of the process performing this action.
##
##
#
define(`corenet_udp_sendrecv_generic_if',` dnl
dnl Purpose: composite of corenet_udp_send_generic_if and
dnl corenet_udp_receive_generic_if for arg 1. Each callee carries its own
dnl gen_require for netif_t, so none is needed here.
dnl The policy_temp / policy_call_depth lines only track nesting depth for
dnl the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_generic_if'($*)) dnl
corenet_udp_send_generic_if($1)
corenet_udp_receive_generic_if($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_generic_if'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive UDP network
## traffic on generic interfaces.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_udp_sendrecv_generic_if',` dnl
dnl Purpose: composite dontaudit for both UDP directions on netif_t,
dnl delegating to the single-direction dontaudit interfaces. Grants
dnl nothing; only suppresses audit records.
dnl The policy_temp / policy_call_depth lines only track nesting depth for
dnl the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_generic_if'($*)) dnl
corenet_dontaudit_udp_send_generic_if($1)
corenet_dontaudit_udp_receive_generic_if($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_generic_if'($*)) dnl
')
########################################
##
## Send raw IP packets on generic interfaces.
##
##
##
## The type of the process performing this action.
##
##
#
define(`corenet_raw_send_generic_if',` dnl
dnl Purpose: allow arg 1 rawip_send on the generic interface type netif_t.
dnl Raw IP send is a broader capability than TCP/UDP send, so callers
dnl should be domains that genuinely craft raw packets.
dnl The policy_temp / policy_call_depth lines only track nesting depth for
dnl the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_send_generic_if'($*)) dnl
gen_require(`
type netif_t;
')
allow $1 netif_t:netif rawip_send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_send_generic_if'($*)) dnl
')
########################################
##
## Receive raw IP packets on generic interfaces.
##
##
##
## The type of the process performing this action.
##
##
#
define(`corenet_raw_receive_generic_if',` dnl
dnl Purpose: allow arg 1 rawip_recv on the generic interface type netif_t
dnl (receive direction only).
dnl The policy_temp / policy_call_depth lines only track nesting depth for
dnl the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_receive_generic_if'($*)) dnl
gen_require(`
type netif_t;
')
allow $1 netif_t:netif rawip_recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_receive_generic_if'($*)) dnl
')
########################################
##
## Send and receive raw IP packets on generic interfaces.
##
##
##
## The type of the process performing this action.
##
##
#
define(`corenet_raw_sendrecv_generic_if',` dnl
dnl Purpose: composite of corenet_raw_send_generic_if and
dnl corenet_raw_receive_generic_if for arg 1; callees do their own
dnl gen_require.
dnl The policy_temp / policy_call_depth lines only track nesting depth for
dnl the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_sendrecv_generic_if'($*)) dnl
corenet_raw_send_generic_if($1)
corenet_raw_receive_generic_if($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_sendrecv_generic_if'($*)) dnl
')
########################################
##
## Send and receive TCP network traffic on all interfaces.
##
##
##
## The type of the process performing this action.
##
##
#
define(`corenet_tcp_sendrecv_all_if',` dnl
dnl Purpose: allow arg 1 tcp_send and tcp_recv on every type carrying the
dnl netif_type attribute. This is the attribute, not the single netif_t
dnl type, so it is much broader than the _generic_if variant; prefer the
dnl narrower interface unless the domain really needs all interfaces.
dnl The policy_temp / policy_call_depth lines only track nesting depth for
dnl the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_all_if'($*)) dnl
gen_require(`
attribute netif_type;
')
allow $1 netif_type:netif { tcp_send tcp_recv };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_all_if'($*)) dnl
')
########################################
##
## Send UDP network traffic on all interfaces.
##
##
##
## The type of the process performing this action.
##
##
#
define(`corenet_udp_send_all_if',` dnl
dnl Purpose: allow arg 1 udp_send on every type carrying the netif_type
dnl attribute (all interfaces, not just the generic netif_t).
dnl The policy_temp / policy_call_depth lines only track nesting depth for
dnl the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_all_if'($*)) dnl
gen_require(`
attribute netif_type;
')
allow $1 netif_type:netif udp_send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_all_if'($*)) dnl
')
########################################
##
## Receive UDP network traffic on all interfaces.
##
##
##
## The type of the process performing this action.
##
##
#
define(`corenet_udp_receive_all_if',` dnl
dnl Purpose: allow arg 1 udp_recv on every type carrying the netif_type
dnl attribute (all interfaces, not just the generic netif_t).
dnl The policy_temp / policy_call_depth lines only track nesting depth for
dnl the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_all_if'($*)) dnl
gen_require(`
attribute netif_type;
')
allow $1 netif_type:netif udp_recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_all_if'($*)) dnl
')
########################################
##
## Send and receive UDP network traffic on all interfaces.
##
##
##
## The type of the process performing this action.
##
##
#
define(`corenet_udp_sendrecv_all_if',` dnl
dnl Purpose: composite of corenet_udp_send_all_if and
dnl corenet_udp_receive_all_if for arg 1; both operate on the netif_type
dnl attribute, i.e. all interfaces.
dnl The policy_temp / policy_call_depth lines only track nesting depth for
dnl the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_all_if'($*)) dnl
corenet_udp_send_all_if($1)
corenet_udp_receive_all_if($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_all_if'($*)) dnl
')
########################################
##
## Send raw IP packets on all interfaces.
##
##
##
## The type of the process performing this action.
##
##
#
define(`corenet_raw_send_all_if',` dnl
dnl Purpose: allow arg 1 rawip_send on every type carrying the netif_type
dnl attribute. Raw send on all interfaces is a wide grant; reserve for
dnl domains that must craft raw packets on arbitrary interfaces.
dnl The policy_temp / policy_call_depth lines only track nesting depth for
dnl the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_send_all_if'($*)) dnl
gen_require(`
attribute netif_type;
')
allow $1 netif_type:netif rawip_send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_send_all_if'($*)) dnl
')
########################################
##
## Receive raw IP packets on all interfaces.
##
##
##
## The type of the process performing this action.
##
##
#
define(`corenet_raw_receive_all_if',` dnl
dnl Purpose: allow arg 1 rawip_recv on every type carrying the netif_type
dnl attribute (all interfaces).
dnl The policy_temp / policy_call_depth lines only track nesting depth for
dnl the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_receive_all_if'($*)) dnl
gen_require(`
attribute netif_type;
')
allow $1 netif_type:netif rawip_recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_receive_all_if'($*)) dnl
')
########################################
##
## Send and receive raw IP packets on all interfaces.
##
##
##
## The type of the process performing this action.
##
##
#
define(`corenet_raw_sendrecv_all_if',` dnl
dnl Purpose: composite of corenet_raw_send_all_if and
dnl corenet_raw_receive_all_if for arg 1 (netif_type attribute, all
dnl interfaces, both directions).
dnl The policy_temp / policy_call_depth lines only track nesting depth for
dnl the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_sendrecv_all_if'($*)) dnl
corenet_raw_send_all_if($1)
corenet_raw_receive_all_if($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_sendrecv_all_if'($*)) dnl
')
########################################
##
## Send and receive TCP network traffic on generic nodes.
##
##
##
## The type of the process performing this action.
##
##
#
define(`corenet_tcp_sendrecv_generic_node',` dnl
dnl Purpose: allow arg 1 tcp_send and tcp_recv on the single generic node
dnl type node_t (the node class covers addresses, not interfaces or
dnl ports; those are separate checks). Nodes labeled with other node_type
dnl types are not covered; see corenet_tcp_sendrecv_all_nodes.
dnl The policy_temp / policy_call_depth lines only track nesting depth for
dnl the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_generic_node'($*)) dnl
gen_require(`
type node_t;
')
allow $1 node_t:node { tcp_send tcp_recv };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_generic_node'($*)) dnl
')
########################################
##
## Send UDP network traffic on generic nodes.
##
##
##
## The type of the process performing this action.
##
##
#
define(`corenet_udp_send_generic_node',` dnl
dnl Purpose: allow arg 1 udp_send on the generic node type node_t only.
dnl The policy_temp / policy_call_depth lines only track nesting depth for
dnl the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_generic_node'($*)) dnl
gen_require(`
type node_t;
')
allow $1 node_t:node udp_send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_generic_node'($*)) dnl
')
########################################
##
## Receive UDP network traffic on generic nodes.
##
##
##
## The type of the process performing this action.
##
##
#
define(`corenet_udp_receive_generic_node',` dnl
dnl Purpose: allow arg 1 udp_recv on the generic node type node_t only.
dnl The policy_temp / policy_call_depth lines only track nesting depth for
dnl the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_generic_node'($*)) dnl
gen_require(`
type node_t;
')
allow $1 node_t:node udp_recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_generic_node'($*)) dnl
')
########################################
##
## Send and receive UDP network traffic on generic nodes.
##
##
##
## The type of the process performing this action.
##
##
#
define(`corenet_udp_sendrecv_generic_node',` dnl
dnl Purpose: composite of corenet_udp_send_generic_node and
dnl corenet_udp_receive_generic_node for arg 1; callees do their own
dnl gen_require for node_t.
dnl The policy_temp / policy_call_depth lines only track nesting depth for
dnl the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_generic_node'($*)) dnl
corenet_udp_send_generic_node($1)
corenet_udp_receive_generic_node($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_generic_node'($*)) dnl
')
########################################
##
## Send raw IP packets on generic nodes.
##
##
##
## The type of the process performing this action.
##
##
#
define(`corenet_raw_send_generic_node',` dnl
dnl Purpose: allow arg 1 rawip_send on the generic node type node_t only.
dnl The policy_temp / policy_call_depth lines only track nesting depth for
dnl the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_send_generic_node'($*)) dnl
gen_require(`
type node_t;
')
allow $1 node_t:node rawip_send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_send_generic_node'($*)) dnl
')
########################################
##
## Receive raw IP packets on generic nodes.
##
##
##
## The type of the process performing this action.
##
##
#
define(`corenet_raw_receive_generic_node',` dnl
dnl Purpose: allow arg 1 rawip_recv on the generic node type node_t only.
dnl The policy_temp / policy_call_depth lines only track nesting depth for
dnl the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_receive_generic_node'($*)) dnl
gen_require(`
type node_t;
')
allow $1 node_t:node rawip_recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_receive_generic_node'($*)) dnl
')
########################################
##
## Send and receive raw IP packets on generic nodes.
##
##
##
## The type of the process performing this action.
##
##
#
define(`corenet_raw_sendrecv_generic_node',` dnl
dnl Purpose: composite of corenet_raw_send_generic_node and
dnl corenet_raw_receive_generic_node for arg 1; callees do their own
dnl gen_require for node_t.
dnl The policy_temp / policy_call_depth lines only track nesting depth for
dnl the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_sendrecv_generic_node'($*)) dnl
corenet_raw_send_generic_node($1)
corenet_raw_receive_generic_node($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_sendrecv_generic_node'($*)) dnl
')
########################################
##
## Bind TCP sockets to generic nodes.
##
##
##
## The type of the process performing this action.
##
##
#
define(`corenet_tcp_bind_generic_node',` dnl
dnl Purpose: allow arg 1 node_bind for tcp_socket on the generic node type
dnl node_t. This is only the node (address) half of a bind; the port half
dnl is the separate name_bind permission on a port type.
dnl The policy_temp / policy_call_depth lines only track nesting depth for
dnl the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_generic_node'($*)) dnl
gen_require(`
type node_t;
')
allow $1 node_t:tcp_socket node_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_generic_node'($*)) dnl
')
########################################
##
## Bind UDP sockets to generic nodes.
##
##
##
## The type of the process performing this action.
##
##
#
define(`corenet_udp_bind_generic_node',` dnl
dnl Purpose: allow arg 1 node_bind for udp_socket on the generic node type
dnl node_t. Node half of a bind only; port name_bind is separate.
dnl The policy_temp / policy_call_depth lines only track nesting depth for
dnl the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_generic_node'($*)) dnl
gen_require(`
type node_t;
')
allow $1 node_t:udp_socket node_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_generic_node'($*)) dnl
')
########################################
##
## Send and receive TCP network traffic on all nodes.
##
##
##
## The type of the process performing this action.
##
##
#
define(`corenet_tcp_sendrecv_all_nodes',` dnl
dnl Purpose: allow arg 1 tcp_send and tcp_recv on every type carrying the
dnl node_type attribute. Attribute, not the single node_t type, so this
dnl is much broader than the _generic_node variant.
dnl The policy_temp / policy_call_depth lines only track nesting depth for
dnl the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_all_nodes'($*)) dnl
gen_require(`
attribute node_type;
')
allow $1 node_type:node { tcp_send tcp_recv };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_all_nodes'($*)) dnl
')
########################################
##
## Send UDP network traffic on all nodes.
##
##
##
## The type of the process performing this action.
##
##
#
define(`corenet_udp_send_all_nodes',` dnl
dnl Purpose: allow arg 1 udp_send on every type carrying the node_type
dnl attribute (all nodes, not just generic node_t).
dnl The policy_temp / policy_call_depth lines only track nesting depth for
dnl the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_all_nodes'($*)) dnl
gen_require(`
attribute node_type;
')
allow $1 node_type:node udp_send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_all_nodes'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP network
## traffic on any nodes.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_udp_send_all_nodes',` dnl
dnl Purpose: silence audit records for udp_send by arg 1 on any node_type
dnl type. Grants nothing; note the wide scope means denials on every node
dnl label disappear from the audit log for this domain.
dnl The policy_temp / policy_call_depth lines only track nesting depth for
dnl the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_all_nodes'($*)) dnl
gen_require(`
attribute node_type;
')
dontaudit $1 node_type:node udp_send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_all_nodes'($*)) dnl
')
########################################
##
## Receive UDP network traffic on all nodes.
##
##
##
## The type of the process performing this action.
##
##
#
define(`corenet_udp_receive_all_nodes',` dnl
dnl Purpose: allow arg 1 udp_recv on every type carrying the node_type
dnl attribute (all nodes).
dnl The policy_temp / policy_call_depth lines only track nesting depth for
dnl the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_all_nodes'($*)) dnl
gen_require(`
attribute node_type;
')
allow $1 node_type:node udp_recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_all_nodes'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP
## network traffic on all nodes.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_udp_receive_all_nodes',` dnl
dnl Purpose: silence audit records for udp_recv by arg 1 on any node_type
dnl type. Grants nothing; only suppresses logging.
dnl The policy_temp / policy_call_depth lines only track nesting depth for
dnl the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_all_nodes'($*)) dnl
gen_require(`
attribute node_type;
')
dontaudit $1 node_type:node udp_recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_all_nodes'($*)) dnl
')
########################################
##
## Send and receive UDP network traffic on all nodes.
##
##
##
## The type of the process performing this action.
##
##
#
define(`corenet_udp_sendrecv_all_nodes',` dnl
dnl Purpose: composite of corenet_udp_send_all_nodes and
dnl corenet_udp_receive_all_nodes for arg 1 (node_type attribute, both
dnl directions); callees do their own gen_require.
dnl The policy_temp / policy_call_depth lines only track nesting depth for
dnl the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_all_nodes'($*)) dnl
corenet_udp_send_all_nodes($1)
corenet_udp_receive_all_nodes($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_all_nodes'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive UDP
## network traffic on any nodes.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_udp_sendrecv_all_nodes',` dnl
dnl Purpose: composite dontaudit for both UDP directions on any node_type
dnl type, delegating to the single-direction dontaudit interfaces. Grants
dnl nothing.
dnl The policy_temp / policy_call_depth lines only track nesting depth for
dnl the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_all_nodes'($*)) dnl
corenet_dontaudit_udp_send_all_nodes($1)
corenet_dontaudit_udp_receive_all_nodes($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_all_nodes'($*)) dnl
')
########################################
##
## Send raw IP packets on all nodes.
##
##
##
## The type of the process performing this action.
##
##
#
define(`corenet_raw_send_all_nodes',` dnl
dnl Purpose: allow arg 1 rawip_send on every type carrying the node_type
dnl attribute. Wide grant; reserve for domains that must emit raw IP to
dnl arbitrary addresses.
dnl The policy_temp / policy_call_depth lines only track nesting depth for
dnl the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_send_all_nodes'($*)) dnl
gen_require(`
attribute node_type;
')
allow $1 node_type:node rawip_send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_send_all_nodes'($*)) dnl
')
########################################
##
## Receive raw IP packets on all nodes.
##
##
##
## The type of the process performing this action.
##
##
#
define(`corenet_raw_receive_all_nodes',` dnl
dnl Purpose: allow arg 1 rawip_recv on every type carrying the node_type
dnl attribute (all nodes).
dnl The policy_temp / policy_call_depth lines only track nesting depth for
dnl the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_receive_all_nodes'($*)) dnl
gen_require(`
attribute node_type;
')
allow $1 node_type:node rawip_recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_receive_all_nodes'($*)) dnl
')
########################################
##
## Send and receive raw IP packets on all nodes.
##
##
##
## The type of the process performing this action.
##
##
#
define(`corenet_raw_sendrecv_all_nodes',` dnl
dnl Purpose: composite of corenet_raw_send_all_nodes and
dnl corenet_raw_receive_all_nodes for arg 1 (node_type attribute, both
dnl directions); callees do their own gen_require.
dnl The policy_temp / policy_call_depth lines only track nesting depth for
dnl the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_sendrecv_all_nodes'($*)) dnl
corenet_raw_send_all_nodes($1)
corenet_raw_receive_all_nodes($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_sendrecv_all_nodes'($*)) dnl
')
########################################
##
## Bind TCP sockets to all nodes.
##
##
##
## The type of the process performing this action.
##
##
#
define(`corenet_tcp_bind_all_nodes',` dnl
dnl Purpose: allow arg 1 node_bind for tcp_socket on every node_type type
dnl (bind to any address label). Port name_bind is a separate check.
dnl The policy_temp / policy_call_depth lines only track nesting depth for
dnl the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_all_nodes'($*)) dnl
gen_require(`
attribute node_type;
')
allow $1 node_type:tcp_socket node_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_all_nodes'($*)) dnl
')
########################################
##
## Bind UDP sockets to all nodes.
##
##
##
## The type of the process performing this action.
##
##
#
define(`corenet_udp_bind_all_nodes',` dnl
dnl Purpose: allow arg 1 node_bind for udp_socket on every node_type type
dnl (bind to any address label). Port name_bind is a separate check.
dnl The policy_temp / policy_call_depth lines only track nesting depth for
dnl the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_all_nodes'($*)) dnl
gen_require(`
attribute node_type;
')
allow $1 node_type:udp_socket node_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_all_nodes'($*)) dnl
')
########################################
##
## Bind raw sockets to all nodes.
##
##
##
## The type of the process performing this action.
##
##
# rawip_socket node_bind does not make much sense.
# cjp: vmware hits this too
define(`corenet_raw_bind_all_nodes',` dnl
dnl Purpose: allow arg 1 node_bind for rawip_socket on every node_type
dnl type. Kept because real workloads trigger the check (see the comment
dnl above the define); there is no generic-node counterpart in this file.
dnl The policy_temp / policy_call_depth lines only track nesting depth for
dnl the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_bind_all_nodes'($*)) dnl
gen_require(`
attribute node_type;
')
allow $1 node_type:rawip_socket node_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_bind_all_nodes'($*)) dnl
')
########################################
##
## Send and receive TCP network traffic on generic ports.
##
##
##
## The type of the process performing this action.
##
##
#
define(`corenet_tcp_sendrecv_generic_port',` dnl
dnl Purpose: allow arg 1 send_msg and recv_msg for tcp_socket on the
dnl single generic port type port_t. Ports with any other port_type label
dnl are not covered; see corenet_tcp_sendrecv_all_ports.
dnl The policy_temp / policy_call_depth lines only track nesting depth for
dnl the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_generic_port'($*)) dnl
gen_require(`
type port_t;
')
allow $1 port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_generic_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive TCP network traffic on generic ports.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_tcp_sendrecv_generic_port',` dnl
dnl Purpose: silence audit records for tcp_socket send_msg / recv_msg by
dnl arg 1 on the generic port type port_t. Grants nothing.
dnl The policy_temp / policy_call_depth lines only track nesting depth for
dnl the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_sendrecv_generic_port'($*)) dnl
gen_require(`
type port_t;
')
dontaudit $1 port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_sendrecv_generic_port'($*)) dnl
')
########################################
##
## Send UDP network traffic on generic ports.
##
##
##
## The type of the process performing this action.
##
##
#
define(`corenet_udp_send_generic_port',` dnl
dnl Purpose: allow arg 1 send_msg for udp_socket on the generic port type
dnl port_t only.
dnl The policy_temp / policy_call_depth lines only track nesting depth for
dnl the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_generic_port'($*)) dnl
gen_require(`
type port_t;
')
allow $1 port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_generic_port'($*)) dnl
')
########################################
##
## Receive UDP network traffic on generic ports.
##
##
##
## The type of the process performing this action.
##
##
#
define(`corenet_udp_receive_generic_port',` dnl
dnl Purpose: allow arg 1 recv_msg for udp_socket on the generic port type
dnl port_t only.
dnl The policy_temp / policy_call_depth lines only track nesting depth for
dnl the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_generic_port'($*)) dnl
gen_require(`
type port_t;
')
allow $1 port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_generic_port'($*)) dnl
')
########################################
##
## Send and receive UDP network traffic on generic ports.
##
##
##
## The type of the process performing this action.
##
##
#
define(`corenet_udp_sendrecv_generic_port',` dnl
dnl Purpose: composite of corenet_udp_send_generic_port and
dnl corenet_udp_receive_generic_port for arg 1; callees do their own
dnl gen_require for port_t.
dnl The policy_temp / policy_call_depth lines only track nesting depth for
dnl the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_generic_port'($*)) dnl
corenet_udp_send_generic_port($1)
corenet_udp_receive_generic_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_generic_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to generic ports.
##
##
##
## The type of the process performing this action.
##
##
#
define(`corenet_tcp_bind_generic_port',` dnl
dnl Purpose: allow arg 1 name_bind for tcp_socket on the generic port type
dnl port_t (the port half of a bind; node_bind on a node type is the
dnl other half). Ports with a more specific port_type label still need
dnl their own interface.
dnl The policy_temp / policy_call_depth lines only track nesting depth for
dnl the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_generic_port'($*)) dnl
gen_require(`
type port_t;
')
allow $1 port_t:tcp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_generic_port'($*)) dnl
')
########################################
##
## Do not audit attempts to bind TCP sockets to generic ports.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_tcp_bind_generic_port',` dnl
dnl Purpose: silence audit records for tcp_socket name_bind by arg 1 on
dnl the generic port type port_t. Grants nothing; the bind still fails.
dnl The policy_temp / policy_call_depth lines only track nesting depth for
dnl the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_bind_generic_port'($*)) dnl
gen_require(`
type port_t;
')
dontaudit $1 port_t:tcp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_bind_generic_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to generic ports.
##
##
##
## The type of the process performing this action.
##
##
#
define(`corenet_udp_bind_generic_port',` dnl
dnl Purpose: allow arg 1 name_bind for udp_socket on the generic port type
dnl port_t (port half of a bind; node_bind is the other half).
dnl The policy_temp / policy_call_depth lines only track nesting depth for
dnl the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_generic_port'($*)) dnl
gen_require(`
type port_t;
')
allow $1 port_t:udp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_generic_port'($*)) dnl
')
########################################
##
## Connect TCP sockets to generic ports.
##
##
##
## The type of the process performing this action.
##
##
#
define(`corenet_tcp_connect_generic_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_generic_port'($*)) dnl
gen_require(`
type port_t;
')
# Outbound TCP connect to the generic port type only. Ports with a
# dedicated type (and the sendrecv permissions, if enforced) are separate
# interfaces.
allow $1 port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_generic_port'($*)) dnl
')
########################################
##
## Send and receive TCP network traffic on all ports.
##
##
##
## The type of the process performing this action.
##
##
#
define(`corenet_tcp_sendrecv_all_ports',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_all_ports'($*)) dnl
gen_require(`
attribute port_type;
')
# Granted against the port_type attribute, i.e. every labeled port at
# once. send_msg/recv_msg are the per-port traffic checks, distinct from
# name_bind/name_connect. NOTE(review): whether the running kernel
# enforces these legacy per-port checks (versus packet labeling) is a
# kernel-configuration matter this file cannot determine.
allow $1 port_type:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_all_ports'($*)) dnl
')
########################################
##
## Send UDP network traffic on all ports.
##
##
##
## The type of the process performing this action.
##
##
#
define(`corenet_udp_send_all_ports',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_all_ports'($*)) dnl
gen_require(`
attribute port_type;
')
# send_msg to every labeled UDP port (the port_type attribute). The
# receive direction is a separate interface so the two can be granted
# independently.
allow $1 port_type:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_all_ports'($*)) dnl
')
########################################
##
## Receive UDP network traffic on all ports.
##
##
##
## The type of the process performing this action.
##
##
#
define(`corenet_udp_receive_all_ports',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_all_ports'($*)) dnl
gen_require(`
attribute port_type;
')
# recv_msg from every labeled UDP port (the port_type attribute); the
# send direction is corenet_udp_send_all_ports.
allow $1 port_type:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_all_ports'($*)) dnl
')
########################################
##
## Send and receive UDP network traffic on all ports.
##
##
##
## The type of the process performing this action.
##
##
#
define(`corenet_udp_sendrecv_all_ports',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_all_ports'($*)) dnl
# Convenience wrapper: both directions against the port_type attribute,
# composed from the single-direction interfaces rather than restating
# the rules here.
corenet_udp_send_all_ports($1)
corenet_udp_receive_all_ports($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_all_ports'($*)) dnl
')
########################################
##
## Bind TCP sockets to all ports.
##
##
##
## The type of the process performing this action.
##
##
#
define(`corenet_tcp_bind_all_ports',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_all_ports'($*)) dnl
gen_require(`
attribute port_type;
')
# Broad grant: name_bind on every labeled port (the port_type attribute),
# including ports dedicated to other services. Prefer the per-service
# bind interface when the ports are known.
allow $1 port_type:tcp_socket name_bind;
# CAP_NET_BIND_SERVICE is granted on the domain itself, not per port:
# once allowed it is usable for any privileged-port bind the domain is
# otherwise permitted to make.
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_all_ports'($*)) dnl
')
########################################
##
## Do not audit attempts to bind TCP sockets to any port.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_tcp_bind_all_ports',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_bind_all_ports'($*)) dnl
gen_require(`
attribute port_type;
')
# Silences bind denials against every labeled port; grants nothing.
# Because this covers all port types, it hides any bind attempt by the
# domain from the audit log - confirm the caller really needs that width.
dontaudit $1 port_type:tcp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_bind_all_ports'($*)) dnl
')
########################################
##
## Bind UDP sockets to all ports.
##
##
##
## The type of the process performing this action.
##
##
#
define(`corenet_udp_bind_all_ports',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_all_ports'($*)) dnl
gen_require(`
attribute port_type;
')
# Broad grant: name_bind on every labeled UDP port, including ports
# dedicated to other services. Prefer a per-service interface when the
# ports are known.
allow $1 port_type:udp_socket name_bind;
# Domain-wide CAP_NET_BIND_SERVICE, not scoped to any particular port.
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_all_ports'($*)) dnl
')
########################################
##
## Connect TCP sockets to all ports.
##
##
##
## The type of the process performing this action.
##
##
#
define(`corenet_tcp_connect_all_ports',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_all_ports'($*)) dnl
gen_require(`
attribute port_type;
')
# Effectively unrestricted outbound TCP: name_connect to every labeled
# port. This removes the port-level egress control for the domain, so
# reserve it for genuine general-purpose clients.
allow $1 port_type:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_all_ports'($*)) dnl
')
########################################
##
## Connect TCP sockets to all RPC ports.
##
##
##
## The type of the process performing this action.
##
##
#
define(`corenet_tcp_connect_all_rpc_ports',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_all_rpc_ports'($*)) dnl
gen_require(`
attribute rpc_port_type;
')
# name_connect to every port type carrying the rpc_port_type attribute
# (membership is declared with the port types, outside this interface).
allow $1 rpc_port_type:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_all_rpc_ports'($*)) dnl
')
########################################
##
## Do not audit attempts to connect TCP sockets
## to all RPC ports.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_tcp_connect_all_rpc_ports',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_all_rpc_ports'($*)) dnl
gen_require(`
attribute rpc_port_type;
')
# Suppresses the denial record for connects to RPC ports; grants nothing.
dontaudit $1 rpc_port_type:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_all_rpc_ports'($*)) dnl
')
########################################
##
## Send and receive TCP network traffic on generic reserved ports.
##
##
##
## The type of the process performing this action.
##
##
#
define(`corenet_tcp_sendrecv_reserved_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_reserved_port'($*)) dnl
gen_require(`
type reserved_port_t;
')
# Per-port traffic checks for the single generic reserved-port type;
# reserved ports with a dedicated type are covered by the
# *_all_reserved_ports interfaces instead.
allow $1 reserved_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_reserved_port'($*)) dnl
')
########################################
##
## Send UDP network traffic on generic reserved ports.
##
##
##
## The type of the process performing this action.
##
##
#
define(`corenet_udp_send_reserved_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_reserved_port'($*)) dnl
gen_require(`
type reserved_port_t;
')
# send_msg to the generic reserved-port type only (one direction).
allow $1 reserved_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_reserved_port'($*)) dnl
')
########################################
##
## Receive UDP network traffic on generic reserved ports.
##
##
##
## The type of the process performing this action.
##
##
#
define(`corenet_udp_receive_reserved_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_reserved_port'($*)) dnl
gen_require(`
type reserved_port_t;
')
# recv_msg from the generic reserved-port type only (one direction).
allow $1 reserved_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_reserved_port'($*)) dnl
')
########################################
##
## Send and receive UDP network traffic on generic reserved ports.
##
##
##
## The type of the process performing this action.
##
##
#
define(`corenet_udp_sendrecv_reserved_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_reserved_port'($*)) dnl
# Both directions on the generic reserved-port type, composed from the
# single-direction interfaces.
corenet_udp_send_reserved_port($1)
corenet_udp_receive_reserved_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_reserved_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to generic reserved ports.
##
##
##
## The type of the process performing this action.
##
##
#
define(`corenet_tcp_bind_reserved_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_reserved_port'($*)) dnl
gen_require(`
type reserved_port_t;
')
# name_bind on the generic reserved-port type only.
allow $1 reserved_port_t:tcp_socket name_bind;
# The capability is granted domain-wide, not tied to reserved_port_t:
# it also covers any other privileged-port bind the domain is allowed.
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_reserved_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to generic reserved ports.
##
##
##
## The type of the process performing this action.
##
##
#
define(`corenet_udp_bind_reserved_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_reserved_port'($*)) dnl
gen_require(`
type reserved_port_t;
')
# name_bind on the generic reserved-port type only.
allow $1 reserved_port_t:udp_socket name_bind;
# Domain-wide CAP_NET_BIND_SERVICE; not scoped to reserved_port_t.
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_reserved_port'($*)) dnl
')
########################################
##
## Connect TCP sockets to generic reserved ports.
##
##
##
## The type of the process performing this action.
##
##
#
define(`corenet_tcp_connect_reserved_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_reserved_port'($*)) dnl
gen_require(`
type reserved_port_t;
')
# name_connect to the generic reserved-port type only; no capability is
# needed or granted for connecting.
allow $1 reserved_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_reserved_port'($*)) dnl
')
########################################
##
## Send and receive TCP network traffic on all reserved ports.
##
##
##
## The type of the process performing this action.
##
##
#
define(`corenet_tcp_sendrecv_all_reserved_ports',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_all_reserved_ports'($*)) dnl
gen_require(`
attribute reserved_port_type;
')
# Per-port traffic checks against every type carrying the
# reserved_port_type attribute, i.e. all reserved ports at once.
allow $1 reserved_port_type:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_all_reserved_ports'($*)) dnl
')
########################################
##
## Send UDP network traffic on all reserved ports.
##
##
##
## The type of the process performing this action.
##
##
#
define(`corenet_udp_send_all_reserved_ports',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_all_reserved_ports'($*)) dnl
gen_require(`
attribute reserved_port_type;
')
# send_msg to every reserved port type (one direction).
allow $1 reserved_port_type:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_all_reserved_ports'($*)) dnl
')
########################################
##
## Receive UDP network traffic on all reserved ports.
##
##
##
## The type of the process performing this action.
##
##
#
define(`corenet_udp_receive_all_reserved_ports',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_all_reserved_ports'($*)) dnl
gen_require(`
attribute reserved_port_type;
')
# recv_msg from every reserved port type (one direction).
allow $1 reserved_port_type:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_all_reserved_ports'($*)) dnl
')
########################################
##
## Send and receive UDP network traffic on all reserved ports.
##
##
##
## The type of the process performing this action.
##
##
#
define(`corenet_udp_sendrecv_all_reserved_ports',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_all_reserved_ports'($*)) dnl
# Both directions against every reserved port type, composed from the
# single-direction interfaces.
corenet_udp_send_all_reserved_ports($1)
corenet_udp_receive_all_reserved_ports($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_all_reserved_ports'($*)) dnl
')
########################################
##
## Bind TCP sockets to all reserved ports.
##
##
##
## The type of the process performing this action.
##
##
#
define(`corenet_tcp_bind_all_reserved_ports',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_all_reserved_ports'($*)) dnl
gen_require(`
attribute reserved_port_type;
')
# name_bind on every reserved port type, including those dedicated to
# other services; prefer the per-service bind interface when possible.
allow $1 reserved_port_type:tcp_socket name_bind;
# Domain-wide CAP_NET_BIND_SERVICE, not scoped to these port types.
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_all_reserved_ports'($*)) dnl
')
########################################
##
## Do not audit attempts to bind TCP sockets to all reserved ports.
##
##
##
## The type of the process to not audit.
##
##
#
define(`corenet_dontaudit_tcp_bind_all_reserved_ports',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_bind_all_reserved_ports'($*)) dnl
gen_require(`
attribute reserved_port_type;
')
# Silences bind denials against every reserved port type; grants nothing.
dontaudit $1 reserved_port_type:tcp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_bind_all_reserved_ports'($*)) dnl
')
########################################
##
## Bind UDP sockets to all reserved ports.
##
##
##
## The type of the process performing this action.
##
##
#
define(`corenet_udp_bind_all_reserved_ports',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_all_reserved_ports'($*)) dnl
gen_require(`
attribute reserved_port_type;
')
# name_bind on every reserved UDP port type, including those dedicated
# to other services; prefer a per-service interface when possible.
allow $1 reserved_port_type:udp_socket name_bind;
# Domain-wide CAP_NET_BIND_SERVICE, not scoped to these port types.
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_all_reserved_ports'($*)) dnl
')
########################################
##
## Do not audit attempts to bind UDP sockets to all reserved ports.
##
##
##
## The type of the process to not audit.
##
##
#
define(`corenet_dontaudit_udp_bind_all_reserved_ports',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_all_reserved_ports'($*)) dnl
gen_require(`
attribute reserved_port_type;
')
# Silences UDP bind denials against every reserved port type; grants
# nothing.
dontaudit $1 reserved_port_type:udp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_all_reserved_ports'($*)) dnl
')
########################################
##
## Connect TCP sockets to all reserved ports.
##
##
##
## The type of the process performing this action.
##
##
#
define(`corenet_tcp_connect_all_reserved_ports',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_all_reserved_ports'($*)) dnl
gen_require(`
attribute reserved_port_type;
')
# name_connect to every reserved port type at once; narrower than
# corenet_tcp_connect_all_ports but still spans every privileged service.
allow $1 reserved_port_type:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_all_reserved_ports'($*)) dnl
')
########################################
##
## Do not audit attempts to connect TCP sockets
## to all reserved ports.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_tcp_connect_all_reserved_ports',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_all_reserved_ports'($*)) dnl
gen_require(`
attribute reserved_port_type;
')
# Silences connect denials to every reserved port type; grants nothing.
dontaudit $1 reserved_port_type:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_all_reserved_ports'($*)) dnl
')
########################################
##
## Do not audit attempts to connect TCP sockets
## to all ports.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_tcp_connect_all_ports',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_all_ports'($*)) dnl
gen_require(`
attribute port_type;
')
# Silences connect denials to every labeled port; grants nothing, but it
# hides all outbound-connect denials for the domain from the audit log.
dontaudit $1 port_type:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_all_ports'($*)) dnl
')
########################################
##
## Read and write the TUN/TAP virtual network device.
##
##
##
## The domain allowed access.
##
##
#
define(`corenet_rw_tun_tap_dev',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_rw_tun_tap_dev'($*)) dnl
gen_require(`
type tun_tap_device_t;
')
# Directory search/list access is needed to reach the device node.
dev_list_all_dev_nodes($1)
# ioctl is included, which is presumably what lets the caller configure
# tun/tap interfaces - a strong grant; give it only to VPN/virtualization
# domains that need it. NOTE(review): this list is spelled out rather than
# using a perms macro (corenet_rw_ppp_dev uses rw_file_perms), so the
# two can drift; confirm whether open is expected here on policies that
# check it.
allow $1 tun_tap_device_t:chr_file { getattr read write ioctl lock append };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_rw_tun_tap_dev'($*)) dnl
')
########################################
##
## Getattr the point-to-point device.
##
##
##
## The domain allowed access.
##
##
#
define(`corenet_getattr_ppp_dev',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_getattr_ppp_dev'($*)) dnl
gen_require(`
type ppp_device_t;
')
# Metadata only (stat); no read/write on the device. Unlike
# corenet_rw_ppp_dev this does not add /dev listing access, so the
# caller must already be able to reach the node.
allow $1 ppp_device_t:chr_file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_getattr_ppp_dev'($*)) dnl
')
########################################
##
## Read and write the point-to-point device.
##
##
##
## The domain allowed access.
##
##
#
define(`corenet_rw_ppp_dev',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_rw_ppp_dev'($*)) dnl
gen_require(`
type ppp_device_t;
')
# Directory search/list access is needed to reach the device node.
dev_list_all_dev_nodes($1)
# Read/write via the rw_file_perms macro (defined outside this view), so
# the exact permission set follows that macro.
allow $1 ppp_device_t:chr_file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_rw_ppp_dev'($*)) dnl
')
########################################
##
## Bind TCP sockets to all RPC ports.
##
##
##
## The type of the process performing this action.
##
##
#
define(`corenet_tcp_bind_all_rpc_ports',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_all_rpc_ports'($*)) dnl
gen_require(`
attribute rpc_port_type;
')
# name_bind on every port type carrying the rpc_port_type attribute.
allow $1 rpc_port_type:tcp_socket name_bind;
# Domain-wide CAP_NET_BIND_SERVICE, not scoped to RPC ports.
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_all_rpc_ports'($*)) dnl
')
########################################
##
## Do not audit attempts to bind TCP sockets to all RPC ports.
##
##
##
## The type of the process to not audit.
##
##
#
define(`corenet_dontaudit_tcp_bind_all_rpc_ports',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_bind_all_rpc_ports'($*)) dnl
gen_require(`
attribute rpc_port_type;
')
# Silences TCP bind denials against RPC port types; grants nothing.
dontaudit $1 rpc_port_type:tcp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_bind_all_rpc_ports'($*)) dnl
')
########################################
##
## Bind UDP sockets to all RPC ports.
##
##
##
## The type of the process performing this action.
##
##
#
define(`corenet_udp_bind_all_rpc_ports',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_all_rpc_ports'($*)) dnl
gen_require(`
attribute rpc_port_type;
')
# name_bind on every UDP port type carrying the rpc_port_type attribute.
allow $1 rpc_port_type:udp_socket name_bind;
# Domain-wide CAP_NET_BIND_SERVICE, not scoped to RPC ports.
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_all_rpc_ports'($*)) dnl
')
########################################
##
## Do not audit attempts to bind UDP sockets to all RPC ports.
##
##
##
## The type of the process to not audit.
##
##
#
define(`corenet_dontaudit_udp_bind_all_rpc_ports',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_all_rpc_ports'($*)) dnl
gen_require(`
attribute rpc_port_type;
')
# Silences UDP bind denials against RPC port types; grants nothing.
dontaudit $1 rpc_port_type:udp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_all_rpc_ports'($*)) dnl
')
########################################
##
## Send and receive messages on a
## non-encrypted (no IPSEC) network
## session.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_non_ipsec_sendrecv',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_non_ipsec_sendrecv'($*)) dnl
# Delegates to the kernel layer. The allow side here is expressed on
# unlabeled packets, while the dontaudit counterpart
# (corenet_dontaudit_non_ipsec_sendrecv) is expressed on the unlabeled
# association - NOTE(review): the two call different kernel interfaces;
# confirm the asymmetry is intended and that this one covers the
# association permission the description promises.
kernel_sendrecv_unlabeled_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_non_ipsec_sendrecv'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## messages on a non-encrypted (no IPSEC) network
## session.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_non_ipsec_sendrecv',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_non_ipsec_sendrecv'($*)) dnl
# Suppresses denials on the unlabeled association; grants nothing.
# NOTE(review): the allow counterpart (corenet_non_ipsec_sendrecv)
# targets unlabeled packets rather than the association, so this may
# not silence exactly what that interface grants.
kernel_dontaudit_sendrecv_unlabeled_association($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_non_ipsec_sendrecv'($*)) dnl
')
########################################
##
## Receive TCP packets from a NetLabel connection.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_recv_netlabel',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_recv_netlabel'($*)) dnl
# Despite the name, this delegates to the unlabeled recvfrom interface.
# Access to the actual NetLabel peer type (netlabel_peer_t) is granted by
# corenet_all_recvfrom_netlabel instead - NOTE(review): callers expecting
# labeled peers should confirm which of the two they need.
kernel_tcp_recvfrom_unlabeled($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_recv_netlabel'($*)) dnl
')
########################################
##
## Receive packets from a NetLabel connection.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_all_recvfrom_netlabel',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_all_recvfrom_netlabel'($*)) dnl
gen_require(`
type netlabel_peer_t;
')
# recvfrom against the NetLabel peer type on TCP, UDP and raw IP sockets
# in one rule. Only the receive side is granted here; nothing is added
# for sending.
allow $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_all_recvfrom_netlabel'($*)) dnl
')
########################################
##
## Do not audit attempts to receive packets from an unlabeled connection.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_all_recvfrom_unlabeled',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_all_recvfrom_unlabeled'($*)) dnl
# Suppresses the recvfrom-unlabeled denial on all three socket classes;
# grants nothing. Silencing this hides evidence of traffic from peers
# the policy does not label, so apply it only where that noise is known
# to be benign.
kernel_dontaudit_tcp_recvfrom_unlabeled($1)
kernel_dontaudit_udp_recvfrom_unlabeled($1)
kernel_dontaudit_raw_recvfrom_unlabeled($1)
# XXX - at some point the outbound/send access check will be removed
# but for right now we need to keep this in place so as not to break
# older systems
kernel_dontaudit_sendrecv_unlabeled_association($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_all_recvfrom_unlabeled'($*)) dnl
')
########################################
##
## Do not audit attempts to receive TCP packets from a NetLabel
## connection.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_tcp_recv_netlabel',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_recv_netlabel'($*)) dnl
# Despite the name, this silences the unlabeled recvfrom denial (TCP),
# not a denial against netlabel_peer_t; grants nothing.
kernel_dontaudit_tcp_recvfrom_unlabeled($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_recv_netlabel'($*)) dnl
')
########################################
##
## Receive UDP packets from a NetLabel connection.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_udp_recv_netlabel',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_recv_netlabel'($*)) dnl
# Despite the name, this delegates to the unlabeled recvfrom interface
# (UDP); access to netlabel_peer_t itself comes from
# corenet_all_recvfrom_netlabel. NOTE(review): confirm callers want the
# unlabeled peer rather than the NetLabel peer type.
kernel_udp_recvfrom_unlabeled($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_recv_netlabel'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP packets from a NetLabel
## connection.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_udp_recv_netlabel',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_recv_netlabel'($*)) dnl
# Despite the name, this silences the unlabeled recvfrom denial (UDP),
# not a denial against netlabel_peer_t; grants nothing.
kernel_dontaudit_udp_recvfrom_unlabeled($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_recv_netlabel'($*)) dnl
')
########################################
##
## Receive Raw IP packets from a NetLabel connection.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_raw_recv_netlabel',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_recv_netlabel'($*)) dnl
# Despite the name, this delegates to the unlabeled recvfrom interface
# (raw IP); access to netlabel_peer_t itself comes from
# corenet_all_recvfrom_netlabel. NOTE(review): confirm callers want the
# unlabeled peer rather than the NetLabel peer type.
kernel_raw_recvfrom_unlabeled($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_recv_netlabel'($*)) dnl
')
########################################
##
## Do not audit attempts to receive Raw IP packets from a NetLabel
## connection.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_raw_recv_netlabel',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_raw_recv_netlabel'($*)) dnl
# Despite the name, this silences the unlabeled recvfrom denial (raw IP),
# not a denial against netlabel_peer_t; grants nothing.
kernel_dontaudit_raw_recvfrom_unlabeled($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_raw_recv_netlabel'($*)) dnl
')
########################################
##
## Send generic client packets.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_send_generic_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_generic_client_packets'($*)) dnl
gen_require(`
type client_packet_t;
')
# Checked on the packet class, i.e. only for packets that have actually
# been labeled client_packet_t (presumably by SECMARK firewall rules
# configured outside this policy). With no packet labeling in place this
# rule has no effect - it is not a substitute for the port-level rules.
allow $1 client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_generic_client_packets'($*)) dnl
')
########################################
##
## Receive generic client packets.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_receive_generic_client_packets',` dnl
dnl Allow $1 to receive packets labeled with the generic client packet type.
dnl Depth bookkeeping: push depth+1 before the begin marker, then push the caller depth back before the end marker (pushdef only; nothing is popped here).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_generic_client_packets'($*)) dnl
gen_require(`
type client_packet_t;
')
dnl packet class, recv permission only; send is a separate interface.
allow $1 client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_generic_client_packets'($*)) dnl
')
########################################
##
## Send and receive generic client packets.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_sendrecv_generic_client_packets',` dnl
dnl Convenience wrapper: grants $1 both send and recv on the generic client packet type by calling the two single-direction interfaces.
dnl Depth bookkeeping: push depth+1 before the begin marker, then push the caller depth back before the end marker (pushdef only; nothing is popped here).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_generic_client_packets'($*)) dnl
corenet_send_generic_client_packets($1)
corenet_receive_generic_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_generic_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the generic client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_generic_client_packets',` dnl
dnl Allow $1 to relabel packets to the generic client packet type.
dnl Depth bookkeeping: push depth+1 before the begin marker, then push the caller depth back before the end marker (pushdef only; nothing is popped here).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_generic_client_packets'($*)) dnl
gen_require(`
type client_packet_t;
')
dnl relabelto only; this does not by itself grant send or recv on the type.
allow $1 client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_generic_client_packets'($*)) dnl
')
########################################
##
## Send generic server packets.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_send_generic_server_packets',` dnl
dnl Allow $1 to send packets labeled with the generic server packet type.
dnl Depth bookkeeping: push depth+1 before the begin marker, then push the caller depth back before the end marker (pushdef only; nothing is popped here).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_generic_server_packets'($*)) dnl
gen_require(`
type server_packet_t;
')
dnl packet class, send permission only; receive is a separate interface.
allow $1 server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_generic_server_packets'($*)) dnl
')
########################################
##
## Receive generic server packets.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_receive_generic_server_packets',` dnl
dnl Allow $1 to receive packets labeled with the generic server packet type.
dnl Depth bookkeeping: push depth+1 before the begin marker, then push the caller depth back before the end marker (pushdef only; nothing is popped here).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_generic_server_packets'($*)) dnl
gen_require(`
type server_packet_t;
')
dnl packet class, recv permission only; send is a separate interface.
allow $1 server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_generic_server_packets'($*)) dnl
')
########################################
##
## Send and receive generic server packets.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_sendrecv_generic_server_packets',` dnl
dnl Convenience wrapper: grants $1 both send and recv on the generic server packet type by calling the two single-direction interfaces.
dnl Depth bookkeeping: push depth+1 before the begin marker, then push the caller depth back before the end marker (pushdef only; nothing is popped here).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_generic_server_packets'($*)) dnl
corenet_send_generic_server_packets($1)
corenet_receive_generic_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_generic_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the generic server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_generic_server_packets',` dnl
dnl Allow $1 to relabel packets to the generic server packet type.
dnl Depth bookkeeping: push depth+1 before the begin marker, then push the caller depth back before the end marker (pushdef only; nothing is popped here).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_generic_server_packets'($*)) dnl
gen_require(`
type server_packet_t;
')
dnl relabelto only; this does not by itself grant send or recv on the type.
allow $1 server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_generic_server_packets'($*)) dnl
')
########################################
##
## Send and receive unlabeled packets.
##
##
##
## Send and receive unlabeled packets.
## These packets do not match any netfilter
## SECMARK rules.
##
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_sendrecv_unlabeled_packets',` dnl
dnl Allow $1 to send and receive packets that carry no label (per the header, packets matching no netfilter SECMARK rule); delegates to the kernel layer.
dnl Depth bookkeeping: push depth+1 before the begin marker, then push the caller depth back before the end marker (pushdef only; nothing is popped here).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_unlabeled_packets'($*)) dnl
kernel_sendrecv_unlabeled_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_unlabeled_packets'($*)) dnl
')
########################################
##
## Receive packets from an unlabeled connection.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_all_recvfrom_unlabeled',` dnl
dnl Allow $1 to receive TCP, UDP and raw IP traffic from unlabeled peers, plus the unlabeled association access kept for compatibility (see note below).
dnl Depth bookkeeping: push depth+1 before the begin marker, then push the caller depth back before the end marker (pushdef only; nothing is popped here).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_all_recvfrom_unlabeled'($*)) dnl
kernel_tcp_recvfrom_unlabeled($1)
kernel_udp_recvfrom_unlabeled($1)
kernel_raw_recvfrom_unlabeled($1)
# XXX - at some point the outbound/send access check will be removed
# but for right now we need to keep this in place so as not to break
# older systems
kernel_sendrecv_unlabeled_association($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_all_recvfrom_unlabeled'($*)) dnl
')
########################################
##
## Receive TCP packets from an unlabeled connection.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_recvfrom_unlabeled',` dnl
dnl Allow $1 to receive TCP traffic from unlabeled peers (TCP only; UDP and raw have their own interfaces), plus the unlabeled association access kept for compatibility.
dnl Depth bookkeeping: push depth+1 before the begin marker, then push the caller depth back before the end marker (pushdef only; nothing is popped here).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_recvfrom_unlabeled'($*)) dnl
kernel_tcp_recvfrom_unlabeled($1)
# XXX - at some point the outbound/send access check will be removed
# but for right now we need to keep this in place so as not to break
# older systems
kernel_sendrecv_unlabeled_association($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_recvfrom_unlabeled'($*)) dnl
')
########################################
##
## Send all client packets.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_send_all_client_packets',` dnl
dnl Allow $1 to send packets of every type carrying the client_packet_type attribute (broader than the generic-client interface, which names a single type).
dnl Depth bookkeeping: push depth+1 before the begin marker, then push the caller depth back before the end marker (pushdef only; nothing is popped here).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_all_client_packets'($*)) dnl
gen_require(`
attribute client_packet_type;
')
allow $1 client_packet_type:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_all_client_packets'($*)) dnl
')
########################################
##
## Receive all client packets.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_receive_all_client_packets',` dnl
dnl Allow $1 to receive packets of every type carrying the client_packet_type attribute.
dnl Depth bookkeeping: push depth+1 before the begin marker, then push the caller depth back before the end marker (pushdef only; nothing is popped here).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_all_client_packets'($*)) dnl
gen_require(`
attribute client_packet_type;
')
allow $1 client_packet_type:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_all_client_packets'($*)) dnl
')
########################################
##
## Send and receive all client packets.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_sendrecv_all_client_packets',` dnl
dnl Convenience wrapper: grants $1 send and recv on every client_packet_type packet type via the two single-direction interfaces.
dnl Depth bookkeeping: push depth+1 before the begin marker, then push the caller depth back before the end marker (pushdef only; nothing is popped here).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_all_client_packets'($*)) dnl
corenet_send_all_client_packets($1)
corenet_receive_all_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_all_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to any client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_all_client_packets',` dnl
dnl Allow $1 to relabel packets to any type carrying the client_packet_type attribute.
dnl Depth bookkeeping: push depth+1 before the begin marker, then push the caller depth back before the end marker (pushdef only; nothing is popped here).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_all_client_packets'($*)) dnl
gen_require(`
attribute client_packet_type;
')
allow $1 client_packet_type:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_all_client_packets'($*)) dnl
')
########################################
##
## Send all server packets.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_send_all_server_packets',` dnl
dnl Allow $1 to send packets of every type carrying the server_packet_type attribute.
dnl Depth bookkeeping: push depth+1 before the begin marker, then push the caller depth back before the end marker (pushdef only; nothing is popped here).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_all_server_packets'($*)) dnl
gen_require(`
attribute server_packet_type;
')
allow $1 server_packet_type:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_all_server_packets'($*)) dnl
')
########################################
##
## Receive all server packets.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_receive_all_server_packets',` dnl
dnl Allow $1 to receive packets of every type carrying the server_packet_type attribute.
dnl Depth bookkeeping: push depth+1 before the begin marker, then push the caller depth back before the end marker (pushdef only; nothing is popped here).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_all_server_packets'($*)) dnl
gen_require(`
attribute server_packet_type;
')
allow $1 server_packet_type:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_all_server_packets'($*)) dnl
')
########################################
##
## Send and receive all server packets.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_sendrecv_all_server_packets',` dnl
dnl Convenience wrapper: grants $1 send and recv on every server_packet_type packet type via the two single-direction interfaces.
dnl Depth bookkeeping: push depth+1 before the begin marker, then push the caller depth back before the end marker (pushdef only; nothing is popped here).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_all_server_packets'($*)) dnl
corenet_send_all_server_packets($1)
corenet_receive_all_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_all_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to any server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_all_server_packets',` dnl
dnl Allow $1 to relabel packets to any type carrying the server_packet_type attribute.
dnl Depth bookkeeping: push depth+1 before the begin marker, then push the caller depth back before the end marker (pushdef only; nothing is popped here).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_all_server_packets'($*)) dnl
gen_require(`
attribute server_packet_type;
')
allow $1 server_packet_type:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_all_server_packets'($*)) dnl
')
########################################
##
## Send all packets.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_send_all_packets',` dnl
dnl Allow $1 to send packets of every type carrying the packet_type attribute; this is the widest of the send interfaces here, so prefer a client/server or per-service one where it suffices.
dnl Depth bookkeeping: push depth+1 before the begin marker, then push the caller depth back before the end marker (pushdef only; nothing is popped here).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_all_packets'($*)) dnl
gen_require(`
attribute packet_type;
')
allow $1 packet_type:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_all_packets'($*)) dnl
')
########################################
##
## Receive all packets.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_receive_all_packets',` dnl
dnl Allow $1 to receive packets of every type carrying the packet_type attribute; the widest of the receive interfaces here.
dnl Depth bookkeeping: push depth+1 before the begin marker, then push the caller depth back before the end marker (pushdef only; nothing is popped here).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_all_packets'($*)) dnl
gen_require(`
attribute packet_type;
')
allow $1 packet_type:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_all_packets'($*)) dnl
')
########################################
##
## Send and receive all packets.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_sendrecv_all_packets',` dnl
dnl Convenience wrapper: grants $1 send and recv on every packet_type packet type via the two single-direction interfaces.
dnl Depth bookkeeping: push depth+1 before the begin marker, then push the caller depth back before the end marker (pushdef only; nothing is popped here).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_all_packets'($*)) dnl
corenet_send_all_packets($1)
corenet_receive_all_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_all_packets'($*)) dnl
')
########################################
##
## Relabel packets to any packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_all_packets',` dnl
dnl Allow $1 to relabel packets to any type carrying the packet_type attribute.
dnl Depth bookkeeping: push depth+1 before the begin marker, then push the caller depth back before the end marker (pushdef only; nothing is popped here).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_all_packets'($*)) dnl
gen_require(`
attribute packet_type;
')
allow $1 packet_type:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_all_packets'($*)) dnl
')
########################################
##
## Unconfined access to network objects.
##
##
##
## The domain allowed access.
##
##
#
define(`corenet_unconfined',` dnl
dnl Mark $1 as a corenet-unconfined domain by adding it to the corenet_unconfined_type attribute.
dnl The rules attached to that attribute are declared elsewhere; treat this as a very broad network grant and reserve it for domains that are unconfined by design.
dnl Depth bookkeeping: push depth+1 before the begin marker, then push the caller depth back before the end marker (pushdef only; nothing is popped here).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_unconfined'($*)) dnl
gen_require(`
attribute corenet_unconfined_type;
')
typeattribute $1 corenet_unconfined_type;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_unconfined'($*)) dnl
')
########################################
##
## Do not audit attempts to bind UDP sockets to any ports.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_udp_bind_all_ports',` dnl
dnl Suppress audit records for $1 binding UDP sockets to any port_type port; the bind is still denied, only the denial message is dropped.
dnl Because this covers every port type, it can hide genuinely unexpected bind attempts; use it only for known-benign noise.
dnl Depth bookkeeping: push depth+1 before the begin marker, then push the caller depth back before the end marker (pushdef only; nothing is popped here).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_all_ports'($*)) dnl
gen_require(`
attribute port_type;
')
dontaudit $1 port_type:udp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_all_ports'($*)) dnl
')
########################################
##
## Bind TCP sockets to all ports greater than 1024.
##
##
##
## The type of the process performing this action.
##
##
#
define(`corenet_tcp_bind_all_unreserved_ports',` dnl
dnl Allow $1 to bind TCP sockets to every port_type port except those that also carry reserved_port_type (the set subtraction below).
dnl NOTE(review): rpc_port_type is not subtracted here; confirm that rpc port types also carry reserved_port_type, otherwise they remain bindable through this interface.
dnl Depth bookkeeping: push depth+1 before the begin marker, then push the caller depth back before the end marker (pushdef only; nothing is popped here).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_all_unreserved_ports'($*)) dnl
gen_require(`
attribute port_type, reserved_port_type;
')
allow $1 { port_type -reserved_port_type }:tcp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_all_unreserved_ports'($*)) dnl
')
########################################
##
## Define type to be a network port type
##
##
##
## Type to be used for network ports.
##
##
#
define(`corenet_port',` dnl
dnl Declare $1 as a network port type by adding it to port_type, the attribute the all-ports interfaces above match on.
dnl Depth bookkeeping: push depth+1 before the begin marker, then push the caller depth back before the end marker (pushdef only; nothing is popped here).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_port'($*)) dnl
gen_require(`
attribute port_type;
')
typeattribute $1 port_type;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_port'($*)) dnl
')
########################################
##
## Define network type to be a reserved port (less than 1024)
##
##
##
## Type to be used for network ports.
##
##
#
define(`corenet_reserved_port',` dnl
dnl Declare $1 as a reserved (below 1024) port type by adding it to reserved_port_type; types with this attribute are excluded from the unreserved-ports bind interface.
dnl This only adds the reserved attribute; the caller is expected to make the type a port_type separately (not done here).
dnl Depth bookkeeping: push depth+1 before the begin marker, then push the caller depth back before the end marker (pushdef only; nothing is popped here).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_reserved_port'($*)) dnl
gen_require(`
attribute reserved_port_type;
')
typeattribute $1 reserved_port_type;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_reserved_port'($*)) dnl
')
########################################
##
## Define network type to be an rpc port (512 < PORT < 1024)
##
##
##
## Type to be used for network ports.
##
##
#
define(`corenet_rpc_port',` dnl
dnl Declare $1 as an rpc port type (header: 512 < PORT < 1024) by adding it to rpc_port_type.
dnl This adds only the rpc attribute; it does not add reserved_port_type or port_type here.
dnl Depth bookkeeping: push depth+1 before the begin marker, then push the caller depth back before the end marker (pushdef only; nothing is popped here).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_rpc_port'($*)) dnl
gen_require(`
attribute rpc_port_type;
')
typeattribute $1 rpc_port_type;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_rpc_port'($*)) dnl
')
#
# shiftn(num,list...)
#
# shift the list num times
#
########################################
#
# Network Interface generated macros
#
########################################
########################################
#
# Network node generated macros
#
########################################
########################################
#
# Network port generated macros
#
########################################
#
# create_netif_*_interfaces(linux_interfacename)
#
#
# network_interface(linux_interfacename,mls_sensitivity)
#
#
# create_node_*_interfaces(node_name)
#
#
# network_node(node_name,mls_sensitivity,address,netmask)
#
# These next three macros have formatting, and should not be indented
#
# create_port_*_interfaces(port_name, protocol,portnum,mls_sensitivity [,protocol portnum mls_sensitivity[,...]])
# (these wrap create_port_interfaces to handle attributes and types)
#
# network_port(port_name,protocol portnum mls_sensitivity [,protocol,portnum,mls_sensitivity[,...]])
#
#
# network_packet(packet_name)
#
########################################
##
## Send and receive TCP traffic on the afs_bos port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_afs_bos_port',` dnl
dnl Allow $1 to send and receive TCP messages on the afs_bos port type (send_msg and recv_msg granted together here, unlike the split UDP interfaces).
dnl Depth bookkeeping: push depth+1 before the begin marker, then push the caller depth back before the end marker (pushdef only; nothing is popped here).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_afs_bos_port'($*)) dnl
gen_require(`
type afs_bos_port_t;
')
allow $1 afs_bos_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_afs_bos_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the afs_bos port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_afs_bos_port',` dnl
dnl Allow $1 to send UDP messages on the afs_bos port type (send_msg only).
dnl Depth bookkeeping: push depth+1 before the begin marker, then push the caller depth back before the end marker (pushdef only; nothing is popped here).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_afs_bos_port'($*)) dnl
gen_require(`
type afs_bos_port_t;
')
allow $1 afs_bos_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_afs_bos_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the afs_bos port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_afs_bos_port',` dnl
dnl Suppress audit records for $1 sending UDP messages on the afs_bos port type; the access stays denied.
dnl Depth bookkeeping: push depth+1 before the begin marker, then push the caller depth back before the end marker (pushdef only; nothing is popped here).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_afs_bos_port'($*)) dnl
gen_require(`
type afs_bos_port_t;
')
dontaudit $1 afs_bos_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_afs_bos_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the afs_bos port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_afs_bos_port',` dnl
dnl Allow $1 to receive UDP messages on the afs_bos port type (recv_msg only).
dnl Depth bookkeeping: push depth+1 before the begin marker, then push the caller depth back before the end marker (pushdef only; nothing is popped here).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_afs_bos_port'($*)) dnl
gen_require(`
type afs_bos_port_t;
')
allow $1 afs_bos_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_afs_bos_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the afs_bos port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_afs_bos_port',` dnl
dnl Suppress audit records for $1 receiving UDP messages on the afs_bos port type; the access stays denied.
dnl Depth bookkeeping: push depth+1 before the begin marker, then push the caller depth back before the end marker (pushdef only; nothing is popped here).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_afs_bos_port'($*)) dnl
gen_require(`
type afs_bos_port_t;
')
dontaudit $1 afs_bos_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_afs_bos_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the afs_bos port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_afs_bos_port',` dnl
dnl Convenience wrapper: grants $1 UDP send_msg and recv_msg on the afs_bos port type via the two single-direction interfaces.
dnl Depth bookkeeping: push depth+1 before the begin marker, then push the caller depth back before the end marker (pushdef only; nothing is popped here).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_afs_bos_port'($*)) dnl
corenet_udp_send_afs_bos_port($1)
corenet_udp_receive_afs_bos_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_afs_bos_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the afs_bos port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_afs_bos_port',` dnl
dnl Convenience wrapper: silences UDP send_msg and recv_msg denials for $1 on the afs_bos port type via the two single-direction dontaudit interfaces.
dnl Depth bookkeeping: push depth+1 before the begin marker, then push the caller depth back before the end marker (pushdef only; nothing is popped here).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_afs_bos_port'($*)) dnl
corenet_dontaudit_udp_send_afs_bos_port($1)
corenet_dontaudit_udp_receive_afs_bos_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_afs_bos_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the afs_bos port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_afs_bos_port',` dnl
dnl Allow $1 to bind a TCP socket to the afs_bos port type (name_bind; listening on the port, as opposed to name_connect).
dnl Depth bookkeeping: push depth+1 before the begin marker, then push the caller depth back before the end marker (pushdef only; nothing is popped here).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_afs_bos_port'($*)) dnl
gen_require(`
type afs_bos_port_t;
')
allow $1 afs_bos_port_t:tcp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_afs_bos_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the afs_bos port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_afs_bos_port',` dnl
dnl Allow $1 to bind a UDP socket to the afs_bos port type (name_bind).
dnl Depth bookkeeping: push depth+1 before the begin marker, then push the caller depth back before the end marker (pushdef only; nothing is popped here).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_afs_bos_port'($*)) dnl
gen_require(`
type afs_bos_port_t;
')
allow $1 afs_bos_port_t:udp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_afs_bos_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the afs_bos port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_afs_bos_port',` dnl
dnl Allow $1 to make outbound TCP connections to the afs_bos port type (name_connect; the client side, distinct from name_bind).
dnl Depth bookkeeping: push depth+1 before the begin marker, then push the caller depth back before the end marker (pushdef only; nothing is popped here).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_afs_bos_port'($*)) dnl
gen_require(`
type afs_bos_port_t;
')
allow $1 afs_bos_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_afs_bos_port'($*)) dnl
')
########################################
##
## Send afs_bos_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_afs_bos_client_packets',` dnl
dnl Allow $1 to send packets labeled with the afs_bos client packet type.
dnl Depth bookkeeping: push depth+1 before the begin marker, then push the caller depth back before the end marker (pushdef only; nothing is popped here).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_afs_bos_client_packets'($*)) dnl
gen_require(`
type afs_bos_client_packet_t;
')
allow $1 afs_bos_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_afs_bos_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send afs_bos_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_afs_bos_client_packets',` dnl
dnl Suppress audit records for $1 sending afs_bos client packets; the access stays denied.
dnl Depth bookkeeping: push depth+1 before the begin marker, then push the caller depth back before the end marker (pushdef only; nothing is popped here).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_afs_bos_client_packets'($*)) dnl
gen_require(`
type afs_bos_client_packet_t;
')
dontaudit $1 afs_bos_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_afs_bos_client_packets'($*)) dnl
')
########################################
##
## Receive afs_bos_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_afs_bos_client_packets',` dnl
dnl Allow $1 to receive packets labeled with the afs_bos client packet type.
dnl Depth bookkeeping: push depth+1 before the begin marker, then push the caller depth back before the end marker (pushdef only; nothing is popped here).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_afs_bos_client_packets'($*)) dnl
gen_require(`
type afs_bos_client_packet_t;
')
allow $1 afs_bos_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_afs_bos_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive afs_bos_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_afs_bos_client_packets',` dnl
dnl Suppress audit records for $1 receiving afs_bos client packets; the access stays denied (the parameter is the domain to not audit, despite the header wording).
dnl Depth bookkeeping: push depth+1 before the begin marker, then push the caller depth back before the end marker (pushdef only; nothing is popped here).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_afs_bos_client_packets'($*)) dnl
gen_require(`
type afs_bos_client_packet_t;
')
dontaudit $1 afs_bos_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_afs_bos_client_packets'($*)) dnl
')
########################################
##
## Send and receive afs_bos_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_afs_bos_client_packets',` dnl
dnl Convenience wrapper: grants $1 send and recv on the afs_bos client packet type via the two single-direction interfaces.
dnl Depth bookkeeping: push depth+1 before the begin marker, then push the caller depth back before the end marker (pushdef only; nothing is popped here).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_afs_bos_client_packets'($*)) dnl
corenet_send_afs_bos_client_packets($1)
corenet_receive_afs_bos_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_afs_bos_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive afs_bos_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_afs_bos_client_packets',` dnl
dnl Convenience wrapper: silences send and recv denials for $1 on the afs_bos client packet type via the two single-direction dontaudit interfaces.
dnl Depth bookkeeping: push depth+1 before the begin marker, then push the caller depth back before the end marker (pushdef only; nothing is popped here).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_afs_bos_client_packets'($*)) dnl
corenet_dontaudit_send_afs_bos_client_packets($1)
corenet_dontaudit_receive_afs_bos_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_afs_bos_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the afs_bos_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_afs_bos_client_packets',` dnl
dnl Allow $1 to relabel packets to the afs_bos client packet type (relabelto only; no send or recv implied).
dnl Depth bookkeeping: push depth+1 before the begin marker, then push the caller depth back before the end marker (pushdef only; nothing is popped here).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_afs_bos_client_packets'($*)) dnl
gen_require(`
type afs_bos_client_packet_t;
')
allow $1 afs_bos_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_afs_bos_client_packets'($*)) dnl
')
########################################
##
## Send afs_bos_server packets.
##
## Grants packet send on afs_bos_server_packet_t to the given domain.
## The rule only matches traffic that has been labelled
## afs_bos_server_packet_t, which normally requires SECMARK netfilter
## rules; if nothing labels the traffic the rule is inert, so it is not
## a substitute for the port-level name_bind/name_connect controls.
##
## Parameter 1 (domain): Domain allowed access.
##
#
define(`corenet_send_afs_bos_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_afs_bos_server_packets'($*)) dnl
gen_require(`
type afs_bos_server_packet_t;
')
allow $1 afs_bos_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_afs_bos_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send afs_bos_server packets.
##
## Emits a dontaudit rule, not an allow: sending packets labelled
## afs_bos_server_packet_t stays denied, only the AVC denial record is
## suppressed. That also hides the event from audit-based detection,
## so use it only for known-benign noise and disable dontaudit rules
## (semodule -DB) when troubleshooting.
##
## Parameter 1 (domain): Domain to not audit.
##
#
define(`corenet_dontaudit_send_afs_bos_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_afs_bos_server_packets'($*)) dnl
gen_require(`
type afs_bos_server_packet_t;
')
dontaudit $1 afs_bos_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_afs_bos_server_packets'($*)) dnl
')
########################################
##
## Receive afs_bos_server packets.
##
## Grants packet recv on afs_bos_server_packet_t to the given domain.
## Only traffic already labelled afs_bos_server_packet_t (normally by
## SECMARK netfilter rules) is matched; without such labelling the rule
## neither permits nor restricts anything.
##
## Parameter 1 (domain): Domain allowed access.
##
#
define(`corenet_receive_afs_bos_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_afs_bos_server_packets'($*)) dnl
gen_require(`
type afs_bos_server_packet_t;
')
allow $1 afs_bos_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_afs_bos_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive afs_bos_server packets.
##
## Suppresses the AVC denial for packet recv on
## afs_bos_server_packet_t; the access itself stays denied. The
## parameter is the domain being silenced, not one being granted
## access. Silenced denials are invisible to audit-based monitoring,
## so keep this to known-benign noise.
##
## Parameter 1 (domain): Domain to not audit.
##
#
define(`corenet_dontaudit_receive_afs_bos_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_afs_bos_server_packets'($*)) dnl
gen_require(`
type afs_bos_server_packet_t;
')
dontaudit $1 afs_bos_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_afs_bos_server_packets'($*)) dnl
')
########################################
##
## Send and receive afs_bos_server packets.
##
## Convenience wrapper that expands to the send and receive
## interfaces for afs_bos_server_packet_t, granting packet { send recv }
## to the given domain. Prefer the single-direction interface when a
## domain only needs one direction (least privilege).
##
## Parameter 1 (domain): Domain allowed access.
##
#
define(`corenet_sendrecv_afs_bos_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_afs_bos_server_packets'($*)) dnl
corenet_send_afs_bos_server_packets($1)
corenet_receive_afs_bos_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_afs_bos_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive afs_bos_server packets.
##
## Convenience wrapper that expands to the send and receive dontaudit
## interfaces for afs_bos_server_packet_t. Nothing is granted; both
## denials simply stop being logged, which also hides them from
## audit-based monitoring.
##
## Parameter 1 (domain): Domain to not audit.
##
#
define(`corenet_dontaudit_sendrecv_afs_bos_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_afs_bos_server_packets'($*)) dnl
corenet_dontaudit_send_afs_bos_server_packets($1)
corenet_dontaudit_receive_afs_bos_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_afs_bos_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the afs_bos_server packet type.
##
## Grants packet relabelto on afs_bos_server_packet_t. This is the
## permission checked when a SECMARK rule assigning that type is
## installed, so it belongs with the firewall-management domain; an
## AFS client or server domain does not need it to send or receive.
##
## Parameter 1 (domain): Domain allowed access.
##
#
define(`corenet_relabelto_afs_bos_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_afs_bos_server_packets'($*)) dnl
gen_require(`
type afs_bos_server_packet_t;
')
allow $1 afs_bos_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_afs_bos_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the afs_fs port.
##
## Grants tcp_socket { send_msg recv_msg } on afs_fs_port_t.
## NOTE(review): per-port send_msg/recv_msg checks belong to the
## legacy compat_net controls, which current kernels do not enforce;
## on such kernels name_bind, name_connect and the SECMARK packet
## class are the effective port controls. Kept for compatibility;
## confirm against the target kernel before relying on this rule as
## a restriction.
##
## Parameter 1 (domain): Domain allowed access.
##
#
define(`corenet_tcp_sendrecv_afs_fs_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_afs_fs_port'($*)) dnl
gen_require(`
type afs_fs_port_t;
')
allow $1 afs_fs_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_afs_fs_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the afs_fs port.
##
## Grants udp_socket send_msg on afs_fs_port_t.
## NOTE(review): per-port send_msg/recv_msg checks are part of the
## legacy compat_net controls, which current kernels do not enforce;
## on such kernels name_bind and the SECMARK packet class are the
## effective controls for UDP. Kept for compatibility; confirm against
## the target kernel before relying on this rule as a restriction.
##
## Parameter 1 (domain): Domain allowed access.
##
#
define(`corenet_udp_send_afs_fs_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_afs_fs_port'($*)) dnl
gen_require(`
type afs_fs_port_t;
')
allow $1 afs_fs_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_afs_fs_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the afs_fs port.
##
## Suppresses the AVC denial for udp_socket send_msg on afs_fs_port_t
## without granting it. NOTE(review): this per-port check is a legacy
## compat_net control that current kernels do not evaluate, so on them
## the rule has no observable effect; it is kept for compatibility.
##
## Parameter 1 (domain): Domain to not audit.
##
#
define(`corenet_dontaudit_udp_send_afs_fs_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_afs_fs_port'($*)) dnl
gen_require(`
type afs_fs_port_t;
')
dontaudit $1 afs_fs_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_afs_fs_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the afs_fs port.
##
## Grants udp_socket recv_msg on afs_fs_port_t.
## NOTE(review): per-port send_msg/recv_msg checks are part of the
## legacy compat_net controls, which current kernels do not enforce;
## on such kernels name_bind and the SECMARK packet class are the
## effective controls for UDP. Kept for compatibility; confirm against
## the target kernel before relying on this rule as a restriction.
##
## Parameter 1 (domain): Domain allowed access.
##
#
define(`corenet_udp_receive_afs_fs_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_afs_fs_port'($*)) dnl
gen_require(`
type afs_fs_port_t;
')
allow $1 afs_fs_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_afs_fs_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the afs_fs port.
##
## Suppresses the AVC denial for udp_socket recv_msg on afs_fs_port_t
## without granting it. NOTE(review): this per-port check is a legacy
## compat_net control that current kernels do not evaluate, so on them
## the rule has no observable effect; it is kept for compatibility.
##
## Parameter 1 (domain): Domain to not audit.
##
#
define(`corenet_dontaudit_udp_receive_afs_fs_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_afs_fs_port'($*)) dnl
gen_require(`
type afs_fs_port_t;
')
dontaudit $1 afs_fs_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_afs_fs_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the afs_fs port.
##
## Convenience wrapper that expands to the UDP send and receive
## interfaces for afs_fs_port_t, i.e. udp_socket { send_msg recv_msg }.
## NOTE(review): these per-port checks are legacy compat_net controls
## that current kernels do not enforce; confirm against the target
## kernel before treating them as a restriction.
##
## Parameter 1 (domain): Domain allowed access.
##
#
define(`corenet_udp_sendrecv_afs_fs_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_afs_fs_port'($*)) dnl
corenet_udp_send_afs_fs_port($1)
corenet_udp_receive_afs_fs_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_afs_fs_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the afs_fs port.
##
## Convenience wrapper that expands to the UDP send and receive
## dontaudit interfaces for afs_fs_port_t. Nothing is granted; the
## denials stop being logged. NOTE(review): the underlying per-port
## checks are legacy compat_net controls that current kernels do not
## evaluate, so on them this has no observable effect.
##
## Parameter 1 (domain): Domain to not audit.
##
#
define(`corenet_dontaudit_udp_sendrecv_afs_fs_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_afs_fs_port'($*)) dnl
corenet_dontaudit_udp_send_afs_fs_port($1)
corenet_dontaudit_udp_receive_afs_fs_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_afs_fs_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the afs_fs port.
##
## Grants tcp_socket name_bind on afs_fs_port_t, letting the given
## domain bind a socket to a port labelled afs_fs_port_t. This is the
## server-side privilege: whoever holds it can listen in place of the
## service on that port, so restrict it to the daemon that actually
## serves it rather than to client domains.
##
## Parameter 1 (domain): Domain allowed access.
##
#
define(`corenet_tcp_bind_afs_fs_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_afs_fs_port'($*)) dnl
gen_require(`
type afs_fs_port_t;
')
allow $1 afs_fs_port_t:tcp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_afs_fs_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the afs_fs port.
##
## Grants udp_socket name_bind on afs_fs_port_t, letting the given
## domain bind a UDP socket to a port labelled afs_fs_port_t. As with
## the TCP variant this is a server-side privilege that lets the
## holder receive in place of the service on that port, so keep it
## off client domains.
##
## Parameter 1 (domain): Domain allowed access.
##
#
define(`corenet_udp_bind_afs_fs_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_afs_fs_port'($*)) dnl
gen_require(`
type afs_fs_port_t;
')
allow $1 afs_fs_port_t:udp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_afs_fs_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the afs_fs port.
##
## Grants tcp_socket name_connect on afs_fs_port_t: the client-side
## check performed when the given domain connects to a port labelled
## afs_fs_port_t. The domain still needs the ordinary tcp_socket
## permissions on its own sockets, which this interface does not
## provide.
##
## Parameter 1 (domain): Domain allowed access.
##
#
define(`corenet_tcp_connect_afs_fs_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_afs_fs_port'($*)) dnl
gen_require(`
type afs_fs_port_t;
')
allow $1 afs_fs_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_afs_fs_port'($*)) dnl
')
########################################
##
## Send afs_fs_client packets.
##
## Grants packet send on afs_fs_client_packet_t to the given domain.
## The rule only matches traffic that has been labelled
## afs_fs_client_packet_t, which normally requires SECMARK netfilter
## rules; if nothing labels the traffic the rule is inert, so it is not
## a substitute for the port-level name_bind/name_connect controls.
##
## Parameter 1 (domain): Domain allowed access.
##
#
define(`corenet_send_afs_fs_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_afs_fs_client_packets'($*)) dnl
gen_require(`
type afs_fs_client_packet_t;
')
allow $1 afs_fs_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_afs_fs_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send afs_fs_client packets.
##
## Emits a dontaudit rule, not an allow: sending packets labelled
## afs_fs_client_packet_t stays denied, only the AVC denial record is
## suppressed. That also hides the event from audit-based detection,
## so use it only for known-benign noise and disable dontaudit rules
## (semodule -DB) when troubleshooting.
##
## Parameter 1 (domain): Domain to not audit.
##
#
define(`corenet_dontaudit_send_afs_fs_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_afs_fs_client_packets'($*)) dnl
gen_require(`
type afs_fs_client_packet_t;
')
dontaudit $1 afs_fs_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_afs_fs_client_packets'($*)) dnl
')
########################################
##
## Receive afs_fs_client packets.
##
## Grants packet recv on afs_fs_client_packet_t to the given domain.
## Only traffic already labelled afs_fs_client_packet_t (normally by
## SECMARK netfilter rules) is matched; without such labelling the rule
## neither permits nor restricts anything.
##
## Parameter 1 (domain): Domain allowed access.
##
#
define(`corenet_receive_afs_fs_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_afs_fs_client_packets'($*)) dnl
gen_require(`
type afs_fs_client_packet_t;
')
allow $1 afs_fs_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_afs_fs_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive afs_fs_client packets.
##
## Suppresses the AVC denial for packet recv on
## afs_fs_client_packet_t; the access itself stays denied. The
## parameter is the domain being silenced, not one being granted
## access. Silenced denials are invisible to audit-based monitoring,
## so keep this to known-benign noise.
##
## Parameter 1 (domain): Domain to not audit.
##
#
define(`corenet_dontaudit_receive_afs_fs_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_afs_fs_client_packets'($*)) dnl
gen_require(`
type afs_fs_client_packet_t;
')
dontaudit $1 afs_fs_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_afs_fs_client_packets'($*)) dnl
')
########################################
##
## Send and receive afs_fs_client packets.
##
## Convenience wrapper that expands to the send and receive
## interfaces for afs_fs_client_packet_t, granting packet { send recv }
## to the given domain. Prefer the single-direction interface when a
## domain only needs one direction (least privilege).
##
## Parameter 1 (domain): Domain allowed access.
##
#
define(`corenet_sendrecv_afs_fs_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_afs_fs_client_packets'($*)) dnl
corenet_send_afs_fs_client_packets($1)
corenet_receive_afs_fs_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_afs_fs_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive afs_fs_client packets.
##
## Convenience wrapper that expands to the send and receive dontaudit
## interfaces for afs_fs_client_packet_t. Nothing is granted; both
## denials simply stop being logged, which also hides them from
## audit-based monitoring.
##
## Parameter 1 (domain): Domain to not audit.
##
#
define(`corenet_dontaudit_sendrecv_afs_fs_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_afs_fs_client_packets'($*)) dnl
corenet_dontaudit_send_afs_fs_client_packets($1)
corenet_dontaudit_receive_afs_fs_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_afs_fs_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the afs_fs_client packet type.
##
## Grants packet relabelto on afs_fs_client_packet_t. This is the
## permission checked when a SECMARK rule assigning that type is
## installed, so it belongs with the firewall-management domain; an
## AFS client or server domain does not need it to send or receive.
##
## Parameter 1 (domain): Domain allowed access.
##
#
define(`corenet_relabelto_afs_fs_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_afs_fs_client_packets'($*)) dnl
gen_require(`
type afs_fs_client_packet_t;
')
allow $1 afs_fs_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_afs_fs_client_packets'($*)) dnl
')
########################################
##
## Send afs_fs_server packets.
##
## Grants packet send on afs_fs_server_packet_t to the given domain.
## The rule only matches traffic that has been labelled
## afs_fs_server_packet_t, which normally requires SECMARK netfilter
## rules; if nothing labels the traffic the rule is inert, so it is not
## a substitute for the port-level name_bind/name_connect controls.
##
## Parameter 1 (domain): Domain allowed access.
##
#
define(`corenet_send_afs_fs_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_afs_fs_server_packets'($*)) dnl
gen_require(`
type afs_fs_server_packet_t;
')
allow $1 afs_fs_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_afs_fs_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send afs_fs_server packets.
##
## Emits a dontaudit rule, not an allow: sending packets labelled
## afs_fs_server_packet_t stays denied, only the AVC denial record is
## suppressed. That also hides the event from audit-based detection,
## so use it only for known-benign noise and disable dontaudit rules
## (semodule -DB) when troubleshooting.
##
## Parameter 1 (domain): Domain to not audit.
##
#
define(`corenet_dontaudit_send_afs_fs_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_afs_fs_server_packets'($*)) dnl
gen_require(`
type afs_fs_server_packet_t;
')
dontaudit $1 afs_fs_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_afs_fs_server_packets'($*)) dnl
')
########################################
##
## Receive afs_fs_server packets.
##
## Grants packet recv on afs_fs_server_packet_t to the given domain.
## Only traffic already labelled afs_fs_server_packet_t (normally by
## SECMARK netfilter rules) is matched; without such labelling the rule
## neither permits nor restricts anything.
##
## Parameter 1 (domain): Domain allowed access.
##
#
define(`corenet_receive_afs_fs_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_afs_fs_server_packets'($*)) dnl
gen_require(`
type afs_fs_server_packet_t;
')
allow $1 afs_fs_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_afs_fs_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive afs_fs_server packets.
##
## Suppresses the AVC denial for packet recv on
## afs_fs_server_packet_t; the access itself stays denied. The
## parameter is the domain being silenced, not one being granted
## access. Silenced denials are invisible to audit-based monitoring,
## so keep this to known-benign noise.
##
## Parameter 1 (domain): Domain to not audit.
##
#
define(`corenet_dontaudit_receive_afs_fs_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_afs_fs_server_packets'($*)) dnl
gen_require(`
type afs_fs_server_packet_t;
')
dontaudit $1 afs_fs_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_afs_fs_server_packets'($*)) dnl
')
########################################
##
## Send and receive afs_fs_server packets.
##
## Convenience wrapper that expands to the send and receive
## interfaces for afs_fs_server_packet_t, granting packet { send recv }
## to the given domain. Prefer the single-direction interface when a
## domain only needs one direction (least privilege).
##
## Parameter 1 (domain): Domain allowed access.
##
#
define(`corenet_sendrecv_afs_fs_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_afs_fs_server_packets'($*)) dnl
corenet_send_afs_fs_server_packets($1)
corenet_receive_afs_fs_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_afs_fs_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive afs_fs_server packets.
##
## Convenience wrapper that expands to the send and receive dontaudit
## interfaces for afs_fs_server_packet_t. Nothing is granted; both
## denials simply stop being logged, which also hides them from
## audit-based monitoring.
##
## Parameter 1 (domain): Domain to not audit.
##
#
define(`corenet_dontaudit_sendrecv_afs_fs_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_afs_fs_server_packets'($*)) dnl
corenet_dontaudit_send_afs_fs_server_packets($1)
corenet_dontaudit_receive_afs_fs_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_afs_fs_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the afs_fs_server packet type.
##
## Grants packet relabelto on afs_fs_server_packet_t. This is the
## permission checked when a SECMARK rule assigning that type is
## installed, so it belongs with the firewall-management domain; an
## AFS client or server domain does not need it to send or receive.
##
## Parameter 1 (domain): Domain allowed access.
##
#
define(`corenet_relabelto_afs_fs_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_afs_fs_server_packets'($*)) dnl
gen_require(`
type afs_fs_server_packet_t;
')
allow $1 afs_fs_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_afs_fs_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the afs_ka port.
##
## Grants tcp_socket { send_msg recv_msg } on afs_ka_port_t.
## NOTE(review): per-port send_msg/recv_msg checks belong to the
## legacy compat_net controls, which current kernels do not enforce;
## on such kernels name_bind, name_connect and the SECMARK packet
## class are the effective port controls. Kept for compatibility;
## confirm against the target kernel before relying on this rule as
## a restriction.
##
## Parameter 1 (domain): Domain allowed access.
##
#
define(`corenet_tcp_sendrecv_afs_ka_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_afs_ka_port'($*)) dnl
gen_require(`
type afs_ka_port_t;
')
allow $1 afs_ka_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_afs_ka_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the afs_ka port.
##
## Grants udp_socket send_msg on afs_ka_port_t.
## NOTE(review): per-port send_msg/recv_msg checks are part of the
## legacy compat_net controls, which current kernels do not enforce;
## on such kernels name_bind and the SECMARK packet class are the
## effective controls for UDP. Kept for compatibility; confirm against
## the target kernel before relying on this rule as a restriction.
##
## Parameter 1 (domain): Domain allowed access.
##
#
define(`corenet_udp_send_afs_ka_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_afs_ka_port'($*)) dnl
gen_require(`
type afs_ka_port_t;
')
allow $1 afs_ka_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_afs_ka_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the afs_ka port.
##
## Suppresses the AVC denial for udp_socket send_msg on afs_ka_port_t
## without granting it. NOTE(review): this per-port check is a legacy
## compat_net control that current kernels do not evaluate, so on them
## the rule has no observable effect; it is kept for compatibility.
##
## Parameter 1 (domain): Domain to not audit.
##
#
define(`corenet_dontaudit_udp_send_afs_ka_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_afs_ka_port'($*)) dnl
gen_require(`
type afs_ka_port_t;
')
dontaudit $1 afs_ka_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_afs_ka_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the afs_ka port.
##
## Grants udp_socket recv_msg on afs_ka_port_t.
## NOTE(review): per-port send_msg/recv_msg checks are part of the
## legacy compat_net controls, which current kernels do not enforce;
## on such kernels name_bind and the SECMARK packet class are the
## effective controls for UDP. Kept for compatibility; confirm against
## the target kernel before relying on this rule as a restriction.
##
## Parameter 1 (domain): Domain allowed access.
##
#
define(`corenet_udp_receive_afs_ka_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_afs_ka_port'($*)) dnl
gen_require(`
type afs_ka_port_t;
')
allow $1 afs_ka_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_afs_ka_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the afs_ka port.
##
## Suppresses the AVC denial for udp_socket recv_msg on afs_ka_port_t
## without granting it. NOTE(review): this per-port check is a legacy
## compat_net control that current kernels do not evaluate, so on them
## the rule has no observable effect; it is kept for compatibility.
##
## Parameter 1 (domain): Domain to not audit.
##
#
define(`corenet_dontaudit_udp_receive_afs_ka_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_afs_ka_port'($*)) dnl
gen_require(`
type afs_ka_port_t;
')
dontaudit $1 afs_ka_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_afs_ka_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the afs_ka port.
##
## Convenience wrapper that expands to the UDP send and receive
## interfaces for afs_ka_port_t, i.e. udp_socket { send_msg recv_msg }.
## NOTE(review): these per-port checks are legacy compat_net controls
## that current kernels do not enforce; confirm against the target
## kernel before treating them as a restriction.
##
## Parameter 1 (domain): Domain allowed access.
##
#
define(`corenet_udp_sendrecv_afs_ka_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_afs_ka_port'($*)) dnl
corenet_udp_send_afs_ka_port($1)
corenet_udp_receive_afs_ka_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_afs_ka_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the afs_ka port.
##
## Convenience wrapper that expands to the UDP send and receive
## dontaudit interfaces for afs_ka_port_t. Nothing is granted; the
## denials stop being logged. NOTE(review): the underlying per-port
## checks are legacy compat_net controls that current kernels do not
## evaluate, so on them this has no observable effect.
##
## Parameter 1 (domain): Domain to not audit.
##
#
define(`corenet_dontaudit_udp_sendrecv_afs_ka_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_afs_ka_port'($*)) dnl
corenet_dontaudit_udp_send_afs_ka_port($1)
corenet_dontaudit_udp_receive_afs_ka_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_afs_ka_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the afs_ka port.
##
## Grants tcp_socket name_bind on afs_ka_port_t, letting the given
## domain bind a socket to a port labelled afs_ka_port_t. This is the
## server-side privilege: whoever holds it can listen in place of the
## service on that port, so restrict it to the daemon that actually
## serves it rather than to client domains.
##
## Parameter 1 (domain): Domain allowed access.
##
#
define(`corenet_tcp_bind_afs_ka_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_afs_ka_port'($*)) dnl
gen_require(`
type afs_ka_port_t;
')
allow $1 afs_ka_port_t:tcp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_afs_ka_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the afs_ka port.
##
## Grants udp_socket name_bind on afs_ka_port_t, letting the given
## domain bind a UDP socket to a port labelled afs_ka_port_t. As with
## the TCP variant this is a server-side privilege that lets the
## holder receive in place of the service on that port, so keep it
## off client domains.
##
## Parameter 1 (domain): Domain allowed access.
##
#
define(`corenet_udp_bind_afs_ka_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_afs_ka_port'($*)) dnl
gen_require(`
type afs_ka_port_t;
')
allow $1 afs_ka_port_t:udp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_afs_ka_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the afs_ka port.
##
## Grants tcp_socket name_connect on afs_ka_port_t: the client-side
## check performed when the given domain connects to a port labelled
## afs_ka_port_t. The domain still needs the ordinary tcp_socket
## permissions on its own sockets, which this interface does not
## provide.
##
## Parameter 1 (domain): Domain allowed access.
##
#
define(`corenet_tcp_connect_afs_ka_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_afs_ka_port'($*)) dnl
gen_require(`
type afs_ka_port_t;
')
allow $1 afs_ka_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_afs_ka_port'($*)) dnl
')
########################################
##
## Send afs_ka_client packets.
##
## Grants packet send on afs_ka_client_packet_t to the given domain.
## The rule only matches traffic that has been labelled
## afs_ka_client_packet_t, which normally requires SECMARK netfilter
## rules; if nothing labels the traffic the rule is inert, so it is not
## a substitute for the port-level name_bind/name_connect controls.
##
## Parameter 1 (domain): Domain allowed access.
##
#
define(`corenet_send_afs_ka_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_afs_ka_client_packets'($*)) dnl
gen_require(`
type afs_ka_client_packet_t;
')
allow $1 afs_ka_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_afs_ka_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send afs_ka_client packets.
##
## Emits a dontaudit rule, not an allow: sending packets labelled
## afs_ka_client_packet_t stays denied, only the AVC denial record is
## suppressed. That also hides the event from audit-based detection,
## so use it only for known-benign noise and disable dontaudit rules
## (semodule -DB) when troubleshooting.
##
## Parameter 1 (domain): Domain to not audit.
##
#
define(`corenet_dontaudit_send_afs_ka_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_afs_ka_client_packets'($*)) dnl
gen_require(`
type afs_ka_client_packet_t;
')
dontaudit $1 afs_ka_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_afs_ka_client_packets'($*)) dnl
')
########################################
##
## Receive afs_ka_client packets.
##
## Grants packet recv on afs_ka_client_packet_t to the given domain.
## Only traffic already labelled afs_ka_client_packet_t (normally by
## SECMARK netfilter rules) is matched; without such labelling the rule
## neither permits nor restricts anything.
##
## Parameter 1 (domain): Domain allowed access.
##
#
define(`corenet_receive_afs_ka_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_afs_ka_client_packets'($*)) dnl
gen_require(`
type afs_ka_client_packet_t;
')
allow $1 afs_ka_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_afs_ka_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive afs_ka_client packets.
##
## Suppresses the AVC denial for packet recv on
## afs_ka_client_packet_t; the access itself stays denied. The
## parameter is the domain being silenced, not one being granted
## access. Silenced denials are invisible to audit-based monitoring,
## so keep this to known-benign noise.
##
## Parameter 1 (domain): Domain to not audit.
##
#
define(`corenet_dontaudit_receive_afs_ka_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_afs_ka_client_packets'($*)) dnl
gen_require(`
type afs_ka_client_packet_t;
')
dontaudit $1 afs_ka_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_afs_ka_client_packets'($*)) dnl
')
########################################
##
## Send and receive afs_ka_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_afs_ka_client_packets',` dnl
dnl corenet_sendrecv_afs_ka_client_packets(domain)
dnl Convenience wrapper: expands the send and the receive interface for
dnl afs_ka_client_packet_t on the domain in argument 1. It adds no rules of
dnl its own; the permissions come from the two callee interfaces.
dnl The define/pushdef/undefine lines track policy_call_depth and the
dnl policy_m4_comment calls bracket the expansion with begin and end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_afs_ka_client_packets'($*)) dnl
corenet_send_afs_ka_client_packets($1)
corenet_receive_afs_ka_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_afs_ka_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive afs_ka_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_afs_ka_client_packets',` dnl
dnl corenet_dontaudit_sendrecv_afs_ka_client_packets(domain)
dnl Convenience wrapper: expands both dontaudit interfaces (send and receive)
dnl for afs_ka_client_packet_t on the domain in argument 1. Grants nothing;
dnl it only silences the corresponding AVC denial records.
dnl The define/pushdef/undefine lines track policy_call_depth and the
dnl policy_m4_comment calls bracket the expansion with begin and end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_afs_ka_client_packets'($*)) dnl
corenet_dontaudit_send_afs_ka_client_packets($1)
corenet_dontaudit_receive_afs_ka_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_afs_ka_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the afs_ka_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_afs_ka_client_packets',` dnl
dnl corenet_relabelto_afs_ka_client_packets(domain)
dnl Grants the domain in argument 1 the packet relabelto permission on
dnl afs_ka_client_packet_t, i.e. it may assign that label to packets.
dnl gen_require declares the type for loadable-module builds; the
dnl define/pushdef/undefine lines track policy_call_depth and the
dnl policy_m4_comment calls bracket the expansion with begin and end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_afs_ka_client_packets'($*)) dnl
gen_require(`
type afs_ka_client_packet_t;
')
allow $1 afs_ka_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_afs_ka_client_packets'($*)) dnl
')
########################################
##
## Send afs_ka_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_afs_ka_server_packets',` dnl
dnl corenet_send_afs_ka_server_packets(domain)
dnl Grants the domain in argument 1 the packet send permission on
dnl afs_ka_server_packet_t.
dnl gen_require declares the type for loadable-module builds; the
dnl define/pushdef/undefine lines track policy_call_depth and the
dnl policy_m4_comment calls bracket the expansion with begin and end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_afs_ka_server_packets'($*)) dnl
gen_require(`
type afs_ka_server_packet_t;
')
allow $1 afs_ka_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_afs_ka_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send afs_ka_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_afs_ka_server_packets',` dnl
dnl corenet_dontaudit_send_afs_ka_server_packets(domain)
dnl Suppresses AVC denial records when the domain in argument 1 attempts to
dnl send packets labeled afs_ka_server_packet_t. This grants nothing: the
dnl access is still denied, only the log entry is dropped, so keep its use
dnl narrow because silenced denials are invisible to audit-based monitoring.
dnl gen_require declares the type for loadable-module builds; the
dnl define/pushdef/undefine lines track policy_call_depth and the
dnl policy_m4_comment calls bracket the expansion with begin and end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_afs_ka_server_packets'($*)) dnl
gen_require(`
type afs_ka_server_packet_t;
')
dontaudit $1 afs_ka_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_afs_ka_server_packets'($*)) dnl
')
########################################
##
## Receive afs_ka_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_afs_ka_server_packets',` dnl
dnl corenet_receive_afs_ka_server_packets(domain)
dnl Grants the domain in argument 1 the packet recv permission on
dnl afs_ka_server_packet_t.
dnl gen_require declares the type for loadable-module builds; the
dnl define/pushdef/undefine lines track policy_call_depth and the
dnl policy_m4_comment calls bracket the expansion with begin and end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_afs_ka_server_packets'($*)) dnl
gen_require(`
type afs_ka_server_packet_t;
')
allow $1 afs_ka_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_afs_ka_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive afs_ka_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_afs_ka_server_packets',` dnl
dnl corenet_dontaudit_receive_afs_ka_server_packets(domain)
dnl Suppresses AVC denial records when the domain in argument 1 attempts to
dnl receive packets labeled afs_ka_server_packet_t. This grants nothing: the
dnl access is still denied, only the log entry is dropped, so keep its use
dnl narrow because silenced denials are invisible to audit-based monitoring.
dnl gen_require declares the type for loadable-module builds; the
dnl define/pushdef/undefine lines track policy_call_depth and the
dnl policy_m4_comment calls bracket the expansion with begin and end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_afs_ka_server_packets'($*)) dnl
gen_require(`
type afs_ka_server_packet_t;
')
dontaudit $1 afs_ka_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_afs_ka_server_packets'($*)) dnl
')
########################################
##
## Send and receive afs_ka_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_afs_ka_server_packets',` dnl
dnl corenet_sendrecv_afs_ka_server_packets(domain)
dnl Convenience wrapper: expands the send and the receive interface for
dnl afs_ka_server_packet_t on the domain in argument 1. It adds no rules of
dnl its own; the permissions come from the two callee interfaces.
dnl The define/pushdef/undefine lines track policy_call_depth and the
dnl policy_m4_comment calls bracket the expansion with begin and end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_afs_ka_server_packets'($*)) dnl
corenet_send_afs_ka_server_packets($1)
corenet_receive_afs_ka_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_afs_ka_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive afs_ka_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_afs_ka_server_packets',` dnl
dnl corenet_dontaudit_sendrecv_afs_ka_server_packets(domain)
dnl Convenience wrapper: expands both dontaudit interfaces (send and receive)
dnl for afs_ka_server_packet_t on the domain in argument 1. Grants nothing;
dnl it only silences the corresponding AVC denial records.
dnl The define/pushdef/undefine lines track policy_call_depth and the
dnl policy_m4_comment calls bracket the expansion with begin and end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_afs_ka_server_packets'($*)) dnl
corenet_dontaudit_send_afs_ka_server_packets($1)
corenet_dontaudit_receive_afs_ka_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_afs_ka_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the afs_ka_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_afs_ka_server_packets',` dnl
dnl corenet_relabelto_afs_ka_server_packets(domain)
dnl Grants the domain in argument 1 the packet relabelto permission on
dnl afs_ka_server_packet_t, i.e. it may assign that label to packets.
dnl gen_require declares the type for loadable-module builds; the
dnl define/pushdef/undefine lines track policy_call_depth and the
dnl policy_m4_comment calls bracket the expansion with begin and end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_afs_ka_server_packets'($*)) dnl
gen_require(`
type afs_ka_server_packet_t;
')
allow $1 afs_ka_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_afs_ka_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the afs_pt port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_afs_pt_port',` dnl
dnl corenet_tcp_sendrecv_afs_pt_port(domain)
dnl Grants the domain in argument 1 tcp_socket send_msg and recv_msg on
dnl afs_pt_port_t, the afs_pt port label. This covers traffic on the port;
dnl binding or connecting to it is granted by separate interfaces.
dnl gen_require declares the port type for loadable-module builds; the
dnl define/pushdef/undefine lines track policy_call_depth and the
dnl policy_m4_comment calls bracket the expansion with begin and end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_afs_pt_port'($*)) dnl
gen_require(`
type afs_pt_port_t;
')
allow $1 afs_pt_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_afs_pt_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the afs_pt port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_afs_pt_port',` dnl
dnl corenet_udp_send_afs_pt_port(domain)
dnl Grants the domain in argument 1 udp_socket send_msg on afs_pt_port_t,
dnl the afs_pt port label.
dnl gen_require declares the port type for loadable-module builds; the
dnl define/pushdef/undefine lines track policy_call_depth and the
dnl policy_m4_comment calls bracket the expansion with begin and end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_afs_pt_port'($*)) dnl
gen_require(`
type afs_pt_port_t;
')
allow $1 afs_pt_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_afs_pt_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the afs_pt port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_afs_pt_port',` dnl
dnl corenet_dontaudit_udp_send_afs_pt_port(domain)
dnl Suppresses AVC denial records when the domain in argument 1 attempts
dnl udp_socket send_msg on afs_pt_port_t. This grants nothing: the access is
dnl still denied, only the log entry is dropped, so keep its use narrow
dnl because silenced denials are invisible to audit-based monitoring.
dnl gen_require declares the port type for loadable-module builds; the
dnl define/pushdef/undefine lines track policy_call_depth and the
dnl policy_m4_comment calls bracket the expansion with begin and end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_afs_pt_port'($*)) dnl
gen_require(`
type afs_pt_port_t;
')
dontaudit $1 afs_pt_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_afs_pt_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the afs_pt port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_afs_pt_port',` dnl
dnl corenet_udp_receive_afs_pt_port(domain)
dnl Grants the domain in argument 1 udp_socket recv_msg on afs_pt_port_t,
dnl the afs_pt port label.
dnl gen_require declares the port type for loadable-module builds; the
dnl define/pushdef/undefine lines track policy_call_depth and the
dnl policy_m4_comment calls bracket the expansion with begin and end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_afs_pt_port'($*)) dnl
gen_require(`
type afs_pt_port_t;
')
allow $1 afs_pt_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_afs_pt_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the afs_pt port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_afs_pt_port',` dnl
dnl corenet_dontaudit_udp_receive_afs_pt_port(domain)
dnl Suppresses AVC denial records when the domain in argument 1 attempts
dnl udp_socket recv_msg on afs_pt_port_t. This grants nothing: the access is
dnl still denied, only the log entry is dropped, so keep its use narrow
dnl because silenced denials are invisible to audit-based monitoring.
dnl gen_require declares the port type for loadable-module builds; the
dnl define/pushdef/undefine lines track policy_call_depth and the
dnl policy_m4_comment calls bracket the expansion with begin and end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_afs_pt_port'($*)) dnl
gen_require(`
type afs_pt_port_t;
')
dontaudit $1 afs_pt_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_afs_pt_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the afs_pt port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_afs_pt_port',` dnl
dnl corenet_udp_sendrecv_afs_pt_port(domain)
dnl Convenience wrapper: expands the UDP send and the UDP receive interface
dnl for the afs_pt port on the domain in argument 1. It adds no rules of its
dnl own; the permissions come from the two callee interfaces.
dnl The define/pushdef/undefine lines track policy_call_depth and the
dnl policy_m4_comment calls bracket the expansion with begin and end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_afs_pt_port'($*)) dnl
corenet_udp_send_afs_pt_port($1)
corenet_udp_receive_afs_pt_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_afs_pt_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the afs_pt port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_afs_pt_port',` dnl
dnl corenet_dontaudit_udp_sendrecv_afs_pt_port(domain)
dnl Convenience wrapper: expands both UDP dontaudit interfaces (send and
dnl receive) for the afs_pt port on the domain in argument 1. Grants nothing;
dnl it only silences the corresponding AVC denial records.
dnl The define/pushdef/undefine lines track policy_call_depth and the
dnl policy_m4_comment calls bracket the expansion with begin and end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_afs_pt_port'($*)) dnl
corenet_dontaudit_udp_send_afs_pt_port($1)
corenet_dontaudit_udp_receive_afs_pt_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_afs_pt_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the afs_pt port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_afs_pt_port',` dnl
dnl corenet_tcp_bind_afs_pt_port(domain)
dnl Grants the domain in argument 1 tcp_socket name_bind on afs_pt_port_t,
dnl i.e. it may bind a TCP socket to a port carrying the afs_pt label.
dnl This is the listener-side permission; it does not by itself allow
dnl sending or receiving on the port.
dnl gen_require declares the port type for loadable-module builds; the
dnl define/pushdef/undefine lines track policy_call_depth and the
dnl policy_m4_comment calls bracket the expansion with begin and end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_afs_pt_port'($*)) dnl
gen_require(`
type afs_pt_port_t;
')
allow $1 afs_pt_port_t:tcp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_afs_pt_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the afs_pt port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_afs_pt_port',` dnl
dnl corenet_udp_bind_afs_pt_port(domain)
dnl Grants the domain in argument 1 udp_socket name_bind on afs_pt_port_t,
dnl i.e. it may bind a UDP socket to a port carrying the afs_pt label.
dnl It does not by itself allow sending or receiving on the port.
dnl gen_require declares the port type for loadable-module builds; the
dnl define/pushdef/undefine lines track policy_call_depth and the
dnl policy_m4_comment calls bracket the expansion with begin and end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_afs_pt_port'($*)) dnl
gen_require(`
type afs_pt_port_t;
')
allow $1 afs_pt_port_t:udp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_afs_pt_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the afs_pt port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_afs_pt_port',` dnl
dnl corenet_tcp_connect_afs_pt_port(domain)
dnl Grants the domain in argument 1 tcp_socket name_connect on afs_pt_port_t,
dnl i.e. it may initiate a TCP connection to a port carrying the afs_pt
dnl label. This is the client-side counterpart of the bind interface.
dnl gen_require declares the port type for loadable-module builds; the
dnl define/pushdef/undefine lines track policy_call_depth and the
dnl policy_m4_comment calls bracket the expansion with begin and end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_afs_pt_port'($*)) dnl
gen_require(`
type afs_pt_port_t;
')
allow $1 afs_pt_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_afs_pt_port'($*)) dnl
')
########################################
##
## Send afs_pt_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_afs_pt_client_packets',` dnl
dnl corenet_send_afs_pt_client_packets(domain)
dnl Grants the domain in argument 1 the packet send permission on
dnl afs_pt_client_packet_t.
dnl gen_require declares the type for loadable-module builds; the
dnl define/pushdef/undefine lines track policy_call_depth and the
dnl policy_m4_comment calls bracket the expansion with begin and end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_afs_pt_client_packets'($*)) dnl
gen_require(`
type afs_pt_client_packet_t;
')
allow $1 afs_pt_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_afs_pt_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send afs_pt_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_afs_pt_client_packets',` dnl
dnl corenet_dontaudit_send_afs_pt_client_packets(domain)
dnl Suppresses AVC denial records when the domain in argument 1 attempts to
dnl send packets labeled afs_pt_client_packet_t. This grants nothing: the
dnl access is still denied, only the log entry is dropped, so keep its use
dnl narrow because silenced denials are invisible to audit-based monitoring.
dnl gen_require declares the type for loadable-module builds; the
dnl define/pushdef/undefine lines track policy_call_depth and the
dnl policy_m4_comment calls bracket the expansion with begin and end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_afs_pt_client_packets'($*)) dnl
gen_require(`
type afs_pt_client_packet_t;
')
dontaudit $1 afs_pt_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_afs_pt_client_packets'($*)) dnl
')
########################################
##
## Receive afs_pt_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_afs_pt_client_packets',` dnl
dnl corenet_receive_afs_pt_client_packets(domain)
dnl Grants the domain in argument 1 the packet recv permission on
dnl afs_pt_client_packet_t.
dnl gen_require declares the type for loadable-module builds; the
dnl define/pushdef/undefine lines track policy_call_depth and the
dnl policy_m4_comment calls bracket the expansion with begin and end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_afs_pt_client_packets'($*)) dnl
gen_require(`
type afs_pt_client_packet_t;
')
allow $1 afs_pt_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_afs_pt_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive afs_pt_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_afs_pt_client_packets',` dnl
dnl corenet_dontaudit_receive_afs_pt_client_packets(domain)
dnl Suppresses AVC denial records when the domain in argument 1 attempts to
dnl receive packets labeled afs_pt_client_packet_t. This grants nothing: the
dnl access is still denied, only the log entry is dropped, so keep its use
dnl narrow because silenced denials are invisible to audit-based monitoring.
dnl gen_require declares the type for loadable-module builds; the
dnl define/pushdef/undefine lines track policy_call_depth and the
dnl policy_m4_comment calls bracket the expansion with begin and end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_afs_pt_client_packets'($*)) dnl
gen_require(`
type afs_pt_client_packet_t;
')
dontaudit $1 afs_pt_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_afs_pt_client_packets'($*)) dnl
')
########################################
##
## Send and receive afs_pt_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_afs_pt_client_packets',` dnl
dnl corenet_sendrecv_afs_pt_client_packets(domain)
dnl Convenience wrapper: expands the send and the receive interface for
dnl afs_pt_client_packet_t on the domain in argument 1. It adds no rules of
dnl its own; the permissions come from the two callee interfaces.
dnl The define/pushdef/undefine lines track policy_call_depth and the
dnl policy_m4_comment calls bracket the expansion with begin and end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_afs_pt_client_packets'($*)) dnl
corenet_send_afs_pt_client_packets($1)
corenet_receive_afs_pt_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_afs_pt_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive afs_pt_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_afs_pt_client_packets',` dnl
dnl corenet_dontaudit_sendrecv_afs_pt_client_packets(domain)
dnl Convenience wrapper: expands both dontaudit interfaces (send and receive)
dnl for afs_pt_client_packet_t on the domain in argument 1. Grants nothing;
dnl it only silences the corresponding AVC denial records.
dnl The define/pushdef/undefine lines track policy_call_depth and the
dnl policy_m4_comment calls bracket the expansion with begin and end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_afs_pt_client_packets'($*)) dnl
corenet_dontaudit_send_afs_pt_client_packets($1)
corenet_dontaudit_receive_afs_pt_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_afs_pt_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the afs_pt_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_afs_pt_client_packets',` dnl
dnl corenet_relabelto_afs_pt_client_packets(domain)
dnl Grants the domain in argument 1 the packet relabelto permission on
dnl afs_pt_client_packet_t, i.e. it may assign that label to packets.
dnl gen_require declares the type for loadable-module builds; the
dnl define/pushdef/undefine lines track policy_call_depth and the
dnl policy_m4_comment calls bracket the expansion with begin and end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_afs_pt_client_packets'($*)) dnl
gen_require(`
type afs_pt_client_packet_t;
')
allow $1 afs_pt_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_afs_pt_client_packets'($*)) dnl
')
########################################
##
## Send afs_pt_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_afs_pt_server_packets',` dnl
dnl corenet_send_afs_pt_server_packets(domain)
dnl Grants the domain in argument 1 the packet send permission on
dnl afs_pt_server_packet_t.
dnl gen_require declares the type for loadable-module builds; the
dnl define/pushdef/undefine lines track policy_call_depth and the
dnl policy_m4_comment calls bracket the expansion with begin and end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_afs_pt_server_packets'($*)) dnl
gen_require(`
type afs_pt_server_packet_t;
')
allow $1 afs_pt_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_afs_pt_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send afs_pt_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_afs_pt_server_packets',` dnl
dnl corenet_dontaudit_send_afs_pt_server_packets(domain)
dnl Suppresses AVC denial records when the domain in argument 1 attempts to
dnl send packets labeled afs_pt_server_packet_t. This grants nothing: the
dnl access is still denied, only the log entry is dropped, so keep its use
dnl narrow because silenced denials are invisible to audit-based monitoring.
dnl gen_require declares the type for loadable-module builds; the
dnl define/pushdef/undefine lines track policy_call_depth and the
dnl policy_m4_comment calls bracket the expansion with begin and end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_afs_pt_server_packets'($*)) dnl
gen_require(`
type afs_pt_server_packet_t;
')
dontaudit $1 afs_pt_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_afs_pt_server_packets'($*)) dnl
')
########################################
##
## Receive afs_pt_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_afs_pt_server_packets',` dnl
dnl corenet_receive_afs_pt_server_packets(domain)
dnl Grants the domain in argument 1 the packet recv permission on
dnl afs_pt_server_packet_t.
dnl gen_require declares the type for loadable-module builds; the
dnl define/pushdef/undefine lines track policy_call_depth and the
dnl policy_m4_comment calls bracket the expansion with begin and end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_afs_pt_server_packets'($*)) dnl
gen_require(`
type afs_pt_server_packet_t;
')
allow $1 afs_pt_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_afs_pt_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive afs_pt_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_afs_pt_server_packets',` dnl
dnl corenet_dontaudit_receive_afs_pt_server_packets(domain)
dnl Suppresses AVC denial records when the domain in argument 1 attempts to
dnl receive packets labeled afs_pt_server_packet_t. This grants nothing: the
dnl access is still denied, only the log entry is dropped, so keep its use
dnl narrow because silenced denials are invisible to audit-based monitoring.
dnl gen_require declares the type for loadable-module builds; the
dnl define/pushdef/undefine lines track policy_call_depth and the
dnl policy_m4_comment calls bracket the expansion with begin and end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_afs_pt_server_packets'($*)) dnl
gen_require(`
type afs_pt_server_packet_t;
')
dontaudit $1 afs_pt_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_afs_pt_server_packets'($*)) dnl
')
########################################
##
## Send and receive afs_pt_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_afs_pt_server_packets',` dnl
dnl corenet_sendrecv_afs_pt_server_packets(domain)
dnl Convenience wrapper: expands the send and the receive interface for
dnl afs_pt_server_packet_t on the domain in argument 1. It adds no rules of
dnl its own; the permissions come from the two callee interfaces.
dnl The define/pushdef/undefine lines track policy_call_depth and the
dnl policy_m4_comment calls bracket the expansion with begin and end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_afs_pt_server_packets'($*)) dnl
corenet_send_afs_pt_server_packets($1)
corenet_receive_afs_pt_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_afs_pt_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive afs_pt_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_afs_pt_server_packets',` dnl
dnl corenet_dontaudit_sendrecv_afs_pt_server_packets(domain)
dnl Convenience wrapper: expands both dontaudit interfaces (send and receive)
dnl for afs_pt_server_packet_t on the domain in argument 1. Grants nothing;
dnl it only silences the corresponding AVC denial records.
dnl The define/pushdef/undefine lines track policy_call_depth and the
dnl policy_m4_comment calls bracket the expansion with begin and end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_afs_pt_server_packets'($*)) dnl
corenet_dontaudit_send_afs_pt_server_packets($1)
corenet_dontaudit_receive_afs_pt_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_afs_pt_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the afs_pt_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_afs_pt_server_packets',` dnl
dnl corenet_relabelto_afs_pt_server_packets(domain)
dnl Grants the domain in argument 1 the packet relabelto permission on
dnl afs_pt_server_packet_t, i.e. it may assign that label to packets.
dnl gen_require declares the type for loadable-module builds; the
dnl define/pushdef/undefine lines track policy_call_depth and the
dnl policy_m4_comment calls bracket the expansion with begin and end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_afs_pt_server_packets'($*)) dnl
gen_require(`
type afs_pt_server_packet_t;
')
allow $1 afs_pt_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_afs_pt_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the afs_vl port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_afs_vl_port',` dnl
dnl corenet_tcp_sendrecv_afs_vl_port(domain)
dnl Grants the domain in argument 1 tcp_socket send_msg and recv_msg on
dnl afs_vl_port_t, the afs_vl port label. This covers traffic on the port;
dnl binding or connecting to it is granted by separate interfaces.
dnl gen_require declares the port type for loadable-module builds; the
dnl define/pushdef/undefine lines track policy_call_depth and the
dnl policy_m4_comment calls bracket the expansion with begin and end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_afs_vl_port'($*)) dnl
gen_require(`
type afs_vl_port_t;
')
allow $1 afs_vl_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_afs_vl_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the afs_vl port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_afs_vl_port',` dnl
dnl corenet_udp_send_afs_vl_port(domain)
dnl Grants the domain in argument 1 udp_socket send_msg on afs_vl_port_t,
dnl the afs_vl port label.
dnl gen_require declares the port type for loadable-module builds; the
dnl define/pushdef/undefine lines track policy_call_depth and the
dnl policy_m4_comment calls bracket the expansion with begin and end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_afs_vl_port'($*)) dnl
gen_require(`
type afs_vl_port_t;
')
allow $1 afs_vl_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_afs_vl_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the afs_vl port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_afs_vl_port',` dnl
dnl corenet_dontaudit_udp_send_afs_vl_port(domain)
dnl Suppresses AVC denial records when the domain in argument 1 attempts
dnl udp_socket send_msg on afs_vl_port_t. This grants nothing: the access is
dnl still denied, only the log entry is dropped, so keep its use narrow
dnl because silenced denials are invisible to audit-based monitoring.
dnl gen_require declares the port type for loadable-module builds; the
dnl define/pushdef/undefine lines track policy_call_depth and the
dnl policy_m4_comment calls bracket the expansion with begin and end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_afs_vl_port'($*)) dnl
gen_require(`
type afs_vl_port_t;
')
dontaudit $1 afs_vl_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_afs_vl_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the afs_vl port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_afs_vl_port',` dnl
dnl corenet_udp_receive_afs_vl_port(domain)
dnl Grants the domain in argument 1 udp_socket recv_msg on afs_vl_port_t,
dnl the afs_vl port label.
dnl gen_require declares the port type for loadable-module builds; the
dnl define/pushdef/undefine lines track policy_call_depth and the
dnl policy_m4_comment calls bracket the expansion with begin and end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_afs_vl_port'($*)) dnl
gen_require(`
type afs_vl_port_t;
')
allow $1 afs_vl_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_afs_vl_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the afs_vl port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_afs_vl_port',` dnl
dnl corenet_dontaudit_udp_receive_afs_vl_port(domain)
dnl Suppresses AVC denial records when the domain in argument 1 attempts
dnl udp_socket recv_msg on afs_vl_port_t. This grants nothing: the access is
dnl still denied, only the log entry is dropped, so keep its use narrow
dnl because silenced denials are invisible to audit-based monitoring.
dnl gen_require declares the port type for loadable-module builds; the
dnl define/pushdef/undefine lines track policy_call_depth and the
dnl policy_m4_comment calls bracket the expansion with begin and end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_afs_vl_port'($*)) dnl
gen_require(`
type afs_vl_port_t;
')
dontaudit $1 afs_vl_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_afs_vl_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the afs_vl port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_afs_vl_port',` dnl
dnl corenet_udp_sendrecv_afs_vl_port(domain)
dnl Convenience wrapper: expands the UDP send and the UDP receive interface
dnl for the afs_vl port on the domain in argument 1. It adds no rules of its
dnl own; the permissions come from the two callee interfaces.
dnl The define/pushdef/undefine lines track policy_call_depth and the
dnl policy_m4_comment calls bracket the expansion with begin and end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_afs_vl_port'($*)) dnl
corenet_udp_send_afs_vl_port($1)
corenet_udp_receive_afs_vl_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_afs_vl_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the afs_vl port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_afs_vl_port',` dnl
dnl corenet_dontaudit_udp_sendrecv_afs_vl_port(domain)
dnl Convenience wrapper: expands both UDP dontaudit interfaces (send and
dnl receive) for the afs_vl port on the domain in argument 1. Grants nothing;
dnl it only silences the corresponding AVC denial records.
dnl The define/pushdef/undefine lines track policy_call_depth and the
dnl policy_m4_comment calls bracket the expansion with begin and end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_afs_vl_port'($*)) dnl
corenet_dontaudit_udp_send_afs_vl_port($1)
corenet_dontaudit_udp_receive_afs_vl_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_afs_vl_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the afs_vl port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_afs_vl_port',` dnl
dnl corenet_tcp_bind_afs_vl_port(domain)
dnl Grants the domain in argument 1 tcp_socket name_bind on afs_vl_port_t,
dnl i.e. it may bind a TCP socket to a port carrying the afs_vl label.
dnl This is the listener-side permission; it does not by itself allow
dnl sending or receiving on the port.
dnl gen_require declares the port type for loadable-module builds; the
dnl define/pushdef/undefine lines track policy_call_depth and the
dnl policy_m4_comment calls bracket the expansion with begin and end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_afs_vl_port'($*)) dnl
gen_require(`
type afs_vl_port_t;
')
allow $1 afs_vl_port_t:tcp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_afs_vl_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the afs_vl port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_afs_vl_port',` dnl
dnl corenet_udp_bind_afs_vl_port(domain)
dnl Grants the domain in argument 1 udp_socket name_bind on afs_vl_port_t,
dnl i.e. it may bind a UDP socket to a port carrying the afs_vl label.
dnl It does not by itself allow sending or receiving on the port.
dnl gen_require declares the port type for loadable-module builds; the
dnl define/pushdef/undefine lines track policy_call_depth and the
dnl policy_m4_comment calls bracket the expansion with begin and end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_afs_vl_port'($*)) dnl
gen_require(`
type afs_vl_port_t;
')
allow $1 afs_vl_port_t:udp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_afs_vl_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the afs_vl port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_afs_vl_port',` dnl
dnl corenet_tcp_connect_afs_vl_port(domain)
dnl Grants the domain in argument 1 tcp_socket name_connect on afs_vl_port_t,
dnl i.e. it may initiate a TCP connection to a port carrying the afs_vl
dnl label. This is the client-side counterpart of the bind interface.
dnl gen_require declares the port type for loadable-module builds; the
dnl define/pushdef/undefine lines track policy_call_depth and the
dnl policy_m4_comment calls bracket the expansion with begin and end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_afs_vl_port'($*)) dnl
gen_require(`
type afs_vl_port_t;
')
allow $1 afs_vl_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_afs_vl_port'($*)) dnl
')
########################################
##
## Send afs_vl_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_afs_vl_client_packets',` dnl
dnl corenet_send_afs_vl_client_packets(domain)
dnl Grants the domain in argument 1 the packet send permission on
dnl afs_vl_client_packet_t.
dnl gen_require declares the type for loadable-module builds; the
dnl define/pushdef/undefine lines track policy_call_depth and the
dnl policy_m4_comment calls bracket the expansion with begin and end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_afs_vl_client_packets'($*)) dnl
gen_require(`
type afs_vl_client_packet_t;
')
allow $1 afs_vl_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_afs_vl_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send afs_vl_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_afs_vl_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_afs_vl_client_packets'($*)) dnl
gen_require(`
type afs_vl_client_packet_t;
')
# Suppress audit records for denied sends of afs_vl_client packets. This does
# NOT allow the access; it only hides the denial. Hidden denials also hide
# probing, so use semodule -DB to surface them when investigating.
dontaudit $1 afs_vl_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_afs_vl_client_packets'($*)) dnl
')
########################################
##
## Receive afs_vl_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_afs_vl_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_afs_vl_client_packets'($*)) dnl
gen_require(`
type afs_vl_client_packet_t;
')
# Allow the caller to receive packets carrying the afs_vl_client packet label.
# NOTE(review): effective only when SECMARK rules label traffic with this
# type; otherwise the rule matches nothing - confirm the netfilter setup.
allow $1 afs_vl_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_afs_vl_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive afs_vl_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_afs_vl_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_afs_vl_client_packets'($*)) dnl
gen_require(`
type afs_vl_client_packet_t;
')
# Suppress audit records for denied receives of afs_vl_client packets. The
# access stays denied; only the log entry is dropped. Review periodically
# with semodule -DB so that unexpected inbound traffic is not masked.
dontaudit $1 afs_vl_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_afs_vl_client_packets'($*)) dnl
')
########################################
##
## Send and receive afs_vl_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_afs_vl_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_afs_vl_client_packets'($*)) dnl
# Convenience wrapper granting both directions for afs_vl_client packets by
# calling the two single-direction interfaces; each carries its own
# gen_require, so nothing extra is required here.
corenet_send_afs_vl_client_packets($1)
corenet_receive_afs_vl_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_afs_vl_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive afs_vl_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_afs_vl_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_afs_vl_client_packets'($*)) dnl
# Wrapper that silences denials in both directions for afs_vl_client packets.
# Grants nothing; it only combines the two single-direction dontaudit
# interfaces.
corenet_dontaudit_send_afs_vl_client_packets($1)
corenet_dontaudit_receive_afs_vl_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_afs_vl_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the afs_vl_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_afs_vl_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_afs_vl_client_packets'($*)) dnl
gen_require(`
type afs_vl_client_packet_t;
')
# Allow the caller to assign the afs_vl_client label to packets, i.e. to act
# as the SECMARK labeller for this type. This is a privileged role: whoever
# holds it decides which traffic the afs_vl_client packet rules apply to, so
# it is normally reserved for the firewall management domain.
allow $1 afs_vl_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_afs_vl_client_packets'($*)) dnl
')
########################################
##
## Send afs_vl_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_afs_vl_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_afs_vl_server_packets'($*)) dnl
gen_require(`
type afs_vl_server_packet_t;
')
# Allow the caller to send packets carrying the afs_vl_server packet label.
# NOTE(review): only effective once SECMARK rules assign this type to
# traffic; with no labelling rules the grant is inert - confirm the setup.
allow $1 afs_vl_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_afs_vl_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send afs_vl_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_afs_vl_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_afs_vl_server_packets'($*)) dnl
gen_require(`
type afs_vl_server_packet_t;
')
# Suppress audit records for denied sends of afs_vl_server packets. The
# access remains denied; only the log noise is removed. Surface hidden
# denials with semodule -DB when debugging or hunting.
dontaudit $1 afs_vl_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_afs_vl_server_packets'($*)) dnl
')
########################################
##
## Receive afs_vl_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_afs_vl_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_afs_vl_server_packets'($*)) dnl
gen_require(`
type afs_vl_server_packet_t;
')
# Allow the caller to receive packets carrying the afs_vl_server packet label.
# NOTE(review): depends on SECMARK labelling rules existing for this type;
# otherwise no packet ever matches - confirm the netfilter configuration.
allow $1 afs_vl_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_afs_vl_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive afs_vl_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_afs_vl_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_afs_vl_server_packets'($*)) dnl
gen_require(`
type afs_vl_server_packet_t;
')
# Suppress audit records for denied receives of afs_vl_server packets. Does
# not grant the access. Be aware this can mask unexpected inbound traffic;
# semodule -DB re-enables the records for review.
dontaudit $1 afs_vl_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_afs_vl_server_packets'($*)) dnl
')
########################################
##
## Send and receive afs_vl_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_afs_vl_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_afs_vl_server_packets'($*)) dnl
# Convenience wrapper: both directions for afs_vl_server packets, delegated
# to the two single-direction interfaces which carry their own gen_require.
corenet_send_afs_vl_server_packets($1)
corenet_receive_afs_vl_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_afs_vl_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive afs_vl_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_afs_vl_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_afs_vl_server_packets'($*)) dnl
# Wrapper silencing denials in both directions for afs_vl_server packets.
# Grants no access; it only combines the two dontaudit interfaces.
corenet_dontaudit_send_afs_vl_server_packets($1)
corenet_dontaudit_receive_afs_vl_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_afs_vl_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the afs_vl_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_afs_vl_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_afs_vl_server_packets'($*)) dnl
gen_require(`
type afs_vl_server_packet_t;
')
# Allow the caller to assign the afs_vl_server label to packets (SECMARK
# labeller role). A domain holding this controls which traffic the
# afs_vl_server packet rules apply to; normally only the firewall
# management domain should receive it.
allow $1 afs_vl_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_afs_vl_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the agentx port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_agentx_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_agentx_port'($*)) dnl
gen_require(`
type agentx_port_t;
')
# Per-port send and receive checks for TCP traffic on the agentx port.
# NOTE(review): the send_msg/recv_msg socket permissions belong to the
# legacy per-port network controls; under SECMARK based labelling the
# packet interfaces apply instead - confirm which mode the target kernel
# policy enables. This grants neither bind nor connect.
allow $1 agentx_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_agentx_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the agentx port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_agentx_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_agentx_port'($*)) dnl
gen_require(`
type agentx_port_t;
')
# Legacy per-port check: let the caller send UDP datagrams to the agentx
# port. NOTE(review): enforced only by the compatibility network controls;
# confirm against the target kernel policy before relying on it.
allow $1 agentx_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_agentx_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the agentx port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_agentx_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_agentx_port'($*)) dnl
gen_require(`
type agentx_port_t;
')
# Suppress audit records for denied UDP sends to the agentx port. Access is
# still denied; only the log entry is dropped. Hidden denials can be
# re-enabled for review with semodule -DB.
dontaudit $1 agentx_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_agentx_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the agentx port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_agentx_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_agentx_port'($*)) dnl
gen_require(`
type agentx_port_t;
')
# Legacy per-port check: let the caller receive UDP datagrams on the agentx
# port. NOTE(review): enforced only by the compatibility network controls;
# does not by itself permit binding the port.
allow $1 agentx_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_agentx_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the agentx port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_agentx_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_agentx_port'($*)) dnl
gen_require(`
type agentx_port_t;
')
# Suppress audit records for denied UDP receives on the agentx port. Grants
# nothing. Keep in mind this can hide unsolicited inbound traffic; use
# semodule -DB to see it again.
dontaudit $1 agentx_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_agentx_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the agentx port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_agentx_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_agentx_port'($*)) dnl
# Convenience wrapper: legacy send and receive checks for UDP on the agentx
# port, delegated to the two single-direction interfaces.
corenet_udp_send_agentx_port($1)
corenet_udp_receive_agentx_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_agentx_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the agentx port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_agentx_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_agentx_port'($*)) dnl
# Wrapper silencing denials for UDP send and receive on the agentx port.
# Grants no access; it only combines the two dontaudit interfaces.
corenet_dontaudit_udp_send_agentx_port($1)
corenet_dontaudit_udp_receive_agentx_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_agentx_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the agentx port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_agentx_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_agentx_port'($*)) dnl
gen_require(`
type agentx_port_t;
')
# Let the caller bind TCP sockets to the agentx port. Unlike the afs_vl and
# amanda bind interfaces in this file, this one also grants
# self:capability net_bind_service, presumably because the agentx port
# number is below 1024 (the assignment lives in corenetwork.te - confirm).
# NOTE(review): the capability is process-wide, not scoped to this port:
# a domain given this interface can also bind any other low port that its
# remaining name_bind rules permit. Grant it only to the real server.
allow $1 agentx_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_agentx_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the agentx port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_agentx_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_agentx_port'($*)) dnl
gen_require(`
type agentx_port_t;
')
# Let the caller bind UDP sockets to the agentx port. As with the TCP
# variant, and unlike the afs_vl and amanda bind interfaces in this file,
# self:capability net_bind_service is granted too, presumably because the
# port number is below 1024 (confirm in corenetwork.te).
# NOTE(review): net_bind_service is not limited to this port - it unlocks
# every low port the domain has a name_bind rule for. Keep the set of
# domains receiving this interface minimal.
allow $1 agentx_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_agentx_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the agentx port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_agentx_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_agentx_port'($*)) dnl
gen_require(`
type agentx_port_t;
')
# Client side only: let the caller open outbound TCP connections to the
# agentx port. No bind rights and no capability are granted here; this is
# the interface for SNMP subagents talking to a master, not for the master.
allow $1 agentx_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_agentx_port'($*)) dnl
')
########################################
##
## Send agentx_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_agentx_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_agentx_client_packets'($*)) dnl
gen_require(`
type agentx_client_packet_t;
')
# Allow the caller to send packets carrying the agentx_client packet label.
# NOTE(review): effective only when SECMARK rules assign this type to
# traffic; otherwise the rule is inert - confirm the netfilter setup.
allow $1 agentx_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_agentx_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send agentx_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_agentx_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_agentx_client_packets'($*)) dnl
gen_require(`
type agentx_client_packet_t;
')
# Suppress audit records for denied sends of agentx_client packets. The
# access stays denied; only logging is dropped. Hidden denials reappear
# with semodule -DB.
dontaudit $1 agentx_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_agentx_client_packets'($*)) dnl
')
########################################
##
## Receive agentx_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_agentx_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_agentx_client_packets'($*)) dnl
gen_require(`
type agentx_client_packet_t;
')
# Allow the caller to receive packets carrying the agentx_client packet
# label. NOTE(review): requires SECMARK labelling rules for this type to
# have any effect - confirm the netfilter configuration.
allow $1 agentx_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_agentx_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive agentx_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_agentx_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_agentx_client_packets'($*)) dnl
gen_require(`
type agentx_client_packet_t;
')
# Suppress audit records for denied receives of agentx_client packets.
# Grants nothing; it only hides the denial, which can also hide unexpected
# inbound traffic - use semodule -DB to review.
dontaudit $1 agentx_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_agentx_client_packets'($*)) dnl
')
########################################
##
## Send and receive agentx_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_agentx_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_agentx_client_packets'($*)) dnl
# Convenience wrapper: both directions for agentx_client packets, delegated
# to the two single-direction interfaces which carry their own gen_require.
corenet_send_agentx_client_packets($1)
corenet_receive_agentx_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_agentx_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive agentx_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_agentx_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_agentx_client_packets'($*)) dnl
# Wrapper silencing denials in both directions for agentx_client packets.
# Grants no access; it only combines the two dontaudit interfaces.
corenet_dontaudit_send_agentx_client_packets($1)
corenet_dontaudit_receive_agentx_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_agentx_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the agentx_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_agentx_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_agentx_client_packets'($*)) dnl
gen_require(`
type agentx_client_packet_t;
')
# Allow the caller to assign the agentx_client label to packets (SECMARK
# labeller role). This decides which traffic the agentx_client packet
# rules apply to, so it should be confined to the firewall management
# domain rather than handed to ordinary services.
allow $1 agentx_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_agentx_client_packets'($*)) dnl
')
########################################
##
## Send agentx_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_agentx_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_agentx_server_packets'($*)) dnl
gen_require(`
type agentx_server_packet_t;
')
# Allow the caller to send packets carrying the agentx_server packet label.
# NOTE(review): inert unless SECMARK rules label traffic with this type -
# confirm the netfilter setup on the target host.
allow $1 agentx_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_agentx_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send agentx_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_agentx_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_agentx_server_packets'($*)) dnl
gen_require(`
type agentx_server_packet_t;
')
# Suppress audit records for denied sends of agentx_server packets. Access
# remains denied; only the log entry is dropped. Re-enable with
# semodule -DB when investigating.
dontaudit $1 agentx_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_agentx_server_packets'($*)) dnl
')
########################################
##
## Receive agentx_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_agentx_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_agentx_server_packets'($*)) dnl
gen_require(`
type agentx_server_packet_t;
')
# Allow the caller to receive packets carrying the agentx_server packet
# label. NOTE(review): depends on SECMARK labelling rules for this type;
# without them nothing matches - confirm the netfilter configuration.
allow $1 agentx_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_agentx_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive agentx_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_agentx_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_agentx_server_packets'($*)) dnl
gen_require(`
type agentx_server_packet_t;
')
# Suppress audit records for denied receives of agentx_server packets.
# Grants nothing; it hides the denial and therefore also hides unexpected
# inbound traffic - use semodule -DB to surface it.
dontaudit $1 agentx_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_agentx_server_packets'($*)) dnl
')
########################################
##
## Send and receive agentx_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_agentx_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_agentx_server_packets'($*)) dnl
# Convenience wrapper: both directions for agentx_server packets, delegated
# to the two single-direction interfaces which carry their own gen_require.
corenet_send_agentx_server_packets($1)
corenet_receive_agentx_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_agentx_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive agentx_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_agentx_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_agentx_server_packets'($*)) dnl
# Wrapper silencing denials in both directions for agentx_server packets.
# Grants no access; it only combines the two dontaudit interfaces.
corenet_dontaudit_send_agentx_server_packets($1)
corenet_dontaudit_receive_agentx_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_agentx_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the agentx_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_agentx_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_agentx_server_packets'($*)) dnl
gen_require(`
type agentx_server_packet_t;
')
# Allow the caller to assign the agentx_server label to packets (SECMARK
# labeller role). The holder decides which traffic the agentx_server
# packet rules apply to; reserve it for the firewall management domain.
allow $1 agentx_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_agentx_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the amanda port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_amanda_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_amanda_port'($*)) dnl
gen_require(`
type amanda_port_t;
')
# Per-port send and receive checks for TCP traffic on the amanda port.
# NOTE(review): send_msg/recv_msg on a port type are legacy compatibility
# controls; under SECMARK labelling the packet interfaces apply instead -
# confirm which mode the target kernel policy uses. No bind or connect
# rights are granted here.
allow $1 amanda_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_amanda_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the amanda port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_amanda_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_amanda_port'($*)) dnl
gen_require(`
type amanda_port_t;
')
# Legacy per-port check: let the caller send UDP datagrams to the amanda
# port. NOTE(review): enforced only by the compatibility network controls;
# confirm against the target kernel policy before relying on it.
allow $1 amanda_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_amanda_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the amanda port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_amanda_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_amanda_port'($*)) dnl
gen_require(`
type amanda_port_t;
')
# Suppress audit records for denied UDP sends to the amanda port. Access is
# still denied; only the log entry is dropped. Hidden denials can be
# re-enabled for review with semodule -DB.
dontaudit $1 amanda_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_amanda_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the amanda port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_amanda_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_amanda_port'($*)) dnl
gen_require(`
type amanda_port_t;
')
# Legacy per-port check: let the caller receive UDP datagrams on the amanda
# port. NOTE(review): enforced only by the compatibility network controls;
# does not by itself permit binding the port.
allow $1 amanda_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_amanda_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the amanda port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_amanda_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_amanda_port'($*)) dnl
gen_require(`
type amanda_port_t;
')
# Suppress audit records for denied UDP receives on the amanda port. Grants
# nothing. This can hide unsolicited inbound traffic; semodule -DB makes
# the denials visible again.
dontaudit $1 amanda_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_amanda_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the amanda port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_amanda_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_amanda_port'($*)) dnl
# Convenience wrapper: legacy send and receive checks for UDP on the amanda
# port, delegated to the two single-direction interfaces.
corenet_udp_send_amanda_port($1)
corenet_udp_receive_amanda_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_amanda_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the amanda port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_amanda_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_amanda_port'($*)) dnl
# Wrapper silencing denials for UDP send and receive on the amanda port.
# Grants no access; it only combines the two dontaudit interfaces.
corenet_dontaudit_udp_send_amanda_port($1)
corenet_dontaudit_udp_receive_amanda_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_amanda_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the amanda port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_amanda_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_amanda_port'($*)) dnl
gen_require(`
type amanda_port_t;
')
# Let the caller bind TCP sockets to the amanda port (server side). Only
# name_bind is granted; unlike the agentx bind interfaces in this file no
# self:capability net_bind_service is added, so this is sufficient only
# for an unprivileged port number. NOTE(review): the amanda port
# assignment lives in corenetwork.te - confirm it is above 1023.
allow $1 amanda_port_t:tcp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_amanda_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the amanda port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_amanda_port',` dnl
dnl Interface: allow ARG1 (a domain type) to bind UDP sockets to the amanda port.
dnl Emits: allow ARG1 amanda_port_t:udp_socket name_bind
dnl gen_require pulls in the port type (a require block when built as a module).
dnl Remaining lines: generated call-depth bookkeeping and a begin/end marker
dnl via policy_m4_comment (defined outside this chunk); no access rules there.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_amanda_port'($*)) dnl
gen_require(`
type amanda_port_t;
')
allow $1 amanda_port_t:udp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_amanda_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the amanda port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_amanda_port',` dnl
dnl Interface: allow ARG1 (a domain type) to make TCP connections to the amanda
dnl port (client side only; binding is a separate interface).
dnl Emits: allow ARG1 amanda_port_t:tcp_socket name_connect
dnl gen_require pulls in the port type (a require block when built as a module).
dnl Remaining lines: generated call-depth bookkeeping and a begin/end marker
dnl via policy_m4_comment (defined outside this chunk); no access rules there.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_amanda_port'($*)) dnl
gen_require(`
type amanda_port_t;
')
allow $1 amanda_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_amanda_port'($*)) dnl
')
########################################
##
## Send amanda_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_amanda_client_packets',` dnl
dnl Interface: allow ARG1 (a domain type) to send packets labelled
dnl amanda_client_packet_t (packet class, send permission).
dnl Emits: allow ARG1 amanda_client_packet_t:packet send
dnl gen_require pulls in the packet type (a require block when built as a module).
dnl Remaining lines: generated call-depth bookkeeping and a begin/end marker
dnl via policy_m4_comment (defined outside this chunk); no access rules there.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_amanda_client_packets'($*)) dnl
gen_require(`
type amanda_client_packet_t;
')
allow $1 amanda_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_amanda_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send amanda_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_amanda_client_packets',` dnl
dnl Interface: do not audit ARG1 (a domain type) attempting to send
dnl amanda_client_packet_t packets.
dnl Emits: dontaudit ARG1 amanda_client_packet_t:packet send
dnl dontaudit grants nothing; it only suppresses the AVC denial record, so
dnl denied sends by ARG1 stop appearing in audit. Use for known-benign noise.
dnl Remaining lines: generated call-depth bookkeeping and begin/end marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_amanda_client_packets'($*)) dnl
gen_require(`
type amanda_client_packet_t;
')
dontaudit $1 amanda_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_amanda_client_packets'($*)) dnl
')
########################################
##
## Receive amanda_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_amanda_client_packets',` dnl
dnl Interface: allow ARG1 (a domain type) to receive packets labelled
dnl amanda_client_packet_t (packet class, recv permission).
dnl Emits: allow ARG1 amanda_client_packet_t:packet recv
dnl gen_require pulls in the packet type (a require block when built as a module).
dnl Remaining lines: generated call-depth bookkeeping and a begin/end marker
dnl via policy_m4_comment (defined outside this chunk); no access rules there.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_amanda_client_packets'($*)) dnl
gen_require(`
type amanda_client_packet_t;
')
allow $1 amanda_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_amanda_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive amanda_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_amanda_client_packets',` dnl
dnl Interface: do not audit ARG1 (a domain type) attempting to receive
dnl amanda_client_packet_t packets. ARG1 is the domain to not audit, not a
dnl domain being granted access.
dnl Emits: dontaudit ARG1 amanda_client_packet_t:packet recv
dnl dontaudit grants nothing; it only suppresses the AVC denial record, so
dnl denied receives by ARG1 stop appearing in audit. Use for known-benign noise.
dnl Remaining lines: generated call-depth bookkeeping and begin/end marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_amanda_client_packets'($*)) dnl
gen_require(`
type amanda_client_packet_t;
')
dontaudit $1 amanda_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_amanda_client_packets'($*)) dnl
')
########################################
##
## Send and receive amanda_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_amanda_client_packets',` dnl
dnl Interface: grant ARG1 (a domain type) both send and recv on
dnl amanda_client_packet_t. Convenience wrapper: it only calls the two
dnl single-direction interfaces above, which carry their own gen_require.
dnl Least privilege: callers needing one direction should use the narrower one.
dnl Remaining lines: generated call-depth bookkeeping and a begin/end marker
dnl via policy_m4_comment (defined outside this chunk); no access rules there.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_amanda_client_packets'($*)) dnl
corenet_send_amanda_client_packets($1)
corenet_receive_amanda_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_amanda_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive amanda_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_amanda_client_packets',` dnl
dnl Interface: silence audit for ARG1 (a domain type) sending or receiving
dnl amanda_client_packet_t packets. Wrapper over the two single-direction
dnl dontaudit interfaces above; no gen_require of its own.
dnl dontaudit grants nothing; it only hides the AVC denial record, so denied
dnl attempts by ARG1 stop appearing in audit. Use for known-benign noise only.
dnl Remaining lines: generated call-depth bookkeeping and begin/end marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_amanda_client_packets'($*)) dnl
corenet_dontaudit_send_amanda_client_packets($1)
corenet_dontaudit_receive_amanda_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_amanda_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the amanda_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_amanda_client_packets',` dnl
dnl Interface: allow ARG1 (a domain type) to relabel packets to
dnl amanda_client_packet_t (packet class, relabelto permission).
dnl Emits: allow ARG1 amanda_client_packet_t:packet relabelto
dnl The send/recv interfaces above are checked against this packet label, so
dnl relabelto is a broader privilege than send or recv: restrict it to the
dnl domain that is meant to label traffic.
dnl gen_require pulls in the packet type (a require block when built as a module).
dnl Remaining lines: generated call-depth bookkeeping and begin/end marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_amanda_client_packets'($*)) dnl
gen_require(`
type amanda_client_packet_t;
')
allow $1 amanda_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_amanda_client_packets'($*)) dnl
')
########################################
##
## Send amanda_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_amanda_server_packets',` dnl
dnl Interface: allow ARG1 (a domain type) to send packets labelled
dnl amanda_server_packet_t (packet class, send permission).
dnl Emits: allow ARG1 amanda_server_packet_t:packet send
dnl gen_require pulls in the packet type (a require block when built as a module).
dnl Remaining lines: generated call-depth bookkeeping and a begin/end marker
dnl via policy_m4_comment (defined outside this chunk); no access rules there.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_amanda_server_packets'($*)) dnl
gen_require(`
type amanda_server_packet_t;
')
allow $1 amanda_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_amanda_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send amanda_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_amanda_server_packets',` dnl
dnl Interface: do not audit ARG1 (a domain type) attempting to send
dnl amanda_server_packet_t packets.
dnl Emits: dontaudit ARG1 amanda_server_packet_t:packet send
dnl dontaudit grants nothing; it only suppresses the AVC denial record, so
dnl denied sends by ARG1 stop appearing in audit. Use for known-benign noise.
dnl Remaining lines: generated call-depth bookkeeping and begin/end marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_amanda_server_packets'($*)) dnl
gen_require(`
type amanda_server_packet_t;
')
dontaudit $1 amanda_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_amanda_server_packets'($*)) dnl
')
########################################
##
## Receive amanda_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_amanda_server_packets',` dnl
dnl Interface: allow ARG1 (a domain type) to receive packets labelled
dnl amanda_server_packet_t (packet class, recv permission).
dnl Emits: allow ARG1 amanda_server_packet_t:packet recv
dnl gen_require pulls in the packet type (a require block when built as a module).
dnl Remaining lines: generated call-depth bookkeeping and a begin/end marker
dnl via policy_m4_comment (defined outside this chunk); no access rules there.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_amanda_server_packets'($*)) dnl
gen_require(`
type amanda_server_packet_t;
')
allow $1 amanda_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_amanda_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive amanda_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_amanda_server_packets',` dnl
dnl Interface: do not audit ARG1 (a domain type) attempting to receive
dnl amanda_server_packet_t packets. ARG1 is the domain to not audit, not a
dnl domain being granted access.
dnl Emits: dontaudit ARG1 amanda_server_packet_t:packet recv
dnl dontaudit grants nothing; it only suppresses the AVC denial record, so
dnl denied receives by ARG1 stop appearing in audit. Use for known-benign noise.
dnl Remaining lines: generated call-depth bookkeeping and begin/end marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_amanda_server_packets'($*)) dnl
gen_require(`
type amanda_server_packet_t;
')
dontaudit $1 amanda_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_amanda_server_packets'($*)) dnl
')
########################################
##
## Send and receive amanda_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_amanda_server_packets',` dnl
dnl Interface: grant ARG1 (a domain type) both send and recv on
dnl amanda_server_packet_t. Convenience wrapper: it only calls the two
dnl single-direction interfaces above, which carry their own gen_require.
dnl Least privilege: callers needing one direction should use the narrower one.
dnl Remaining lines: generated call-depth bookkeeping and a begin/end marker
dnl via policy_m4_comment (defined outside this chunk); no access rules there.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_amanda_server_packets'($*)) dnl
corenet_send_amanda_server_packets($1)
corenet_receive_amanda_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_amanda_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive amanda_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_amanda_server_packets',` dnl
dnl Interface: silence audit for ARG1 (a domain type) sending or receiving
dnl amanda_server_packet_t packets. Wrapper over the two single-direction
dnl dontaudit interfaces above; no gen_require of its own.
dnl dontaudit grants nothing; it only hides the AVC denial record, so denied
dnl attempts by ARG1 stop appearing in audit. Use for known-benign noise only.
dnl Remaining lines: generated call-depth bookkeeping and begin/end marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_amanda_server_packets'($*)) dnl
corenet_dontaudit_send_amanda_server_packets($1)
corenet_dontaudit_receive_amanda_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_amanda_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the amanda_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_amanda_server_packets',` dnl
dnl Interface: allow ARG1 (a domain type) to relabel packets to
dnl amanda_server_packet_t (packet class, relabelto permission).
dnl Emits: allow ARG1 amanda_server_packet_t:packet relabelto
dnl The send/recv interfaces above are checked against this packet label, so
dnl relabelto is a broader privilege than send or recv: restrict it to the
dnl domain that is meant to label traffic.
dnl gen_require pulls in the packet type (a require block when built as a module).
dnl Remaining lines: generated call-depth bookkeeping and begin/end marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_amanda_server_packets'($*)) dnl
gen_require(`
type amanda_server_packet_t;
')
allow $1 amanda_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_amanda_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the amavisd_recv port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_amavisd_recv_port',` dnl
dnl Interface: allow ARG1 (a domain type) to send and receive TCP traffic on the
dnl amavisd_recv port (port-based send_msg/recv_msg check on tcp_socket).
dnl Emits: allow ARG1 amavisd_recv_port_t:tcp_socket { send_msg recv_msg }
dnl This grants both directions in one rule; bind and connect are separate
dnl interfaces below and are not implied by this one.
dnl gen_require pulls in the port type (a require block when built as a module).
dnl Remaining lines: generated call-depth bookkeeping and begin/end marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_amavisd_recv_port'($*)) dnl
gen_require(`
type amavisd_recv_port_t;
')
allow $1 amavisd_recv_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_amavisd_recv_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the amavisd_recv port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_amavisd_recv_port',` dnl
dnl Interface: allow ARG1 (a domain type) to send UDP traffic on the
dnl amavisd_recv port (send direction only).
dnl Emits: allow ARG1 amavisd_recv_port_t:udp_socket send_msg
dnl gen_require pulls in the port type (a require block when built as a module).
dnl Remaining lines: generated call-depth bookkeeping and a begin/end marker
dnl via policy_m4_comment (defined outside this chunk); no access rules there.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_amavisd_recv_port'($*)) dnl
gen_require(`
type amavisd_recv_port_t;
')
allow $1 amavisd_recv_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_amavisd_recv_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the amavisd_recv port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_amavisd_recv_port',` dnl
dnl Interface: do not audit ARG1 (a domain type) attempting to send UDP traffic
dnl on the amavisd_recv port.
dnl Emits: dontaudit ARG1 amavisd_recv_port_t:udp_socket send_msg
dnl dontaudit grants nothing; it only suppresses the AVC denial record, so
dnl denied sends by ARG1 stop appearing in audit. Use for known-benign noise.
dnl Remaining lines: generated call-depth bookkeeping and begin/end marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_amavisd_recv_port'($*)) dnl
gen_require(`
type amavisd_recv_port_t;
')
dontaudit $1 amavisd_recv_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_amavisd_recv_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the amavisd_recv port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_amavisd_recv_port',` dnl
dnl Interface: allow ARG1 (a domain type) to receive UDP traffic on the
dnl amavisd_recv port (receive direction only).
dnl Emits: allow ARG1 amavisd_recv_port_t:udp_socket recv_msg
dnl gen_require pulls in the port type (a require block when built as a module).
dnl Remaining lines: generated call-depth bookkeeping and a begin/end marker
dnl via policy_m4_comment (defined outside this chunk); no access rules there.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_amavisd_recv_port'($*)) dnl
gen_require(`
type amavisd_recv_port_t;
')
allow $1 amavisd_recv_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_amavisd_recv_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the amavisd_recv port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_amavisd_recv_port',` dnl
dnl Interface: do not audit ARG1 (a domain type) attempting to receive UDP
dnl traffic on the amavisd_recv port.
dnl Emits: dontaudit ARG1 amavisd_recv_port_t:udp_socket recv_msg
dnl dontaudit grants nothing; it only suppresses the AVC denial record, so
dnl denied receives by ARG1 stop appearing in audit. Use for known-benign noise.
dnl Remaining lines: generated call-depth bookkeeping and begin/end marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_amavisd_recv_port'($*)) dnl
gen_require(`
type amavisd_recv_port_t;
')
dontaudit $1 amavisd_recv_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_amavisd_recv_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the amavisd_recv port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_amavisd_recv_port',` dnl
dnl Interface: grant ARG1 (a domain type) both UDP directions on the
dnl amavisd_recv port. Convenience wrapper: it only calls the two
dnl single-direction interfaces above, which carry their own gen_require.
dnl Least privilege: callers needing one direction should use the narrower one.
dnl Remaining lines: generated call-depth bookkeeping and a begin/end marker
dnl via policy_m4_comment (defined outside this chunk); no access rules there.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_amavisd_recv_port'($*)) dnl
corenet_udp_send_amavisd_recv_port($1)
corenet_udp_receive_amavisd_recv_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_amavisd_recv_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the amavisd_recv port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_amavisd_recv_port',` dnl
dnl Interface: silence audit for ARG1 (a domain type) sending or receiving UDP
dnl on the amavisd_recv port. Wrapper over the two single-direction dontaudit
dnl interfaces above; no gen_require of its own.
dnl dontaudit grants nothing; it only hides the AVC denial record, so denied
dnl attempts by ARG1 stop appearing in audit. Use for known-benign noise only.
dnl Remaining lines: generated call-depth bookkeeping and begin/end marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_amavisd_recv_port'($*)) dnl
corenet_dontaudit_udp_send_amavisd_recv_port($1)
corenet_dontaudit_udp_receive_amavisd_recv_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_amavisd_recv_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the amavisd_recv port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_amavisd_recv_port',` dnl
dnl Interface: allow ARG1 (a domain type) to bind TCP sockets to the
dnl amavisd_recv port.
dnl Emits: allow ARG1 amavisd_recv_port_t:tcp_socket name_bind
dnl gen_require pulls in the port type (a require block when built as a module).
dnl Remaining lines: generated call-depth bookkeeping and a begin/end marker
dnl via policy_m4_comment (defined outside this chunk); no access rules there.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_amavisd_recv_port'($*)) dnl
gen_require(`
type amavisd_recv_port_t;
')
allow $1 amavisd_recv_port_t:tcp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_amavisd_recv_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the amavisd_recv port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_amavisd_recv_port',` dnl
dnl Interface: allow ARG1 (a domain type) to bind UDP sockets to the
dnl amavisd_recv port.
dnl Emits: allow ARG1 amavisd_recv_port_t:udp_socket name_bind
dnl gen_require pulls in the port type (a require block when built as a module).
dnl Remaining lines: generated call-depth bookkeeping and a begin/end marker
dnl via policy_m4_comment (defined outside this chunk); no access rules there.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_amavisd_recv_port'($*)) dnl
gen_require(`
type amavisd_recv_port_t;
')
allow $1 amavisd_recv_port_t:udp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_amavisd_recv_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the amavisd_recv port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_amavisd_recv_port',` dnl
dnl Interface: allow ARG1 (a domain type) to make TCP connections to the
dnl amavisd_recv port (client side only; binding is a separate interface).
dnl Emits: allow ARG1 amavisd_recv_port_t:tcp_socket name_connect
dnl gen_require pulls in the port type (a require block when built as a module).
dnl Remaining lines: generated call-depth bookkeeping and a begin/end marker
dnl via policy_m4_comment (defined outside this chunk); no access rules there.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_amavisd_recv_port'($*)) dnl
gen_require(`
type amavisd_recv_port_t;
')
allow $1 amavisd_recv_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_amavisd_recv_port'($*)) dnl
')
########################################
##
## Send amavisd_recv_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_amavisd_recv_client_packets',` dnl
dnl Interface: allow ARG1 (a domain type) to send packets labelled
dnl amavisd_recv_client_packet_t (packet class, send permission).
dnl Emits: allow ARG1 amavisd_recv_client_packet_t:packet send
dnl gen_require pulls in the packet type (a require block when built as a module).
dnl Remaining lines: generated call-depth bookkeeping and a begin/end marker
dnl via policy_m4_comment (defined outside this chunk); no access rules there.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_amavisd_recv_client_packets'($*)) dnl
gen_require(`
type amavisd_recv_client_packet_t;
')
allow $1 amavisd_recv_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_amavisd_recv_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send amavisd_recv_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_amavisd_recv_client_packets',` dnl
dnl Interface: do not audit ARG1 (a domain type) attempting to send
dnl amavisd_recv_client_packet_t packets.
dnl Emits: dontaudit ARG1 amavisd_recv_client_packet_t:packet send
dnl dontaudit grants nothing; it only suppresses the AVC denial record, so
dnl denied sends by ARG1 stop appearing in audit. Use for known-benign noise.
dnl Remaining lines: generated call-depth bookkeeping and begin/end marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_amavisd_recv_client_packets'($*)) dnl
gen_require(`
type amavisd_recv_client_packet_t;
')
dontaudit $1 amavisd_recv_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_amavisd_recv_client_packets'($*)) dnl
')
########################################
##
## Receive amavisd_recv_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_amavisd_recv_client_packets',` dnl
dnl Interface: allow ARG1 (a domain type) to receive packets labelled
dnl amavisd_recv_client_packet_t (packet class, recv permission).
dnl Emits: allow ARG1 amavisd_recv_client_packet_t:packet recv
dnl gen_require pulls in the packet type (a require block when built as a module).
dnl Remaining lines: generated call-depth bookkeeping and a begin/end marker
dnl via policy_m4_comment (defined outside this chunk); no access rules there.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_amavisd_recv_client_packets'($*)) dnl
gen_require(`
type amavisd_recv_client_packet_t;
')
allow $1 amavisd_recv_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_amavisd_recv_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive amavisd_recv_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_amavisd_recv_client_packets',` dnl
dnl Interface: do not audit ARG1 (a domain type) attempting to receive
dnl amavisd_recv_client_packet_t packets. ARG1 is the domain to not audit,
dnl not a domain being granted access.
dnl Emits: dontaudit ARG1 amavisd_recv_client_packet_t:packet recv
dnl dontaudit grants nothing; it only suppresses the AVC denial record, so
dnl denied receives by ARG1 stop appearing in audit. Use for known-benign noise.
dnl Remaining lines: generated call-depth bookkeeping and begin/end marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_amavisd_recv_client_packets'($*)) dnl
gen_require(`
type amavisd_recv_client_packet_t;
')
dontaudit $1 amavisd_recv_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_amavisd_recv_client_packets'($*)) dnl
')
########################################
##
## Send and receive amavisd_recv_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_amavisd_recv_client_packets',` dnl
dnl Interface: grant ARG1 (a domain type) both send and recv on
dnl amavisd_recv_client_packet_t. Convenience wrapper: it only calls the two
dnl single-direction interfaces above, which carry their own gen_require.
dnl Least privilege: callers needing one direction should use the narrower one.
dnl Remaining lines: generated call-depth bookkeeping and a begin/end marker
dnl via policy_m4_comment (defined outside this chunk); no access rules there.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_amavisd_recv_client_packets'($*)) dnl
corenet_send_amavisd_recv_client_packets($1)
corenet_receive_amavisd_recv_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_amavisd_recv_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive amavisd_recv_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_amavisd_recv_client_packets',` dnl
dnl Interface: silence audit for ARG1 (a domain type) sending or receiving
dnl amavisd_recv_client_packet_t packets. Wrapper over the two single-direction
dnl dontaudit interfaces above; no gen_require of its own.
dnl dontaudit grants nothing; it only hides the AVC denial record, so denied
dnl attempts by ARG1 stop appearing in audit. Use for known-benign noise only.
dnl Remaining lines: generated call-depth bookkeeping and begin/end marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_amavisd_recv_client_packets'($*)) dnl
corenet_dontaudit_send_amavisd_recv_client_packets($1)
corenet_dontaudit_receive_amavisd_recv_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_amavisd_recv_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the amavisd_recv_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_amavisd_recv_client_packets',` dnl
dnl Interface: allow ARG1 (a domain type) to relabel packets to
dnl amavisd_recv_client_packet_t (packet class, relabelto permission).
dnl Emits: allow ARG1 amavisd_recv_client_packet_t:packet relabelto
dnl The send/recv interfaces above are checked against this packet label, so
dnl relabelto is a broader privilege than send or recv: restrict it to the
dnl domain that is meant to label traffic.
dnl gen_require pulls in the packet type (a require block when built as a module).
dnl Remaining lines: generated call-depth bookkeeping and begin/end marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_amavisd_recv_client_packets'($*)) dnl
gen_require(`
type amavisd_recv_client_packet_t;
')
allow $1 amavisd_recv_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_amavisd_recv_client_packets'($*)) dnl
')
########################################
##
## Send amavisd_recv_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_amavisd_recv_server_packets',` dnl
dnl Interface: allow ARG1 (a domain type) to send packets labelled
dnl amavisd_recv_server_packet_t (packet class, send permission).
dnl Emits: allow ARG1 amavisd_recv_server_packet_t:packet send
dnl gen_require pulls in the packet type (a require block when built as a module).
dnl Remaining lines: generated call-depth bookkeeping and a begin/end marker
dnl via policy_m4_comment (defined outside this chunk); no access rules there.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_amavisd_recv_server_packets'($*)) dnl
gen_require(`
type amavisd_recv_server_packet_t;
')
allow $1 amavisd_recv_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_amavisd_recv_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send amavisd_recv_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_amavisd_recv_server_packets',` dnl
dnl Interface: do not audit ARG1 (a domain type) attempting to send
dnl amavisd_recv_server_packet_t packets.
dnl Emits: dontaudit ARG1 amavisd_recv_server_packet_t:packet send
dnl dontaudit grants nothing; it only suppresses the AVC denial record, so
dnl denied sends by ARG1 stop appearing in audit. Use for known-benign noise.
dnl Remaining lines: generated call-depth bookkeeping and begin/end marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_amavisd_recv_server_packets'($*)) dnl
gen_require(`
type amavisd_recv_server_packet_t;
')
dontaudit $1 amavisd_recv_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_amavisd_recv_server_packets'($*)) dnl
')
########################################
##
## Receive amavisd_recv_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_amavisd_recv_server_packets',` dnl
dnl Interface: allow ARG1 (a domain type) to receive packets labelled
dnl amavisd_recv_server_packet_t (packet class, recv permission).
dnl Emits: allow ARG1 amavisd_recv_server_packet_t:packet recv
dnl gen_require pulls in the packet type (a require block when built as a module).
dnl Remaining lines: generated call-depth bookkeeping and a begin/end marker
dnl via policy_m4_comment (defined outside this chunk); no access rules there.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_amavisd_recv_server_packets'($*)) dnl
gen_require(`
type amavisd_recv_server_packet_t;
')
allow $1 amavisd_recv_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_amavisd_recv_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive amavisd_recv_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_amavisd_recv_server_packets',` dnl
dnl Interface: do not audit ARG1 (a domain type) attempting to receive
dnl amavisd_recv_server_packet_t packets. ARG1 is the domain to not audit,
dnl not a domain being granted access.
dnl Emits: dontaudit ARG1 amavisd_recv_server_packet_t:packet recv
dnl dontaudit grants nothing; it only suppresses the AVC denial record, so
dnl denied receives by ARG1 stop appearing in audit. Use for known-benign noise.
dnl Remaining lines: generated call-depth bookkeeping and begin/end marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_amavisd_recv_server_packets'($*)) dnl
gen_require(`
type amavisd_recv_server_packet_t;
')
dontaudit $1 amavisd_recv_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_amavisd_recv_server_packets'($*)) dnl
')
########################################
##
## Send and receive amavisd_recv_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_amavisd_recv_server_packets',` dnl
dnl Interface: grant ARG1 (a domain type) both send and recv on
dnl amavisd_recv_server_packet_t. Convenience wrapper: it only calls the two
dnl single-direction interfaces above, which carry their own gen_require.
dnl Least privilege: callers needing one direction should use the narrower one.
dnl Remaining lines: generated call-depth bookkeeping and a begin/end marker
dnl via policy_m4_comment (defined outside this chunk); no access rules there.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_amavisd_recv_server_packets'($*)) dnl
corenet_send_amavisd_recv_server_packets($1)
corenet_receive_amavisd_recv_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_amavisd_recv_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive amavisd_recv_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_amavisd_recv_server_packets',` dnl
dnl Interface: silence audit for ARG1 (a domain type) sending or receiving
dnl amavisd_recv_server_packet_t packets. Wrapper over the two single-direction
dnl dontaudit interfaces above; no gen_require of its own.
dnl dontaudit grants nothing; it only hides the AVC denial record, so denied
dnl attempts by ARG1 stop appearing in audit. Use for known-benign noise only.
dnl Remaining lines: generated call-depth bookkeeping and begin/end marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_amavisd_recv_server_packets'($*)) dnl
corenet_dontaudit_send_amavisd_recv_server_packets($1)
corenet_dontaudit_receive_amavisd_recv_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_amavisd_recv_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the amavisd_recv_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_amavisd_recv_server_packets',` dnl
dnl Interface: allow ARG1 (a domain type) to relabel packets to
dnl amavisd_recv_server_packet_t (packet class, relabelto permission).
dnl Emits: allow ARG1 amavisd_recv_server_packet_t:packet relabelto
dnl The send/recv interfaces above are checked against this packet label, so
dnl relabelto is a broader privilege than send or recv: restrict it to the
dnl domain that is meant to label traffic.
dnl gen_require pulls in the packet type (a require block when built as a module).
dnl Remaining lines: generated call-depth bookkeeping and begin/end marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_amavisd_recv_server_packets'($*)) dnl
gen_require(`
type amavisd_recv_server_packet_t;
')
allow $1 amavisd_recv_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_amavisd_recv_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the amavisd_send port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_amavisd_send_port',` dnl
dnl Interface: allow ARG1 (a domain type) to send and receive TCP traffic on the
dnl amavisd_send port (port-based send_msg/recv_msg check on tcp_socket).
dnl Emits: allow ARG1 amavisd_send_port_t:tcp_socket { send_msg recv_msg }
dnl This grants both directions in one rule; bind and connect are separate
dnl interfaces and are not implied by this one.
dnl gen_require pulls in the port type (a require block when built as a module).
dnl Remaining lines: generated call-depth bookkeeping and begin/end marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_amavisd_send_port'($*)) dnl
gen_require(`
type amavisd_send_port_t;
')
allow $1 amavisd_send_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_amavisd_send_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the amavisd_send port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_amavisd_send_port',` dnl
dnl Interface: allow ARG1 (a domain type) to send UDP traffic on the
dnl amavisd_send port (send direction only).
dnl Emits: allow ARG1 amavisd_send_port_t:udp_socket send_msg
dnl gen_require pulls in the port type (a require block when built as a module).
dnl Remaining lines: generated call-depth bookkeeping and a begin/end marker
dnl via policy_m4_comment (defined outside this chunk); no access rules there.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_amavisd_send_port'($*)) dnl
gen_require(`
type amavisd_send_port_t;
')
allow $1 amavisd_send_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_amavisd_send_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the amavisd_send port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_amavisd_send_port',` dnl
dnl Interface: do not audit ARG1 (a domain type) attempting to send UDP traffic
dnl on the amavisd_send port.
dnl Emits: dontaudit ARG1 amavisd_send_port_t:udp_socket send_msg
dnl dontaudit grants nothing; it only suppresses the AVC denial record, so
dnl denied sends by ARG1 stop appearing in audit. Use for known-benign noise.
dnl Remaining lines: generated call-depth bookkeeping and begin/end marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_amavisd_send_port'($*)) dnl
gen_require(`
type amavisd_send_port_t;
')
dontaudit $1 amavisd_send_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_amavisd_send_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the amavisd_send port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_amavisd_send_port',` dnl
dnl Grants the domain (arg 1) recv_msg on udp_socket for amavisd_send_port_t.
dnl The policy_call_depth push/undefine lines are call-trace bookkeeping for policy_m4_comment, not policy rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_amavisd_send_port'($*)) dnl
gen_require(`
type amavisd_send_port_t;
')
allow $1 amavisd_send_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_amavisd_send_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the amavisd_send port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_amavisd_send_port',` dnl
dnl dontaudit only: silences denials of udp_socket recv_msg from amavisd_send_port_t for the domain (arg 1); grants nothing.
dnl The policy_call_depth push/undefine lines are call-trace bookkeeping for policy_m4_comment, not policy rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_amavisd_send_port'($*)) dnl
gen_require(`
type amavisd_send_port_t;
')
dontaudit $1 amavisd_send_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_amavisd_send_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the amavisd_send port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_amavisd_send_port',` dnl
dnl Composite: expands to the udp_send and udp_receive interfaces for amavisd_send_port_t; each carries its own gen_require.
dnl The policy_call_depth push/undefine lines are call-trace bookkeeping for policy_m4_comment, not policy rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_amavisd_send_port'($*)) dnl
corenet_udp_send_amavisd_send_port($1)
corenet_udp_receive_amavisd_send_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_amavisd_send_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the amavisd_send port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_amavisd_send_port',` dnl
dnl Composite dontaudit: expands to the dontaudit_udp_send and dontaudit_udp_receive interfaces for amavisd_send_port_t; grants nothing.
dnl The policy_call_depth push/undefine lines are call-trace bookkeeping for policy_m4_comment, not policy rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_amavisd_send_port'($*)) dnl
corenet_dontaudit_udp_send_amavisd_send_port($1)
corenet_dontaudit_udp_receive_amavisd_send_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_amavisd_send_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the amavisd_send port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_amavisd_send_port',` dnl
dnl Grants the domain (arg 1) name_bind on tcp_socket for amavisd_send_port_t, i.e. binding a TCP socket to this port.
dnl The policy_call_depth push/undefine lines are call-trace bookkeeping for policy_m4_comment, not policy rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_amavisd_send_port'($*)) dnl
gen_require(`
type amavisd_send_port_t;
')
allow $1 amavisd_send_port_t:tcp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_amavisd_send_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the amavisd_send port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_amavisd_send_port',` dnl
dnl Grants the domain (arg 1) name_bind on udp_socket for amavisd_send_port_t, i.e. binding a UDP socket to this port.
dnl The policy_call_depth push/undefine lines are call-trace bookkeeping for policy_m4_comment, not policy rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_amavisd_send_port'($*)) dnl
gen_require(`
type amavisd_send_port_t;
')
allow $1 amavisd_send_port_t:udp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_amavisd_send_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the amavisd_send port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_amavisd_send_port',` dnl
dnl Grants the domain (arg 1) name_connect on tcp_socket for amavisd_send_port_t, i.e. an outbound TCP connect to this port.
dnl The policy_call_depth push/undefine lines are call-trace bookkeeping for policy_m4_comment, not policy rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_amavisd_send_port'($*)) dnl
gen_require(`
type amavisd_send_port_t;
')
allow $1 amavisd_send_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_amavisd_send_port'($*)) dnl
')
########################################
##
## Send amavisd_send_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_amavisd_send_client_packets',` dnl
dnl Grants the domain (arg 1) send on the packet class for amavisd_send_client_packet_t.
dnl The policy_call_depth push/undefine lines are call-trace bookkeeping for policy_m4_comment, not policy rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_amavisd_send_client_packets'($*)) dnl
gen_require(`
type amavisd_send_client_packet_t;
')
allow $1 amavisd_send_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_amavisd_send_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send amavisd_send_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_amavisd_send_client_packets',` dnl
dnl dontaudit only: silences denials of packet send for amavisd_send_client_packet_t by the domain (arg 1); grants nothing.
dnl The policy_call_depth push/undefine lines are call-trace bookkeeping for policy_m4_comment, not policy rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_amavisd_send_client_packets'($*)) dnl
gen_require(`
type amavisd_send_client_packet_t;
')
dontaudit $1 amavisd_send_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_amavisd_send_client_packets'($*)) dnl
')
########################################
##
## Receive amavisd_send_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_amavisd_send_client_packets',` dnl
dnl Grants the domain (arg 1) recv on the packet class for amavisd_send_client_packet_t.
dnl The policy_call_depth push/undefine lines are call-trace bookkeeping for policy_m4_comment, not policy rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_amavisd_send_client_packets'($*)) dnl
gen_require(`
type amavisd_send_client_packet_t;
')
allow $1 amavisd_send_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_amavisd_send_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive amavisd_send_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_amavisd_send_client_packets',` dnl
dnl dontaudit only: silences denials of packet recv for amavisd_send_client_packet_t by the domain (arg 1); grants nothing.
dnl The policy_call_depth push/undefine lines are call-trace bookkeeping for policy_m4_comment, not policy rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_amavisd_send_client_packets'($*)) dnl
gen_require(`
type amavisd_send_client_packet_t;
')
dontaudit $1 amavisd_send_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_amavisd_send_client_packets'($*)) dnl
')
########################################
##
## Send and receive amavisd_send_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_amavisd_send_client_packets',` dnl
dnl Composite: expands to the send and receive interfaces for amavisd_send_client_packet_t; each carries its own gen_require.
dnl The policy_call_depth push/undefine lines are call-trace bookkeeping for policy_m4_comment, not policy rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_amavisd_send_client_packets'($*)) dnl
corenet_send_amavisd_send_client_packets($1)
corenet_receive_amavisd_send_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_amavisd_send_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive amavisd_send_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_amavisd_send_client_packets',` dnl
dnl Composite dontaudit: expands to the dontaudit_send and dontaudit_receive interfaces for amavisd_send_client_packet_t; grants nothing.
dnl The policy_call_depth push/undefine lines are call-trace bookkeeping for policy_m4_comment, not policy rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_amavisd_send_client_packets'($*)) dnl
corenet_dontaudit_send_amavisd_send_client_packets($1)
corenet_dontaudit_receive_amavisd_send_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_amavisd_send_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the amavisd_send_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_amavisd_send_client_packets',` dnl
dnl Grants the domain (arg 1) relabelto on the packet class for amavisd_send_client_packet_t.
dnl Least privilege: relabelto lets the domain assign this packet label; it is distinct from send/recv and should be granted separately.
dnl The policy_call_depth push/undefine lines are call-trace bookkeeping for policy_m4_comment, not policy rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_amavisd_send_client_packets'($*)) dnl
gen_require(`
type amavisd_send_client_packet_t;
')
allow $1 amavisd_send_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_amavisd_send_client_packets'($*)) dnl
')
########################################
##
## Send amavisd_send_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_amavisd_send_server_packets',` dnl
dnl Grants the domain (arg 1) send on the packet class for amavisd_send_server_packet_t.
dnl The policy_call_depth push/undefine lines are call-trace bookkeeping for policy_m4_comment, not policy rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_amavisd_send_server_packets'($*)) dnl
gen_require(`
type amavisd_send_server_packet_t;
')
allow $1 amavisd_send_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_amavisd_send_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send amavisd_send_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_amavisd_send_server_packets',` dnl
dnl dontaudit only: silences denials of packet send for amavisd_send_server_packet_t by the domain (arg 1); grants nothing.
dnl The policy_call_depth push/undefine lines are call-trace bookkeeping for policy_m4_comment, not policy rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_amavisd_send_server_packets'($*)) dnl
gen_require(`
type amavisd_send_server_packet_t;
')
dontaudit $1 amavisd_send_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_amavisd_send_server_packets'($*)) dnl
')
########################################
##
## Receive amavisd_send_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_amavisd_send_server_packets',` dnl
dnl Grants the domain (arg 1) recv on the packet class for amavisd_send_server_packet_t.
dnl The policy_call_depth push/undefine lines are call-trace bookkeeping for policy_m4_comment, not policy rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_amavisd_send_server_packets'($*)) dnl
gen_require(`
type amavisd_send_server_packet_t;
')
allow $1 amavisd_send_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_amavisd_send_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive amavisd_send_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_amavisd_send_server_packets',` dnl
dnl dontaudit only: silences denials of packet recv for amavisd_send_server_packet_t by the domain (arg 1); grants nothing.
dnl The policy_call_depth push/undefine lines are call-trace bookkeeping for policy_m4_comment, not policy rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_amavisd_send_server_packets'($*)) dnl
gen_require(`
type amavisd_send_server_packet_t;
')
dontaudit $1 amavisd_send_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_amavisd_send_server_packets'($*)) dnl
')
########################################
##
## Send and receive amavisd_send_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_amavisd_send_server_packets',` dnl
dnl Composite: expands to the send and receive interfaces for amavisd_send_server_packet_t; each carries its own gen_require.
dnl The policy_call_depth push/undefine lines are call-trace bookkeeping for policy_m4_comment, not policy rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_amavisd_send_server_packets'($*)) dnl
corenet_send_amavisd_send_server_packets($1)
corenet_receive_amavisd_send_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_amavisd_send_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive amavisd_send_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_amavisd_send_server_packets',` dnl
dnl Composite dontaudit: expands to the dontaudit_send and dontaudit_receive interfaces for amavisd_send_server_packet_t; grants nothing.
dnl The policy_call_depth push/undefine lines are call-trace bookkeeping for policy_m4_comment, not policy rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_amavisd_send_server_packets'($*)) dnl
corenet_dontaudit_send_amavisd_send_server_packets($1)
corenet_dontaudit_receive_amavisd_send_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_amavisd_send_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the amavisd_send_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_amavisd_send_server_packets',` dnl
dnl Grants the domain (arg 1) relabelto on the packet class for amavisd_send_server_packet_t.
dnl Least privilege: relabelto lets the domain assign this packet label; it is distinct from send/recv and should be granted separately.
dnl The policy_call_depth push/undefine lines are call-trace bookkeeping for policy_m4_comment, not policy rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_amavisd_send_server_packets'($*)) dnl
gen_require(`
type amavisd_send_server_packet_t;
')
allow $1 amavisd_send_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_amavisd_send_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the apcupsd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_apcupsd_port',` dnl
dnl Grants the domain (arg 1) send_msg and recv_msg on tcp_socket for apcupsd_port_t.
dnl The policy_call_depth push/undefine lines are call-trace bookkeeping for policy_m4_comment, not policy rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_apcupsd_port'($*)) dnl
gen_require(`
type apcupsd_port_t;
')
allow $1 apcupsd_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_apcupsd_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the apcupsd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_apcupsd_port',` dnl
dnl Grants the domain (arg 1) send_msg on udp_socket for apcupsd_port_t.
dnl The policy_call_depth push/undefine lines are call-trace bookkeeping for policy_m4_comment, not policy rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_apcupsd_port'($*)) dnl
gen_require(`
type apcupsd_port_t;
')
allow $1 apcupsd_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_apcupsd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the apcupsd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_apcupsd_port',` dnl
dnl dontaudit only: silences denials of udp_socket send_msg to apcupsd_port_t for the domain (arg 1); grants nothing.
dnl The policy_call_depth push/undefine lines are call-trace bookkeeping for policy_m4_comment, not policy rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_apcupsd_port'($*)) dnl
gen_require(`
type apcupsd_port_t;
')
dontaudit $1 apcupsd_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_apcupsd_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the apcupsd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_apcupsd_port',` dnl
dnl Grants the domain (arg 1) recv_msg on udp_socket for apcupsd_port_t.
dnl The policy_call_depth push/undefine lines are call-trace bookkeeping for policy_m4_comment, not policy rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_apcupsd_port'($*)) dnl
gen_require(`
type apcupsd_port_t;
')
allow $1 apcupsd_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_apcupsd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the apcupsd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_apcupsd_port',` dnl
dnl dontaudit only: silences denials of udp_socket recv_msg from apcupsd_port_t for the domain (arg 1); grants nothing.
dnl The policy_call_depth push/undefine lines are call-trace bookkeeping for policy_m4_comment, not policy rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_apcupsd_port'($*)) dnl
gen_require(`
type apcupsd_port_t;
')
dontaudit $1 apcupsd_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_apcupsd_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the apcupsd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_apcupsd_port',` dnl
dnl Composite: expands to the udp_send and udp_receive interfaces for apcupsd_port_t; each carries its own gen_require.
dnl The policy_call_depth push/undefine lines are call-trace bookkeeping for policy_m4_comment, not policy rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_apcupsd_port'($*)) dnl
corenet_udp_send_apcupsd_port($1)
corenet_udp_receive_apcupsd_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_apcupsd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the apcupsd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_apcupsd_port',` dnl
dnl Composite dontaudit: expands to the dontaudit_udp_send and dontaudit_udp_receive interfaces for apcupsd_port_t; grants nothing.
dnl The policy_call_depth push/undefine lines are call-trace bookkeeping for policy_m4_comment, not policy rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_apcupsd_port'($*)) dnl
corenet_dontaudit_udp_send_apcupsd_port($1)
corenet_dontaudit_udp_receive_apcupsd_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_apcupsd_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the apcupsd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_apcupsd_port',` dnl
dnl Grants the domain (arg 1) name_bind on tcp_socket for apcupsd_port_t, i.e. binding a TCP socket to this port.
dnl The policy_call_depth push/undefine lines are call-trace bookkeeping for policy_m4_comment, not policy rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_apcupsd_port'($*)) dnl
gen_require(`
type apcupsd_port_t;
')
allow $1 apcupsd_port_t:tcp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_apcupsd_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the apcupsd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_apcupsd_port',` dnl
dnl Grants the domain (arg 1) name_bind on udp_socket for apcupsd_port_t, i.e. binding a UDP socket to this port.
dnl The policy_call_depth push/undefine lines are call-trace bookkeeping for policy_m4_comment, not policy rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_apcupsd_port'($*)) dnl
gen_require(`
type apcupsd_port_t;
')
allow $1 apcupsd_port_t:udp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_apcupsd_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the apcupsd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_apcupsd_port',` dnl
dnl Grants the domain (arg 1) name_connect on tcp_socket for apcupsd_port_t, i.e. an outbound TCP connect to this port.
dnl The policy_call_depth push/undefine lines are call-trace bookkeeping for policy_m4_comment, not policy rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_apcupsd_port'($*)) dnl
gen_require(`
type apcupsd_port_t;
')
allow $1 apcupsd_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_apcupsd_port'($*)) dnl
')
########################################
##
## Send apcupsd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_apcupsd_client_packets',` dnl
dnl Grants the domain (arg 1) send on the packet class for apcupsd_client_packet_t.
dnl The policy_call_depth push/undefine lines are call-trace bookkeeping for policy_m4_comment, not policy rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_apcupsd_client_packets'($*)) dnl
gen_require(`
type apcupsd_client_packet_t;
')
allow $1 apcupsd_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_apcupsd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send apcupsd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_apcupsd_client_packets',` dnl
dnl dontaudit only: silences denials of packet send for apcupsd_client_packet_t by the domain (arg 1); grants nothing.
dnl The policy_call_depth push/undefine lines are call-trace bookkeeping for policy_m4_comment, not policy rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_apcupsd_client_packets'($*)) dnl
gen_require(`
type apcupsd_client_packet_t;
')
dontaudit $1 apcupsd_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_apcupsd_client_packets'($*)) dnl
')
########################################
##
## Receive apcupsd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_apcupsd_client_packets',` dnl
dnl Grants the domain (arg 1) recv on the packet class for apcupsd_client_packet_t.
dnl The policy_call_depth push/undefine lines are call-trace bookkeeping for policy_m4_comment, not policy rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_apcupsd_client_packets'($*)) dnl
gen_require(`
type apcupsd_client_packet_t;
')
allow $1 apcupsd_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_apcupsd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive apcupsd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_apcupsd_client_packets',` dnl
dnl dontaudit only: silences denials of packet recv for apcupsd_client_packet_t by the domain (arg 1); grants nothing.
dnl The policy_call_depth push/undefine lines are call-trace bookkeeping for policy_m4_comment, not policy rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_apcupsd_client_packets'($*)) dnl
gen_require(`
type apcupsd_client_packet_t;
')
dontaudit $1 apcupsd_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_apcupsd_client_packets'($*)) dnl
')
########################################
##
## Send and receive apcupsd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_apcupsd_client_packets',` dnl
dnl Composite: expands to the send and receive interfaces for apcupsd_client_packet_t; each carries its own gen_require.
dnl The policy_call_depth push/undefine lines are call-trace bookkeeping for policy_m4_comment, not policy rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_apcupsd_client_packets'($*)) dnl
corenet_send_apcupsd_client_packets($1)
corenet_receive_apcupsd_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_apcupsd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive apcupsd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_apcupsd_client_packets',` dnl
dnl Composite dontaudit: expands to the dontaudit_send and dontaudit_receive interfaces for apcupsd_client_packet_t; grants nothing.
dnl The policy_call_depth push/undefine lines are call-trace bookkeeping for policy_m4_comment, not policy rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_apcupsd_client_packets'($*)) dnl
corenet_dontaudit_send_apcupsd_client_packets($1)
corenet_dontaudit_receive_apcupsd_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_apcupsd_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the apcupsd_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_apcupsd_client_packets',` dnl
dnl Grants the domain (arg 1) relabelto on the packet class for apcupsd_client_packet_t.
dnl Least privilege: relabelto lets the domain assign this packet label; it is distinct from send/recv and should be granted separately.
dnl The policy_call_depth push/undefine lines are call-trace bookkeeping for policy_m4_comment, not policy rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_apcupsd_client_packets'($*)) dnl
gen_require(`
type apcupsd_client_packet_t;
')
allow $1 apcupsd_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_apcupsd_client_packets'($*)) dnl
')
########################################
##
## Send apcupsd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_apcupsd_server_packets',` dnl
dnl Grants the domain (arg 1) send on the packet class for apcupsd_server_packet_t.
dnl The policy_call_depth push/undefine lines are call-trace bookkeeping for policy_m4_comment, not policy rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_apcupsd_server_packets'($*)) dnl
gen_require(`
type apcupsd_server_packet_t;
')
allow $1 apcupsd_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_apcupsd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send apcupsd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_apcupsd_server_packets',` dnl
dnl dontaudit only: silences denials of packet send for apcupsd_server_packet_t by the domain (arg 1); grants nothing.
dnl The policy_call_depth push/undefine lines are call-trace bookkeeping for policy_m4_comment, not policy rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_apcupsd_server_packets'($*)) dnl
gen_require(`
type apcupsd_server_packet_t;
')
dontaudit $1 apcupsd_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_apcupsd_server_packets'($*)) dnl
')
########################################
##
## Receive apcupsd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_apcupsd_server_packets',` dnl
dnl Grants the domain (arg 1) recv on the packet class for apcupsd_server_packet_t.
dnl The policy_call_depth push/undefine lines are call-trace bookkeeping for policy_m4_comment, not policy rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_apcupsd_server_packets'($*)) dnl
gen_require(`
type apcupsd_server_packet_t;
')
allow $1 apcupsd_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_apcupsd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive apcupsd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_apcupsd_server_packets',` dnl
dnl dontaudit only: silences denials of packet recv for apcupsd_server_packet_t by the domain (arg 1); grants nothing.
dnl The policy_call_depth push/undefine lines are call-trace bookkeeping for policy_m4_comment, not policy rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_apcupsd_server_packets'($*)) dnl
gen_require(`
type apcupsd_server_packet_t;
')
dontaudit $1 apcupsd_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_apcupsd_server_packets'($*)) dnl
')
########################################
##
## Send and receive apcupsd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_apcupsd_server_packets',` dnl
dnl Composite: expands to the send and receive interfaces for apcupsd_server_packet_t; each carries its own gen_require.
dnl The policy_call_depth push/undefine lines are call-trace bookkeeping for policy_m4_comment, not policy rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_apcupsd_server_packets'($*)) dnl
corenet_send_apcupsd_server_packets($1)
corenet_receive_apcupsd_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_apcupsd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive apcupsd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_apcupsd_server_packets',` dnl
dnl Composite dontaudit: expands to the dontaudit_send and dontaudit_receive interfaces for apcupsd_server_packet_t; grants nothing.
dnl The policy_call_depth push/undefine lines are call-trace bookkeeping for policy_m4_comment, not policy rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_apcupsd_server_packets'($*)) dnl
corenet_dontaudit_send_apcupsd_server_packets($1)
corenet_dontaudit_receive_apcupsd_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_apcupsd_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the apcupsd_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_apcupsd_server_packets',` dnl
dnl Grants the domain (arg 1) relabelto on the packet class for apcupsd_server_packet_t.
dnl Least privilege: relabelto lets the domain assign this packet label; it is distinct from send/recv and should be granted separately.
dnl The policy_call_depth push/undefine lines are call-trace bookkeeping for policy_m4_comment, not policy rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_apcupsd_server_packets'($*)) dnl
gen_require(`
type apcupsd_server_packet_t;
')
allow $1 apcupsd_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_apcupsd_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the asterisk port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_asterisk_port',` dnl
dnl Purpose: let the domain in argument 1 send and receive messages over TCP on the asterisk_port_t port (tcp_socket send_msg and recv_msg).
dnl Argument 1: the domain type to grant access to.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Depth is raised around the body; presumably policy_m4_comment uses it to show interface-call nesting in the output.
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_asterisk_port'($*)) dnl
dnl gen_require optionally emits a require block so asterisk_port_t resolves wherever this interface is expanded.
gen_require(`
type asterisk_port_t;
')
allow $1 asterisk_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit restores the depth with pushdef rather than popdef: the value is right but the definition stack keeps growing.
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_asterisk_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the asterisk port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_asterisk_port',` dnl
dnl Purpose: let the domain in argument 1 send messages over UDP on the asterisk_port_t port (udp_socket send_msg only; receive is a separate interface).
dnl Argument 1: the domain type to grant access to.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Depth is raised around the body; presumably policy_m4_comment uses it to show interface-call nesting in the output.
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_asterisk_port'($*)) dnl
dnl gen_require optionally emits a require block so asterisk_port_t resolves wherever this interface is expanded.
gen_require(`
type asterisk_port_t;
')
allow $1 asterisk_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit restores the depth with pushdef rather than popdef: the value is right but the definition stack keeps growing.
policy_m4_comment(policy_call_depth,end `corenet_udp_send_asterisk_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the asterisk port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_asterisk_port',` dnl
dnl Purpose: suppress AVC denial logging when the domain in argument 1 attempts udp_socket send_msg on asterisk_port_t; grants nothing.
dnl Argument 1: the domain type whose denials are not audited.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Depth is raised around the body; presumably policy_m4_comment uses it to show interface-call nesting in the output.
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_asterisk_port'($*)) dnl
dnl gen_require optionally emits a require block so asterisk_port_t resolves wherever this interface is expanded.
gen_require(`
type asterisk_port_t;
')
dontaudit $1 asterisk_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit restores the depth with pushdef rather than popdef: the value is right but the definition stack keeps growing.
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_asterisk_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the asterisk port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_asterisk_port',` dnl
dnl Purpose: let the domain in argument 1 receive messages over UDP on the asterisk_port_t port (udp_socket recv_msg only; send is a separate interface).
dnl Argument 1: the domain type to grant access to.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Depth is raised around the body; presumably policy_m4_comment uses it to show interface-call nesting in the output.
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_asterisk_port'($*)) dnl
dnl gen_require optionally emits a require block so asterisk_port_t resolves wherever this interface is expanded.
gen_require(`
type asterisk_port_t;
')
allow $1 asterisk_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit restores the depth with pushdef rather than popdef: the value is right but the definition stack keeps growing.
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_asterisk_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the asterisk port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_asterisk_port',` dnl
dnl Purpose: suppress AVC denial logging when the domain in argument 1 attempts udp_socket recv_msg on asterisk_port_t; grants nothing.
dnl Argument 1: the domain type whose denials are not audited.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Depth is raised around the body; presumably policy_m4_comment uses it to show interface-call nesting in the output.
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_asterisk_port'($*)) dnl
dnl gen_require optionally emits a require block so asterisk_port_t resolves wherever this interface is expanded.
gen_require(`
type asterisk_port_t;
')
dontaudit $1 asterisk_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit restores the depth with pushdef rather than popdef: the value is right but the definition stack keeps growing.
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_asterisk_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the asterisk port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_asterisk_port',` dnl
dnl Purpose: convenience wrapper granting the domain in argument 1 both udp_socket send_msg and recv_msg on asterisk_port_t.
dnl Argument 1: the domain type to grant access to.
dnl Emits no rules or gen_require of its own: the two expanded interfaces each carry their own require block.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Depth is raised around the body; presumably policy_m4_comment uses it to show interface-call nesting in the output.
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_asterisk_port'($*)) dnl
corenet_udp_send_asterisk_port($1)
corenet_udp_receive_asterisk_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit restores the depth with pushdef rather than popdef: the value is right but the definition stack keeps growing.
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_asterisk_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the asterisk port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_asterisk_port',` dnl
dnl Purpose: suppress AVC denial logging for udp_socket send_msg and recv_msg attempts by the domain in argument 1 on asterisk_port_t; grants nothing.
dnl Argument 1: the domain type whose denials are not audited.
dnl Emits no rules of its own: the two expanded dontaudit interfaces each carry their own require block.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Depth is raised around the body; presumably policy_m4_comment uses it to show interface-call nesting in the output.
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_asterisk_port'($*)) dnl
corenet_dontaudit_udp_send_asterisk_port($1)
corenet_dontaudit_udp_receive_asterisk_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit restores the depth with pushdef rather than popdef: the value is right but the definition stack keeps growing.
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_asterisk_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the asterisk port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_asterisk_port',` dnl
dnl Purpose: let the domain in argument 1 bind TCP sockets to the asterisk_port_t port (tcp_socket name_bind).
dnl Argument 1: the domain type to grant access to.
dnl No capability is granted here, unlike the audit port bind interfaces; presumably the asterisk ports are outside the privileged range - confirm against the portcon entries.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Depth is raised around the body; presumably policy_m4_comment uses it to show interface-call nesting in the output.
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_asterisk_port'($*)) dnl
dnl gen_require optionally emits a require block so asterisk_port_t resolves wherever this interface is expanded.
gen_require(`
type asterisk_port_t;
')
allow $1 asterisk_port_t:tcp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit restores the depth with pushdef rather than popdef: the value is right but the definition stack keeps growing.
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_asterisk_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the asterisk port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_asterisk_port',` dnl
dnl Purpose: let the domain in argument 1 bind UDP sockets to the asterisk_port_t port (udp_socket name_bind).
dnl Argument 1: the domain type to grant access to.
dnl No capability is granted here, unlike the audit port bind interfaces; presumably the asterisk ports are outside the privileged range - confirm against the portcon entries.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Depth is raised around the body; presumably policy_m4_comment uses it to show interface-call nesting in the output.
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_asterisk_port'($*)) dnl
dnl gen_require optionally emits a require block so asterisk_port_t resolves wherever this interface is expanded.
gen_require(`
type asterisk_port_t;
')
allow $1 asterisk_port_t:udp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit restores the depth with pushdef rather than popdef: the value is right but the definition stack keeps growing.
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_asterisk_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the asterisk port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_asterisk_port',` dnl
dnl Purpose: let the domain in argument 1 initiate TCP connections to the asterisk_port_t port (tcp_socket name_connect).
dnl Argument 1: the domain type to grant access to.
dnl Connect permission only: sending and receiving on the established socket is covered by the sendrecv interface.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Depth is raised around the body; presumably policy_m4_comment uses it to show interface-call nesting in the output.
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_asterisk_port'($*)) dnl
dnl gen_require optionally emits a require block so asterisk_port_t resolves wherever this interface is expanded.
gen_require(`
type asterisk_port_t;
')
allow $1 asterisk_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit restores the depth with pushdef rather than popdef: the value is right but the definition stack keeps growing.
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_asterisk_port'($*)) dnl
')
########################################
##
## Send asterisk_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_asterisk_client_packets',` dnl
dnl Purpose: let the domain in argument 1 send packets labeled asterisk_client_packet_t (packet class, send permission).
dnl Argument 1: the domain type to grant access to.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Depth is raised around the body; presumably policy_m4_comment uses it to show interface-call nesting in the output.
policy_m4_comment(policy_call_depth,begin `corenet_send_asterisk_client_packets'($*)) dnl
dnl gen_require optionally emits a require block so asterisk_client_packet_t resolves wherever this interface is expanded.
gen_require(`
type asterisk_client_packet_t;
')
allow $1 asterisk_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit restores the depth with pushdef rather than popdef: the value is right but the definition stack keeps growing.
policy_m4_comment(policy_call_depth,end `corenet_send_asterisk_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send asterisk_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_asterisk_client_packets',` dnl
dnl Purpose: suppress AVC denial logging when the domain in argument 1 attempts to send asterisk_client_packet_t packets; grants nothing.
dnl Argument 1: the domain type whose denials are not audited.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Depth is raised around the body; presumably policy_m4_comment uses it to show interface-call nesting in the output.
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_asterisk_client_packets'($*)) dnl
dnl gen_require optionally emits a require block so asterisk_client_packet_t resolves wherever this interface is expanded.
gen_require(`
type asterisk_client_packet_t;
')
dontaudit $1 asterisk_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit restores the depth with pushdef rather than popdef: the value is right but the definition stack keeps growing.
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_asterisk_client_packets'($*)) dnl
')
########################################
##
## Receive asterisk_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_asterisk_client_packets',` dnl
dnl Purpose: let the domain in argument 1 receive packets labeled asterisk_client_packet_t (packet class, recv permission).
dnl Argument 1: the domain type to grant access to.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Depth is raised around the body; presumably policy_m4_comment uses it to show interface-call nesting in the output.
policy_m4_comment(policy_call_depth,begin `corenet_receive_asterisk_client_packets'($*)) dnl
dnl gen_require optionally emits a require block so asterisk_client_packet_t resolves wherever this interface is expanded.
gen_require(`
type asterisk_client_packet_t;
')
allow $1 asterisk_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit restores the depth with pushdef rather than popdef: the value is right but the definition stack keeps growing.
policy_m4_comment(policy_call_depth,end `corenet_receive_asterisk_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive asterisk_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_asterisk_client_packets',` dnl
dnl Purpose: suppress AVC denial logging when the domain in argument 1 attempts to receive asterisk_client_packet_t packets; grants nothing.
dnl Argument 1: the domain type whose denials are not audited.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Depth is raised around the body; presumably policy_m4_comment uses it to show interface-call nesting in the output.
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_asterisk_client_packets'($*)) dnl
dnl gen_require optionally emits a require block so asterisk_client_packet_t resolves wherever this interface is expanded.
gen_require(`
type asterisk_client_packet_t;
')
dontaudit $1 asterisk_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit restores the depth with pushdef rather than popdef: the value is right but the definition stack keeps growing.
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_asterisk_client_packets'($*)) dnl
')
########################################
##
## Send and receive asterisk_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_asterisk_client_packets',` dnl
dnl Purpose: convenience wrapper granting the domain in argument 1 both send and recv on asterisk_client_packet_t (packet class).
dnl Argument 1: the domain type to grant access to.
dnl Emits no rules or gen_require of its own: the two expanded interfaces each carry their own require block.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Depth is raised around the body; presumably policy_m4_comment uses it to show interface-call nesting in the output.
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_asterisk_client_packets'($*)) dnl
corenet_send_asterisk_client_packets($1)
corenet_receive_asterisk_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit restores the depth with pushdef rather than popdef: the value is right but the definition stack keeps growing.
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_asterisk_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive asterisk_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_asterisk_client_packets',` dnl
dnl Purpose: suppress AVC denial logging for send and recv attempts by the domain in argument 1 on asterisk_client_packet_t; grants nothing.
dnl Argument 1: the domain type whose denials are not audited.
dnl Emits no rules of its own: the two expanded dontaudit interfaces each carry their own require block.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Depth is raised around the body; presumably policy_m4_comment uses it to show interface-call nesting in the output.
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_asterisk_client_packets'($*)) dnl
corenet_dontaudit_send_asterisk_client_packets($1)
corenet_dontaudit_receive_asterisk_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit restores the depth with pushdef rather than popdef: the value is right but the definition stack keeps growing.
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_asterisk_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the asterisk_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_asterisk_client_packets',` dnl
dnl Purpose: let the domain in argument 1 relabel packets to asterisk_client_packet_t (packet class, relabelto permission).
dnl Argument 1: the domain type to grant access to.
dnl This is a labeling permission, not a traffic permission; presumably it governs which domains may assign this packet label, so keep its grantees few.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Depth is raised around the body; presumably policy_m4_comment uses it to show interface-call nesting in the output.
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_asterisk_client_packets'($*)) dnl
dnl gen_require optionally emits a require block so asterisk_client_packet_t resolves wherever this interface is expanded.
gen_require(`
type asterisk_client_packet_t;
')
allow $1 asterisk_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit restores the depth with pushdef rather than popdef: the value is right but the definition stack keeps growing.
policy_m4_comment(policy_call_depth,end `corenet_relabelto_asterisk_client_packets'($*)) dnl
')
########################################
##
## Send asterisk_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_asterisk_server_packets',` dnl
dnl Purpose: let the domain in argument 1 send packets labeled asterisk_server_packet_t (packet class, send permission).
dnl Argument 1: the domain type to grant access to.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Depth is raised around the body; presumably policy_m4_comment uses it to show interface-call nesting in the output.
policy_m4_comment(policy_call_depth,begin `corenet_send_asterisk_server_packets'($*)) dnl
dnl gen_require optionally emits a require block so asterisk_server_packet_t resolves wherever this interface is expanded.
gen_require(`
type asterisk_server_packet_t;
')
allow $1 asterisk_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit restores the depth with pushdef rather than popdef: the value is right but the definition stack keeps growing.
policy_m4_comment(policy_call_depth,end `corenet_send_asterisk_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send asterisk_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_asterisk_server_packets',` dnl
dnl Purpose: suppress AVC denial logging when the domain in argument 1 attempts to send asterisk_server_packet_t packets; grants nothing.
dnl Argument 1: the domain type whose denials are not audited.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Depth is raised around the body; presumably policy_m4_comment uses it to show interface-call nesting in the output.
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_asterisk_server_packets'($*)) dnl
dnl gen_require optionally emits a require block so asterisk_server_packet_t resolves wherever this interface is expanded.
gen_require(`
type asterisk_server_packet_t;
')
dontaudit $1 asterisk_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit restores the depth with pushdef rather than popdef: the value is right but the definition stack keeps growing.
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_asterisk_server_packets'($*)) dnl
')
########################################
##
## Receive asterisk_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_asterisk_server_packets',` dnl
dnl Purpose: let the domain in argument 1 receive packets labeled asterisk_server_packet_t (packet class, recv permission).
dnl Argument 1: the domain type to grant access to.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Depth is raised around the body; presumably policy_m4_comment uses it to show interface-call nesting in the output.
policy_m4_comment(policy_call_depth,begin `corenet_receive_asterisk_server_packets'($*)) dnl
dnl gen_require optionally emits a require block so asterisk_server_packet_t resolves wherever this interface is expanded.
gen_require(`
type asterisk_server_packet_t;
')
allow $1 asterisk_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit restores the depth with pushdef rather than popdef: the value is right but the definition stack keeps growing.
policy_m4_comment(policy_call_depth,end `corenet_receive_asterisk_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive asterisk_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_asterisk_server_packets',` dnl
dnl Purpose: suppress AVC denial logging when the domain in argument 1 attempts to receive asterisk_server_packet_t packets; grants nothing.
dnl Argument 1: the domain type whose denials are not audited.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Depth is raised around the body; presumably policy_m4_comment uses it to show interface-call nesting in the output.
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_asterisk_server_packets'($*)) dnl
dnl gen_require optionally emits a require block so asterisk_server_packet_t resolves wherever this interface is expanded.
gen_require(`
type asterisk_server_packet_t;
')
dontaudit $1 asterisk_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit restores the depth with pushdef rather than popdef: the value is right but the definition stack keeps growing.
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_asterisk_server_packets'($*)) dnl
')
########################################
##
## Send and receive asterisk_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_asterisk_server_packets',` dnl
dnl Purpose: convenience wrapper granting the domain in argument 1 both send and recv on asterisk_server_packet_t (packet class).
dnl Argument 1: the domain type to grant access to.
dnl Emits no rules or gen_require of its own: the two expanded interfaces each carry their own require block.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Depth is raised around the body; presumably policy_m4_comment uses it to show interface-call nesting in the output.
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_asterisk_server_packets'($*)) dnl
corenet_send_asterisk_server_packets($1)
corenet_receive_asterisk_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit restores the depth with pushdef rather than popdef: the value is right but the definition stack keeps growing.
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_asterisk_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive asterisk_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_asterisk_server_packets',` dnl
dnl Purpose: suppress AVC denial logging for send and recv attempts by the domain in argument 1 on asterisk_server_packet_t; grants nothing.
dnl Argument 1: the domain type whose denials are not audited.
dnl Emits no rules of its own: the two expanded dontaudit interfaces each carry their own require block.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Depth is raised around the body; presumably policy_m4_comment uses it to show interface-call nesting in the output.
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_asterisk_server_packets'($*)) dnl
corenet_dontaudit_send_asterisk_server_packets($1)
corenet_dontaudit_receive_asterisk_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit restores the depth with pushdef rather than popdef: the value is right but the definition stack keeps growing.
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_asterisk_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the asterisk_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_asterisk_server_packets',` dnl
dnl Purpose: let the domain in argument 1 relabel packets to asterisk_server_packet_t (packet class, relabelto permission).
dnl Argument 1: the domain type to grant access to.
dnl This is a labeling permission, not a traffic permission; presumably it governs which domains may assign this packet label, so keep its grantees few.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Depth is raised around the body; presumably policy_m4_comment uses it to show interface-call nesting in the output.
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_asterisk_server_packets'($*)) dnl
dnl gen_require optionally emits a require block so asterisk_server_packet_t resolves wherever this interface is expanded.
gen_require(`
type asterisk_server_packet_t;
')
allow $1 asterisk_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit restores the depth with pushdef rather than popdef: the value is right but the definition stack keeps growing.
policy_m4_comment(policy_call_depth,end `corenet_relabelto_asterisk_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the audit port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_audit_port',` dnl
dnl Purpose: let the domain in argument 1 send and receive messages over TCP on the audit_port_t port (tcp_socket send_msg and recv_msg).
dnl Argument 1: the domain type to grant access to.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Depth is raised around the body; presumably policy_m4_comment uses it to show interface-call nesting in the output.
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_audit_port'($*)) dnl
dnl gen_require optionally emits a require block so audit_port_t resolves wherever this interface is expanded.
gen_require(`
type audit_port_t;
')
allow $1 audit_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit restores the depth with pushdef rather than popdef: the value is right but the definition stack keeps growing.
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_audit_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the audit port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_audit_port',` dnl
dnl Purpose: let the domain in argument 1 send messages over UDP on the audit_port_t port (udp_socket send_msg only; receive is a separate interface).
dnl Argument 1: the domain type to grant access to.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Depth is raised around the body; presumably policy_m4_comment uses it to show interface-call nesting in the output.
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_audit_port'($*)) dnl
dnl gen_require optionally emits a require block so audit_port_t resolves wherever this interface is expanded.
gen_require(`
type audit_port_t;
')
allow $1 audit_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit restores the depth with pushdef rather than popdef: the value is right but the definition stack keeps growing.
policy_m4_comment(policy_call_depth,end `corenet_udp_send_audit_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the audit port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_audit_port',` dnl
dnl Purpose: suppress AVC denial logging when the domain in argument 1 attempts udp_socket send_msg on audit_port_t; grants nothing.
dnl Argument 1: the domain type whose denials are not audited.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Depth is raised around the body; presumably policy_m4_comment uses it to show interface-call nesting in the output.
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_audit_port'($*)) dnl
dnl gen_require optionally emits a require block so audit_port_t resolves wherever this interface is expanded.
gen_require(`
type audit_port_t;
')
dontaudit $1 audit_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit restores the depth with pushdef rather than popdef: the value is right but the definition stack keeps growing.
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_audit_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the audit port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_audit_port',` dnl
dnl Purpose: let the domain in argument 1 receive messages over UDP on the audit_port_t port (udp_socket recv_msg only; send is a separate interface).
dnl Argument 1: the domain type to grant access to.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Depth is raised around the body; presumably policy_m4_comment uses it to show interface-call nesting in the output.
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_audit_port'($*)) dnl
dnl gen_require optionally emits a require block so audit_port_t resolves wherever this interface is expanded.
gen_require(`
type audit_port_t;
')
allow $1 audit_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit restores the depth with pushdef rather than popdef: the value is right but the definition stack keeps growing.
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_audit_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the audit port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_audit_port',` dnl
dnl Purpose: suppress AVC denial logging when the domain in argument 1 attempts udp_socket recv_msg on audit_port_t; grants nothing.
dnl Argument 1: the domain type whose denials are not audited.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Depth is raised around the body; presumably policy_m4_comment uses it to show interface-call nesting in the output.
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_audit_port'($*)) dnl
dnl gen_require optionally emits a require block so audit_port_t resolves wherever this interface is expanded.
gen_require(`
type audit_port_t;
')
dontaudit $1 audit_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit restores the depth with pushdef rather than popdef: the value is right but the definition stack keeps growing.
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_audit_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the audit port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_audit_port',` dnl
dnl Purpose: convenience wrapper granting the domain in argument 1 both udp_socket send_msg and recv_msg on audit_port_t.
dnl Argument 1: the domain type to grant access to.
dnl Emits no rules or gen_require of its own: the two expanded interfaces each carry their own require block.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Depth is raised around the body; presumably policy_m4_comment uses it to show interface-call nesting in the output.
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_audit_port'($*)) dnl
corenet_udp_send_audit_port($1)
corenet_udp_receive_audit_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit restores the depth with pushdef rather than popdef: the value is right but the definition stack keeps growing.
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_audit_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the audit port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_audit_port',` dnl
dnl Purpose: suppress AVC denial logging for udp_socket send_msg and recv_msg attempts by the domain in argument 1 on audit_port_t; grants nothing.
dnl Argument 1: the domain type whose denials are not audited.
dnl Emits no rules of its own: the two expanded dontaudit interfaces each carry their own require block.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Depth is raised around the body; presumably policy_m4_comment uses it to show interface-call nesting in the output.
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_audit_port'($*)) dnl
corenet_dontaudit_udp_send_audit_port($1)
corenet_dontaudit_udp_receive_audit_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit restores the depth with pushdef rather than popdef: the value is right but the definition stack keeps growing.
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_audit_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the audit port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_audit_port',` dnl
dnl Purpose: let the domain in argument 1 bind TCP sockets to the audit_port_t port (tcp_socket name_bind) and hold the capability needed to do so.
dnl Argument 1: the domain type to grant access to.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Depth is raised around the body; presumably policy_m4_comment uses it to show interface-call nesting in the output.
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_audit_port'($*)) dnl
dnl gen_require optionally emits a require block so audit_port_t resolves wherever this interface is expanded.
gen_require(`
type audit_port_t;
')
allow $1 audit_port_t:tcp_socket name_bind;
dnl Also grants net_bind_service on self, which the asterisk bind interfaces do not; presumably the audit port number lies in the privileged (below 1024) range - confirm against the portcon entry.
dnl The capability is not scoped to this port: once held, the domain can bind any privileged port whose port type it is otherwise allowed to name_bind.
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit restores the depth with pushdef rather than popdef: the value is right but the definition stack keeps growing.
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_audit_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the audit port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_audit_port',` dnl
dnl Purpose: let the domain in argument 1 bind UDP sockets to the audit_port_t port (udp_socket name_bind) and hold the capability needed to do so.
dnl Argument 1: the domain type to grant access to.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Depth is raised around the body; presumably policy_m4_comment uses it to show interface-call nesting in the output.
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_audit_port'($*)) dnl
dnl gen_require optionally emits a require block so audit_port_t resolves wherever this interface is expanded.
gen_require(`
type audit_port_t;
')
allow $1 audit_port_t:udp_socket name_bind;
dnl Also grants net_bind_service on self, which the asterisk bind interfaces do not; presumably the audit port number lies in the privileged (below 1024) range - confirm against the portcon entry.
dnl The capability is not scoped to this port: once held, the domain can bind any privileged port whose port type it is otherwise allowed to name_bind.
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit restores the depth with pushdef rather than popdef: the value is right but the definition stack keeps growing.
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_audit_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the audit port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_audit_port',` dnl
dnl Purpose: let the domain in argument 1 initiate TCP connections to the audit_port_t port (tcp_socket name_connect).
dnl Argument 1: the domain type to grant access to.
dnl Connect permission only: sending and receiving on the established socket is covered by the sendrecv interface.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Depth is raised around the body; presumably policy_m4_comment uses it to show interface-call nesting in the output.
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_audit_port'($*)) dnl
dnl gen_require optionally emits a require block so audit_port_t resolves wherever this interface is expanded.
gen_require(`
type audit_port_t;
')
allow $1 audit_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit restores the depth with pushdef rather than popdef: the value is right but the definition stack keeps growing.
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_audit_port'($*)) dnl
')
########################################
##
## Send audit_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_audit_client_packets',` dnl
dnl Purpose: let the domain in argument 1 send packets labeled audit_client_packet_t (packet class, send permission).
dnl Argument 1: the domain type to grant access to.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Depth is raised around the body; presumably policy_m4_comment uses it to show interface-call nesting in the output.
policy_m4_comment(policy_call_depth,begin `corenet_send_audit_client_packets'($*)) dnl
dnl gen_require optionally emits a require block so audit_client_packet_t resolves wherever this interface is expanded.
gen_require(`
type audit_client_packet_t;
')
allow $1 audit_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit restores the depth with pushdef rather than popdef: the value is right but the definition stack keeps growing.
policy_m4_comment(policy_call_depth,end `corenet_send_audit_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send audit_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_audit_client_packets',` dnl
dnl Purpose: suppress AVC denial logging when the domain in argument 1 attempts to send audit_client_packet_t packets; grants nothing.
dnl Argument 1: the domain type whose denials are not audited.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Depth is raised around the body; presumably policy_m4_comment uses it to show interface-call nesting in the output.
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_audit_client_packets'($*)) dnl
dnl gen_require optionally emits a require block so audit_client_packet_t resolves wherever this interface is expanded.
gen_require(`
type audit_client_packet_t;
')
dontaudit $1 audit_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit restores the depth with pushdef rather than popdef: the value is right but the definition stack keeps growing.
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_audit_client_packets'($*)) dnl
')
########################################
##
## Receive audit_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_audit_client_packets',` dnl
dnl Purpose: let the domain in argument 1 receive packets labeled audit_client_packet_t (packet class, recv permission).
dnl Argument 1: the domain type to grant access to.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Depth is raised around the body; presumably policy_m4_comment uses it to show interface-call nesting in the output.
policy_m4_comment(policy_call_depth,begin `corenet_receive_audit_client_packets'($*)) dnl
dnl gen_require optionally emits a require block so audit_client_packet_t resolves wherever this interface is expanded.
gen_require(`
type audit_client_packet_t;
')
allow $1 audit_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit restores the depth with pushdef rather than popdef: the value is right but the definition stack keeps growing.
policy_m4_comment(policy_call_depth,end `corenet_receive_audit_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive audit_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_audit_client_packets',` dnl
dnl Purpose: suppress AVC denial logging when the domain in argument 1 attempts to receive audit_client_packet_t packets; grants nothing.
dnl Argument 1: the domain type whose denials are not audited.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Depth is raised around the body; presumably policy_m4_comment uses it to show interface-call nesting in the output.
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_audit_client_packets'($*)) dnl
dnl gen_require optionally emits a require block so audit_client_packet_t resolves wherever this interface is expanded.
gen_require(`
type audit_client_packet_t;
')
dontaudit $1 audit_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit restores the depth with pushdef rather than popdef: the value is right but the definition stack keeps growing.
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_audit_client_packets'($*)) dnl
')
########################################
##
## Send and receive audit_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_audit_client_packets',` dnl
dnl Purpose: convenience wrapper granting the domain in argument 1 both send and recv on audit_client_packet_t (packet class).
dnl Argument 1: the domain type to grant access to.
dnl Emits no rules or gen_require of its own: the two expanded interfaces each carry their own require block.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Depth is raised around the body; presumably policy_m4_comment uses it to show interface-call nesting in the output.
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_audit_client_packets'($*)) dnl
corenet_send_audit_client_packets($1)
corenet_receive_audit_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit restores the depth with pushdef rather than popdef: the value is right but the definition stack keeps growing.
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_audit_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive audit_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_audit_client_packets',` dnl
dnl Purpose: suppress AVC denial logging for send and recv attempts by the domain in argument 1 on audit_client_packet_t; grants nothing.
dnl Argument 1: the domain type whose denials are not audited.
dnl Emits no rules of its own: the two expanded dontaudit interfaces each carry their own require block.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Depth is raised around the body; presumably policy_m4_comment uses it to show interface-call nesting in the output.
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_audit_client_packets'($*)) dnl
corenet_dontaudit_send_audit_client_packets($1)
corenet_dontaudit_receive_audit_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit restores the depth with pushdef rather than popdef: the value is right but the definition stack keeps growing.
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_audit_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the audit_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_audit_client_packets',` dnl
dnl Purpose: let the domain in argument 1 relabel packets to audit_client_packet_t (packet class, relabelto permission).
dnl Argument 1: the domain type to grant access to.
dnl This is a labeling permission, not a traffic permission; presumably it governs which domains may assign this packet label, so keep its grantees few.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Depth is raised around the body; presumably policy_m4_comment uses it to show interface-call nesting in the output.
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_audit_client_packets'($*)) dnl
dnl gen_require optionally emits a require block so audit_client_packet_t resolves wherever this interface is expanded.
gen_require(`
type audit_client_packet_t;
')
allow $1 audit_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit restores the depth with pushdef rather than popdef: the value is right but the definition stack keeps growing.
policy_m4_comment(policy_call_depth,end `corenet_relabelto_audit_client_packets'($*)) dnl
')
########################################
##
## Send audit_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_audit_server_packets',` dnl
dnl Purpose: let the domain in argument 1 send packets labeled audit_server_packet_t (packet class, send permission).
dnl Argument 1: the domain type to grant access to.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Depth is raised around the body; presumably policy_m4_comment uses it to show interface-call nesting in the output.
policy_m4_comment(policy_call_depth,begin `corenet_send_audit_server_packets'($*)) dnl
dnl gen_require optionally emits a require block so audit_server_packet_t resolves wherever this interface is expanded.
gen_require(`
type audit_server_packet_t;
')
allow $1 audit_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit restores the depth with pushdef rather than popdef: the value is right but the definition stack keeps growing.
policy_m4_comment(policy_call_depth,end `corenet_send_audit_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send audit_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_audit_server_packets',` dnl
dnl Purpose: suppress AVC denial logging when the domain in argument 1 attempts to send audit_server_packet_t packets; grants nothing.
dnl Argument 1: the domain type whose denials are not audited.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Depth is raised around the body; presumably policy_m4_comment uses it to show interface-call nesting in the output.
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_audit_server_packets'($*)) dnl
dnl gen_require optionally emits a require block so audit_server_packet_t resolves wherever this interface is expanded.
gen_require(`
type audit_server_packet_t;
')
dontaudit $1 audit_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit restores the depth with pushdef rather than popdef: the value is right but the definition stack keeps growing.
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_audit_server_packets'($*)) dnl
')
########################################
##
## Receive audit_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_audit_server_packets',` dnl
dnl Purpose: let the domain in argument 1 receive packets labeled audit_server_packet_t (packet class, recv permission).
dnl Argument 1: the domain type to grant access to.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Depth is raised around the body; presumably policy_m4_comment uses it to show interface-call nesting in the output.
policy_m4_comment(policy_call_depth,begin `corenet_receive_audit_server_packets'($*)) dnl
dnl gen_require optionally emits a require block so audit_server_packet_t resolves wherever this interface is expanded.
gen_require(`
type audit_server_packet_t;
')
allow $1 audit_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit restores the depth with pushdef rather than popdef: the value is right but the definition stack keeps growing.
policy_m4_comment(policy_call_depth,end `corenet_receive_audit_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive audit_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_audit_server_packets',` dnl
dnl Purpose: suppress AVC denial logging when the domain in argument 1 attempts to receive audit_server_packet_t packets; grants nothing.
dnl Argument 1: the domain type whose denials are not audited.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Depth is raised around the body; presumably policy_m4_comment uses it to show interface-call nesting in the output.
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_audit_server_packets'($*)) dnl
dnl gen_require optionally emits a require block so audit_server_packet_t resolves wherever this interface is expanded.
gen_require(`
type audit_server_packet_t;
')
dontaudit $1 audit_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit restores the depth with pushdef rather than popdef: the value is right but the definition stack keeps growing.
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_audit_server_packets'($*)) dnl
')
########################################
##
## Send and receive audit_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_audit_server_packets',` dnl
dnl Purpose: convenience wrapper granting $1 both directions on
dnl audit_server_packet_t by expanding the send and receive interfaces.
dnl It emits no rules of its own, so no gen_require is needed here.
dnl   $1 = domain granted packet send and receive.
dnl Depth bookkeeping: bump policy_call_depth for the begin marker, push the decremented value for the end marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_audit_server_packets'($*)) dnl
corenet_send_audit_server_packets($1)
corenet_receive_audit_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_audit_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive audit_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_audit_server_packets',` dnl
dnl Purpose: convenience wrapper that silences denial logging for $1 in both
dnl directions on audit_server_packet_t by expanding the two dontaudit
dnl interfaces. Grants nothing; emits no rules of its own.
dnl   $1 = domain to stop auditing.
dnl Depth bookkeeping: bump policy_call_depth for the begin marker, push the decremented value for the end marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_audit_server_packets'($*)) dnl
corenet_dontaudit_send_audit_server_packets($1)
corenet_dontaudit_receive_audit_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_audit_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the audit_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_audit_server_packets',` dnl
dnl Purpose: allow $1 to relabel packets to audit_server_packet_t
dnl (packet class, relabelto permission). This is a labeling privilege, not
dnl a traffic permission: a domain holding it decides which packets later
dnl match the audit_server send/recv rules, so grant it narrowly.
dnl NOTE(review): presumably needed only by the component applying packet labels; confirm against the caller.
dnl   $1 = domain granted relabelto.
dnl Depth bookkeeping: bump policy_call_depth for the begin marker, push the decremented value for the end marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_audit_server_packets'($*)) dnl
dnl Declare the packet type dependency so the rule resolves in a loadable module.
gen_require(`
type audit_server_packet_t;
')
allow $1 audit_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_audit_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the auth port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_auth_port',` dnl
dnl Purpose: allow $1 to send and receive TCP traffic on sockets bound to a
dnl port labeled auth_port_t (tcp_socket send_msg and recv_msg). This does not
dnl include name_bind or name_connect; those are separate interfaces.
dnl   $1 = domain granted TCP send and receive on the auth port.
dnl Depth bookkeeping: bump policy_call_depth for the begin marker, push the decremented value for the end marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_auth_port'($*)) dnl
dnl Declare the port type dependency so the rule resolves in a loadable module.
gen_require(`
type auth_port_t;
')
allow $1 auth_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_auth_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the auth port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_auth_port',` dnl
dnl Purpose: allow $1 to send UDP datagrams to a port labeled auth_port_t
dnl (udp_socket send_msg). Receive is a separate interface.
dnl   $1 = domain granted UDP send on the auth port.
dnl Depth bookkeeping: bump policy_call_depth for the begin marker, push the decremented value for the end marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_auth_port'($*)) dnl
dnl Declare the port type dependency so the rule resolves in a loadable module.
gen_require(`
type auth_port_t;
')
allow $1 auth_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_auth_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the auth port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_auth_port',` dnl
dnl Purpose: suppress audit logging when $1 is denied sending UDP datagrams to
dnl a port labeled auth_port_t. Emits a dontaudit rule only: no access is
dnl granted, the AVC denial just stops being logged.
dnl   $1 = domain to stop auditing.
dnl Depth bookkeeping: bump policy_call_depth for the begin marker, push the decremented value for the end marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_auth_port'($*)) dnl
dnl Declare the port type dependency so the rule resolves in a loadable module.
gen_require(`
type auth_port_t;
')
dontaudit $1 auth_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_auth_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the auth port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_auth_port',` dnl
dnl Purpose: allow $1 to receive UDP datagrams on a port labeled auth_port_t
dnl (udp_socket recv_msg). Binding to the port is a separate interface.
dnl   $1 = domain granted UDP receive on the auth port.
dnl Depth bookkeeping: bump policy_call_depth for the begin marker, push the decremented value for the end marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_auth_port'($*)) dnl
dnl Declare the port type dependency so the rule resolves in a loadable module.
gen_require(`
type auth_port_t;
')
allow $1 auth_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_auth_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the auth port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_auth_port',` dnl
dnl Purpose: suppress audit logging when $1 is denied receiving UDP datagrams
dnl on a port labeled auth_port_t. Emits a dontaudit rule only: no access is
dnl granted, the AVC denial just stops being logged.
dnl   $1 = domain to stop auditing.
dnl Depth bookkeeping: bump policy_call_depth for the begin marker, push the decremented value for the end marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_auth_port'($*)) dnl
dnl Declare the port type dependency so the rule resolves in a loadable module.
gen_require(`
type auth_port_t;
')
dontaudit $1 auth_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_auth_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the auth port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_auth_port',` dnl
dnl Purpose: convenience wrapper granting $1 UDP send and receive on
dnl auth_port_t by expanding the two single-direction interfaces.
dnl It emits no rules of its own, so no gen_require is needed here.
dnl   $1 = domain granted UDP send and receive on the auth port.
dnl Depth bookkeeping: bump policy_call_depth for the begin marker, push the decremented value for the end marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_auth_port'($*)) dnl
corenet_udp_send_auth_port($1)
corenet_udp_receive_auth_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_auth_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the auth port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_auth_port',` dnl
dnl Purpose: convenience wrapper that silences denial logging for $1 on UDP
dnl send and receive to auth_port_t by expanding the two dontaudit interfaces.
dnl Grants nothing; emits no rules of its own.
dnl   $1 = domain to stop auditing.
dnl Depth bookkeeping: bump policy_call_depth for the begin marker, push the decremented value for the end marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_auth_port'($*)) dnl
corenet_dontaudit_udp_send_auth_port($1)
corenet_dontaudit_udp_receive_auth_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_auth_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the auth port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_auth_port',` dnl
dnl Purpose: allow $1 to bind TCP sockets to a port labeled auth_port_t
dnl (tcp_socket name_bind), and grant $1 the net_bind_service capability that
dnl a privileged-port bind also requires.
dnl NOTE(review): the capability rule is on self:capability and is not tied to
dnl auth_port_t, so it also satisfies the capability check for any other
dnl privileged-port bind $1 is allowed elsewhere. Weigh that before using this
dnl interface for a domain that only needs a single port.
dnl   $1 = domain granted bind on the auth port.
dnl Depth bookkeeping: bump policy_call_depth for the begin marker, push the decremented value for the end marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_auth_port'($*)) dnl
dnl Declare the port type dependency so the rule resolves in a loadable module.
gen_require(`
type auth_port_t;
')
allow $1 auth_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_auth_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the auth port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_auth_port',` dnl
dnl Purpose: allow $1 to bind UDP sockets to a port labeled auth_port_t
dnl (udp_socket name_bind), and grant $1 the net_bind_service capability that
dnl a privileged-port bind also requires.
dnl NOTE(review): the capability rule is on self:capability and is not tied to
dnl auth_port_t, so it also satisfies the capability check for any other
dnl privileged-port bind $1 is allowed elsewhere. Weigh that before using this
dnl interface for a domain that only needs a single port.
dnl   $1 = domain granted bind on the auth port.
dnl Depth bookkeeping: bump policy_call_depth for the begin marker, push the decremented value for the end marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_auth_port'($*)) dnl
dnl Declare the port type dependency so the rule resolves in a loadable module.
gen_require(`
type auth_port_t;
')
allow $1 auth_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_auth_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the auth port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_auth_port',` dnl
dnl Purpose: allow $1 to make outbound TCP connections to a port labeled
dnl auth_port_t (tcp_socket name_connect). Grants only name_connect; binding
dnl and send/receive permissions come from the separate interfaces.
dnl   $1 = domain granted connect to the auth port.
dnl Depth bookkeeping: bump policy_call_depth for the begin marker, push the decremented value for the end marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_auth_port'($*)) dnl
dnl Declare the port type dependency so the rule resolves in a loadable module.
gen_require(`
type auth_port_t;
')
allow $1 auth_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_auth_port'($*)) dnl
')
########################################
##
## Send auth_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_auth_client_packets',` dnl
dnl Purpose: allow $1 to send packets labeled auth_client_packet_t
dnl (packet class, send permission). Nothing else is granted here.
dnl   $1 = domain granted packet send.
dnl Depth bookkeeping: bump policy_call_depth for the begin marker, push the decremented value for the end marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_auth_client_packets'($*)) dnl
dnl Declare the packet type dependency so the rule resolves in a loadable module.
gen_require(`
type auth_client_packet_t;
')
allow $1 auth_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_auth_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send auth_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_auth_client_packets',` dnl
dnl Purpose: suppress audit logging when $1 is denied sending packets labeled
dnl auth_client_packet_t. Emits a dontaudit rule only: no access is granted,
dnl the AVC denial just stops being logged.
dnl   $1 = domain to stop auditing.
dnl Depth bookkeeping: bump policy_call_depth for the begin marker, push the decremented value for the end marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_auth_client_packets'($*)) dnl
dnl Declare the packet type dependency so the rule resolves in a loadable module.
gen_require(`
type auth_client_packet_t;
')
dontaudit $1 auth_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_auth_client_packets'($*)) dnl
')
########################################
##
## Receive auth_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_auth_client_packets',` dnl
dnl Purpose: allow $1 to receive packets labeled auth_client_packet_t
dnl (packet class, recv permission). Nothing else is granted here.
dnl   $1 = domain granted packet receive.
dnl Depth bookkeeping: bump policy_call_depth for the begin marker, push the decremented value for the end marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_auth_client_packets'($*)) dnl
dnl Declare the packet type dependency so the rule resolves in a loadable module.
gen_require(`
type auth_client_packet_t;
')
allow $1 auth_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_auth_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive auth_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_auth_client_packets',` dnl
dnl Purpose: suppress audit logging when $1 is denied receiving packets labeled
dnl auth_client_packet_t. Emits a dontaudit rule only: no access is granted,
dnl the AVC denial just stops being logged.
dnl   $1 = domain to stop auditing.
dnl Depth bookkeeping: bump policy_call_depth for the begin marker, push the decremented value for the end marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_auth_client_packets'($*)) dnl
dnl Declare the packet type dependency so the rule resolves in a loadable module.
gen_require(`
type auth_client_packet_t;
')
dontaudit $1 auth_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_auth_client_packets'($*)) dnl
')
########################################
##
## Send and receive auth_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_auth_client_packets',` dnl
dnl Purpose: convenience wrapper granting $1 both directions on
dnl auth_client_packet_t by expanding the send and receive interfaces.
dnl It emits no rules of its own, so no gen_require is needed here.
dnl   $1 = domain granted packet send and receive.
dnl Depth bookkeeping: bump policy_call_depth for the begin marker, push the decremented value for the end marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_auth_client_packets'($*)) dnl
corenet_send_auth_client_packets($1)
corenet_receive_auth_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_auth_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive auth_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_auth_client_packets',` dnl
dnl Purpose: convenience wrapper that silences denial logging for $1 in both
dnl directions on auth_client_packet_t by expanding the two dontaudit
dnl interfaces. Grants nothing; emits no rules of its own.
dnl   $1 = domain to stop auditing.
dnl Depth bookkeeping: bump policy_call_depth for the begin marker, push the decremented value for the end marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_auth_client_packets'($*)) dnl
corenet_dontaudit_send_auth_client_packets($1)
corenet_dontaudit_receive_auth_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_auth_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the auth_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_auth_client_packets',` dnl
dnl Purpose: allow $1 to relabel packets to auth_client_packet_t
dnl (packet class, relabelto permission). This is a labeling privilege, not
dnl a traffic permission: a domain holding it decides which packets later
dnl match the auth_client send/recv rules, so grant it narrowly.
dnl NOTE(review): presumably needed only by the component applying packet labels; confirm against the caller.
dnl   $1 = domain granted relabelto.
dnl Depth bookkeeping: bump policy_call_depth for the begin marker, push the decremented value for the end marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_auth_client_packets'($*)) dnl
dnl Declare the packet type dependency so the rule resolves in a loadable module.
gen_require(`
type auth_client_packet_t;
')
allow $1 auth_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_auth_client_packets'($*)) dnl
')
########################################
##
## Send auth_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_auth_server_packets',` dnl
dnl Purpose: allow $1 to send packets labeled auth_server_packet_t
dnl (packet class, send permission). Nothing else is granted here.
dnl   $1 = domain granted packet send.
dnl Depth bookkeeping: bump policy_call_depth for the begin marker, push the decremented value for the end marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_auth_server_packets'($*)) dnl
dnl Declare the packet type dependency so the rule resolves in a loadable module.
gen_require(`
type auth_server_packet_t;
')
allow $1 auth_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_auth_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send auth_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_auth_server_packets',` dnl
dnl Purpose: suppress audit logging when $1 is denied sending packets labeled
dnl auth_server_packet_t. Emits a dontaudit rule only: no access is granted,
dnl the AVC denial just stops being logged.
dnl   $1 = domain to stop auditing.
dnl Depth bookkeeping: bump policy_call_depth for the begin marker, push the decremented value for the end marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_auth_server_packets'($*)) dnl
dnl Declare the packet type dependency so the rule resolves in a loadable module.
gen_require(`
type auth_server_packet_t;
')
dontaudit $1 auth_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_auth_server_packets'($*)) dnl
')
########################################
##
## Receive auth_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_auth_server_packets',` dnl
dnl Purpose: allow $1 to receive packets labeled auth_server_packet_t
dnl (packet class, recv permission). Nothing else is granted here.
dnl   $1 = domain granted packet receive.
dnl Depth bookkeeping: bump policy_call_depth for the begin marker, push the decremented value for the end marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_auth_server_packets'($*)) dnl
dnl Declare the packet type dependency so the rule resolves in a loadable module.
gen_require(`
type auth_server_packet_t;
')
allow $1 auth_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_auth_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive auth_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_auth_server_packets',` dnl
dnl Purpose: suppress audit logging when $1 is denied receiving packets labeled
dnl auth_server_packet_t. Emits a dontaudit rule only: no access is granted,
dnl the AVC denial just stops being logged.
dnl   $1 = domain to stop auditing.
dnl Depth bookkeeping: bump policy_call_depth for the begin marker, push the decremented value for the end marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_auth_server_packets'($*)) dnl
dnl Declare the packet type dependency so the rule resolves in a loadable module.
gen_require(`
type auth_server_packet_t;
')
dontaudit $1 auth_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_auth_server_packets'($*)) dnl
')
########################################
##
## Send and receive auth_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_auth_server_packets',` dnl
dnl Purpose: convenience wrapper granting $1 both directions on
dnl auth_server_packet_t by expanding the send and receive interfaces.
dnl It emits no rules of its own, so no gen_require is needed here.
dnl   $1 = domain granted packet send and receive.
dnl Depth bookkeeping: bump policy_call_depth for the begin marker, push the decremented value for the end marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_auth_server_packets'($*)) dnl
corenet_send_auth_server_packets($1)
corenet_receive_auth_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_auth_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive auth_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_auth_server_packets',` dnl
dnl Purpose: convenience wrapper that silences denial logging for $1 in both
dnl directions on auth_server_packet_t by expanding the two dontaudit
dnl interfaces. Grants nothing; emits no rules of its own.
dnl   $1 = domain to stop auditing.
dnl Depth bookkeeping: bump policy_call_depth for the begin marker, push the decremented value for the end marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_auth_server_packets'($*)) dnl
corenet_dontaudit_send_auth_server_packets($1)
corenet_dontaudit_receive_auth_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_auth_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the auth_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_auth_server_packets',` dnl
dnl Purpose: allow $1 to relabel packets to auth_server_packet_t
dnl (packet class, relabelto permission). This is a labeling privilege, not
dnl a traffic permission: a domain holding it decides which packets later
dnl match the auth_server send/recv rules, so grant it narrowly.
dnl NOTE(review): presumably needed only by the component applying packet labels; confirm against the caller.
dnl   $1 = domain granted relabelto.
dnl Depth bookkeeping: bump policy_call_depth for the begin marker, push the decremented value for the end marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_auth_server_packets'($*)) dnl
dnl Declare the packet type dependency so the rule resolves in a loadable module.
gen_require(`
type auth_server_packet_t;
')
allow $1 auth_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_auth_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the bgp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_bgp_port',` dnl
dnl Purpose: allow $1 to send and receive TCP traffic on sockets bound to a
dnl port labeled bgp_port_t (tcp_socket send_msg and recv_msg). This does not
dnl include name_bind or name_connect; those are separate interfaces.
dnl   $1 = domain granted TCP send and receive on the bgp port.
dnl Depth bookkeeping: bump policy_call_depth for the begin marker, push the decremented value for the end marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_bgp_port'($*)) dnl
dnl Declare the port type dependency so the rule resolves in a loadable module.
gen_require(`
type bgp_port_t;
')
allow $1 bgp_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_bgp_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the bgp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_bgp_port',` dnl
dnl Purpose: allow $1 to send UDP datagrams to a port labeled bgp_port_t
dnl (udp_socket send_msg). Receive is a separate interface.
dnl   $1 = domain granted UDP send on the bgp port.
dnl Depth bookkeeping: bump policy_call_depth for the begin marker, push the decremented value for the end marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_bgp_port'($*)) dnl
dnl Declare the port type dependency so the rule resolves in a loadable module.
gen_require(`
type bgp_port_t;
')
allow $1 bgp_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_bgp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the bgp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_bgp_port',` dnl
dnl Purpose: suppress audit logging when $1 is denied sending UDP datagrams to
dnl a port labeled bgp_port_t. Emits a dontaudit rule only: no access is
dnl granted, the AVC denial just stops being logged.
dnl   $1 = domain to stop auditing.
dnl Depth bookkeeping: bump policy_call_depth for the begin marker, push the decremented value for the end marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_bgp_port'($*)) dnl
dnl Declare the port type dependency so the rule resolves in a loadable module.
gen_require(`
type bgp_port_t;
')
dontaudit $1 bgp_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_bgp_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the bgp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_bgp_port',` dnl
dnl Purpose: allow $1 to receive UDP datagrams on a port labeled bgp_port_t
dnl (udp_socket recv_msg). Binding to the port is a separate interface.
dnl   $1 = domain granted UDP receive on the bgp port.
dnl Depth bookkeeping: bump policy_call_depth for the begin marker, push the decremented value for the end marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_bgp_port'($*)) dnl
dnl Declare the port type dependency so the rule resolves in a loadable module.
gen_require(`
type bgp_port_t;
')
allow $1 bgp_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_bgp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the bgp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_bgp_port',` dnl
dnl Purpose: suppress audit logging when $1 is denied receiving UDP datagrams
dnl on a port labeled bgp_port_t. Emits a dontaudit rule only: no access is
dnl granted, the AVC denial just stops being logged.
dnl   $1 = domain to stop auditing.
dnl Depth bookkeeping: bump policy_call_depth for the begin marker, push the decremented value for the end marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_bgp_port'($*)) dnl
dnl Declare the port type dependency so the rule resolves in a loadable module.
gen_require(`
type bgp_port_t;
')
dontaudit $1 bgp_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_bgp_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the bgp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_bgp_port',` dnl
dnl Purpose: convenience wrapper granting $1 UDP send and receive on
dnl bgp_port_t by expanding the two single-direction interfaces.
dnl It emits no rules of its own, so no gen_require is needed here.
dnl   $1 = domain granted UDP send and receive on the bgp port.
dnl Depth bookkeeping: bump policy_call_depth for the begin marker, push the decremented value for the end marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_bgp_port'($*)) dnl
corenet_udp_send_bgp_port($1)
corenet_udp_receive_bgp_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_bgp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the bgp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_bgp_port',` dnl
dnl Purpose: convenience wrapper that silences denial logging for $1 on UDP
dnl send and receive to bgp_port_t by expanding the two dontaudit interfaces.
dnl Grants nothing; emits no rules of its own.
dnl   $1 = domain to stop auditing.
dnl Depth bookkeeping: bump policy_call_depth for the begin marker, push the decremented value for the end marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_bgp_port'($*)) dnl
corenet_dontaudit_udp_send_bgp_port($1)
corenet_dontaudit_udp_receive_bgp_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_bgp_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the bgp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_bgp_port',` dnl
dnl Purpose: allow $1 to bind TCP sockets to a port labeled bgp_port_t
dnl (tcp_socket name_bind), and grant $1 the net_bind_service capability that
dnl a privileged-port bind also requires.
dnl NOTE(review): the capability rule is on self:capability and is not tied to
dnl bgp_port_t, so it also satisfies the capability check for any other
dnl privileged-port bind $1 is allowed elsewhere. Weigh that before using this
dnl interface for a domain that only needs a single port.
dnl   $1 = domain granted bind on the bgp port.
dnl Depth bookkeeping: bump policy_call_depth for the begin marker, push the decremented value for the end marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_bgp_port'($*)) dnl
dnl Declare the port type dependency so the rule resolves in a loadable module.
gen_require(`
type bgp_port_t;
')
allow $1 bgp_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_bgp_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the bgp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_bgp_port',` dnl
dnl Purpose: allow $1 to bind UDP sockets to a port labeled bgp_port_t
dnl (udp_socket name_bind), and grant $1 the net_bind_service capability that
dnl a privileged-port bind also requires.
dnl NOTE(review): the capability rule is on self:capability and is not tied to
dnl bgp_port_t, so it also satisfies the capability check for any other
dnl privileged-port bind $1 is allowed elsewhere. Weigh that before using this
dnl interface for a domain that only needs a single port.
dnl   $1 = domain granted bind on the bgp port.
dnl Depth bookkeeping: bump policy_call_depth for the begin marker, push the decremented value for the end marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_bgp_port'($*)) dnl
dnl Declare the port type dependency so the rule resolves in a loadable module.
gen_require(`
type bgp_port_t;
')
allow $1 bgp_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_bgp_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the bgp port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_bgp_port',` dnl
dnl Purpose: allow $1 to make outbound TCP connections to a port labeled
dnl bgp_port_t (tcp_socket name_connect). Grants only name_connect; binding
dnl and send/receive permissions come from the separate interfaces.
dnl   $1 = domain granted connect to the bgp port.
dnl Depth bookkeeping: bump policy_call_depth for the begin marker, push the decremented value for the end marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_bgp_port'($*)) dnl
dnl Declare the port type dependency so the rule resolves in a loadable module.
gen_require(`
type bgp_port_t;
')
allow $1 bgp_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_bgp_port'($*)) dnl
')
########################################
##
## Send bgp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_bgp_client_packets',` dnl
dnl Purpose: allow $1 to send packets labeled bgp_client_packet_t
dnl (packet class, send permission). Nothing else is granted here.
dnl   $1 = domain granted packet send.
dnl Depth bookkeeping: bump policy_call_depth for the begin marker, push the decremented value for the end marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_bgp_client_packets'($*)) dnl
dnl Declare the packet type dependency so the rule resolves in a loadable module.
gen_require(`
type bgp_client_packet_t;
')
allow $1 bgp_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_bgp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send bgp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_bgp_client_packets',` dnl
dnl Purpose: suppress audit logging when $1 is denied sending packets labeled
dnl bgp_client_packet_t. Emits a dontaudit rule only: no access is granted,
dnl the AVC denial just stops being logged.
dnl   $1 = domain to stop auditing.
dnl Depth bookkeeping: bump policy_call_depth for the begin marker, push the decremented value for the end marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_bgp_client_packets'($*)) dnl
dnl Declare the packet type dependency so the rule resolves in a loadable module.
gen_require(`
type bgp_client_packet_t;
')
dontaudit $1 bgp_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_bgp_client_packets'($*)) dnl
')
########################################
##
## Receive bgp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_bgp_client_packets',` dnl
dnl Purpose: allow $1 to receive packets labeled bgp_client_packet_t
dnl (packet class, recv permission). Nothing else is granted here.
dnl   $1 = domain granted packet receive.
dnl Depth bookkeeping: bump policy_call_depth for the begin marker, push the decremented value for the end marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_bgp_client_packets'($*)) dnl
dnl Declare the packet type dependency so the rule resolves in a loadable module.
gen_require(`
type bgp_client_packet_t;
')
allow $1 bgp_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_bgp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive bgp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_bgp_client_packets',` dnl
dnl Purpose: suppress audit logging when $1 is denied receiving packets labeled
dnl bgp_client_packet_t. Emits a dontaudit rule only: no access is granted,
dnl the AVC denial just stops being logged.
dnl   $1 = domain to stop auditing.
dnl Depth bookkeeping: bump policy_call_depth for the begin marker, push the decremented value for the end marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_bgp_client_packets'($*)) dnl
dnl Declare the packet type dependency so the rule resolves in a loadable module.
gen_require(`
type bgp_client_packet_t;
')
dontaudit $1 bgp_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_bgp_client_packets'($*)) dnl
')
########################################
##
## Send and receive bgp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_bgp_client_packets',` dnl
dnl Purpose: convenience wrapper granting $1 both directions on
dnl bgp_client_packet_t by expanding the send and receive interfaces.
dnl It emits no rules of its own, so no gen_require is needed here.
dnl   $1 = domain granted packet send and receive.
dnl Depth bookkeeping: bump policy_call_depth for the begin marker, push the decremented value for the end marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_bgp_client_packets'($*)) dnl
corenet_send_bgp_client_packets($1)
corenet_receive_bgp_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_bgp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive bgp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_bgp_client_packets',` dnl
dnl Purpose: convenience wrapper that silences denial logging for $1 in both
dnl directions on bgp_client_packet_t by expanding the two dontaudit
dnl interfaces. Grants nothing; emits no rules of its own.
dnl   $1 = domain to stop auditing.
dnl Depth bookkeeping: bump policy_call_depth for the begin marker, push the decremented value for the end marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_bgp_client_packets'($*)) dnl
corenet_dontaudit_send_bgp_client_packets($1)
corenet_dontaudit_receive_bgp_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_bgp_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the bgp_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_bgp_client_packets',` dnl
dnl Purpose: allow $1 to relabel packets to bgp_client_packet_t
dnl (packet class, relabelto permission). This is a labeling privilege, not
dnl a traffic permission: a domain holding it decides which packets later
dnl match the bgp_client send/recv rules, so grant it narrowly.
dnl NOTE(review): presumably needed only by the component applying packet labels; confirm against the caller.
dnl   $1 = domain granted relabelto.
dnl Depth bookkeeping: bump policy_call_depth for the begin marker, push the decremented value for the end marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_bgp_client_packets'($*)) dnl
dnl Declare the packet type dependency so the rule resolves in a loadable module.
gen_require(`
type bgp_client_packet_t;
')
allow $1 bgp_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_bgp_client_packets'($*)) dnl
')
########################################
##
## Send bgp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_bgp_server_packets',` dnl
dnl Purpose: allow $1 to send packets labeled bgp_server_packet_t
dnl (packet class, send permission). Nothing else is granted here.
dnl   $1 = domain granted packet send.
dnl Depth bookkeeping: bump policy_call_depth for the begin marker, push the decremented value for the end marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_bgp_server_packets'($*)) dnl
dnl Declare the packet type dependency so the rule resolves in a loadable module.
gen_require(`
type bgp_server_packet_t;
')
allow $1 bgp_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_bgp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send bgp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_bgp_server_packets',` dnl
dnl Purpose: suppress audit logging when $1 is denied sending packets labeled
dnl bgp_server_packet_t. Emits a dontaudit rule only: no access is granted,
dnl the AVC denial just stops being logged.
dnl   $1 = domain to stop auditing.
dnl Depth bookkeeping: bump policy_call_depth for the begin marker, push the decremented value for the end marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_bgp_server_packets'($*)) dnl
dnl Declare the packet type dependency so the rule resolves in a loadable module.
gen_require(`
type bgp_server_packet_t;
')
dontaudit $1 bgp_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_bgp_server_packets'($*)) dnl
')
########################################
##
## Receive bgp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_bgp_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_bgp_server_packets'($*)) dnl
# Let the caller domain given as first argument receive packets carrying
# the bgp_server_packet_t label. The packet class is only checked on
# traffic the kernel has labelled -- NOTE(review): confirm packet labelling
# rules are loaded; without them this grant has no effect.
gen_require(`
type bgp_server_packet_t;
')
allow $1 bgp_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_bgp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive bgp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_bgp_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_bgp_server_packets'($*)) dnl
# Suppress the AVC record when the caller domain given as first argument
# is denied receiving bgp_server_packet_t packets. The access stays denied;
# only the audit entry disappears. Hidden denials are lost detection
# signal so keep this interface for known-benign noise only.
gen_require(`
type bgp_server_packet_t;
')
dontaudit $1 bgp_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_bgp_server_packets'($*)) dnl
')
########################################
##
## Send and receive bgp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_bgp_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_bgp_server_packets'($*)) dnl
# Convenience wrapper: grants send and recv on bgp_server_packet_t by
# calling the two single-direction interfaces. It adds no rules of its own.
corenet_send_bgp_server_packets($1)
corenet_receive_bgp_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_bgp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive bgp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_bgp_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_bgp_server_packets'($*)) dnl
# Convenience wrapper: silences both the send and the recv denial on
# bgp_server_packet_t by calling the two single-direction dontaudit
# interfaces. The access itself stays denied.
corenet_dontaudit_send_bgp_server_packets($1)
corenet_dontaudit_receive_bgp_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_bgp_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the bgp_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_bgp_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_bgp_server_packets'($*)) dnl
# Let the caller domain given as first argument apply the bgp_server_packet_t
# label to packets. This is the permission a packet-labelling firewall rule
# needs and is distinct from sending or receiving such packets; it belongs
# to the domain that manages those rules -- NOTE(review): check that callers
# are limited to that role.
gen_require(`
type bgp_server_packet_t;
')
allow $1 bgp_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_bgp_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the clamd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_clamd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_clamd_port'($*)) dnl
# Let the caller domain given as first argument send and receive TCP data
# on a port labelled clamd_port_t. This covers traffic only; binding and
# connecting are separate interfaces. Which port numbers carry the label
# is set by portcon statements outside this file.
gen_require(`
type clamd_port_t;
')
allow $1 clamd_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_clamd_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the clamd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_clamd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_clamd_port'($*)) dnl
# Let the caller domain given as first argument send UDP datagrams to a
# port labelled clamd_port_t. Traffic only; binding is a separate
# interface. Which port numbers carry the label is set by portcon
# statements outside this file.
gen_require(`
type clamd_port_t;
')
allow $1 clamd_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_clamd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the clamd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_clamd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_clamd_port'($*)) dnl
# Suppress the AVC record when the caller domain given as first argument
# is denied sending UDP datagrams to a port labelled clamd_port_t. The
# access stays denied; only the audit entry disappears. Hidden denials
# are lost detection signal so keep this for known-benign noise only.
gen_require(`
type clamd_port_t;
')
dontaudit $1 clamd_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_clamd_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the clamd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_clamd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_clamd_port'($*)) dnl
# Let the caller domain given as first argument receive UDP datagrams on
# a port labelled clamd_port_t. Traffic only; binding is a separate
# interface. Which port numbers carry the label is set by portcon
# statements outside this file.
gen_require(`
type clamd_port_t;
')
allow $1 clamd_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_clamd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the clamd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_clamd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_clamd_port'($*)) dnl
# Suppress the AVC record when the caller domain given as first argument
# is denied receiving UDP datagrams on a port labelled clamd_port_t. The
# access stays denied; only the audit entry disappears. Hidden denials
# are lost detection signal so keep this for known-benign noise only.
gen_require(`
type clamd_port_t;
')
dontaudit $1 clamd_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_clamd_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the clamd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_clamd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_clamd_port'($*)) dnl
# Convenience wrapper: grants UDP send and receive on clamd_port_t by
# calling the two single-direction interfaces. It adds no rules of its own.
corenet_udp_send_clamd_port($1)
corenet_udp_receive_clamd_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_clamd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the clamd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_clamd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_clamd_port'($*)) dnl
# Convenience wrapper: silences both the UDP send and receive denial on
# clamd_port_t by calling the two single-direction dontaudit interfaces.
# The access itself stays denied.
corenet_dontaudit_udp_send_clamd_port($1)
corenet_dontaudit_udp_receive_clamd_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_clamd_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the clamd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_clamd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_clamd_port'($*)) dnl
# Let the caller domain given as first argument bind a TCP socket to a
# port labelled clamd_port_t and so listen there. This is the server-side
# grant; keep it to the daemon that actually serves on the port. Which
# port numbers carry the label is set by portcon statements outside this
# file.
gen_require(`
type clamd_port_t;
')
allow $1 clamd_port_t:tcp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_clamd_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the clamd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_clamd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_clamd_port'($*)) dnl
# Let the caller domain given as first argument bind a UDP socket to a
# port labelled clamd_port_t. This is the server-side grant; keep it to
# the daemon that actually serves on the port. Which port numbers carry
# the label is set by portcon statements outside this file.
gen_require(`
type clamd_port_t;
')
allow $1 clamd_port_t:udp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_clamd_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the clamd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_clamd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_clamd_port'($*)) dnl
# Let the caller domain given as first argument open an outbound TCP
# connection to a port labelled clamd_port_t. This is the client-side
# grant and does not allow binding to the port. Which port numbers carry
# the label is set by portcon statements outside this file.
gen_require(`
type clamd_port_t;
')
allow $1 clamd_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_clamd_port'($*)) dnl
')
########################################
##
## Send clamd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_clamd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_clamd_client_packets'($*)) dnl
# Let the caller domain given as first argument send packets carrying the
# clamd_client_packet_t label. The packet class is only checked on traffic
# the kernel has labelled -- NOTE(review): confirm packet labelling rules
# are loaded; without them this grant has no effect.
gen_require(`
type clamd_client_packet_t;
')
allow $1 clamd_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_clamd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send clamd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_clamd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_clamd_client_packets'($*)) dnl
# Suppress the AVC record when the caller domain given as first argument
# is denied sending clamd_client_packet_t packets. The access stays denied;
# only the audit entry disappears. Hidden denials are lost detection
# signal so keep this interface for known-benign noise only.
gen_require(`
type clamd_client_packet_t;
')
dontaudit $1 clamd_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_clamd_client_packets'($*)) dnl
')
########################################
##
## Receive clamd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_clamd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_clamd_client_packets'($*)) dnl
# Let the caller domain given as first argument receive packets carrying
# the clamd_client_packet_t label. The packet class is only checked on
# traffic the kernel has labelled -- NOTE(review): confirm packet labelling
# rules are loaded; without them this grant has no effect.
gen_require(`
type clamd_client_packet_t;
')
allow $1 clamd_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_clamd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive clamd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_clamd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_clamd_client_packets'($*)) dnl
# Suppress the AVC record when the caller domain given as first argument
# is denied receiving clamd_client_packet_t packets. The access stays
# denied; only the audit entry disappears. Hidden denials are lost
# detection signal so keep this interface for known-benign noise only.
gen_require(`
type clamd_client_packet_t;
')
dontaudit $1 clamd_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_clamd_client_packets'($*)) dnl
')
########################################
##
## Send and receive clamd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_clamd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_clamd_client_packets'($*)) dnl
# Convenience wrapper: grants send and recv on clamd_client_packet_t by
# calling the two single-direction interfaces. It adds no rules of its own.
corenet_send_clamd_client_packets($1)
corenet_receive_clamd_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_clamd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive clamd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_clamd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_clamd_client_packets'($*)) dnl
# Convenience wrapper: silences both the send and the recv denial on
# clamd_client_packet_t by calling the two single-direction dontaudit
# interfaces. The access itself stays denied.
corenet_dontaudit_send_clamd_client_packets($1)
corenet_dontaudit_receive_clamd_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_clamd_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the clamd_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_clamd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_clamd_client_packets'($*)) dnl
# Let the caller domain given as first argument apply the
# clamd_client_packet_t label to packets. This is the permission a
# packet-labelling firewall rule needs and is distinct from sending or
# receiving such packets; it belongs to the domain that manages those
# rules -- NOTE(review): check that callers are limited to that role.
gen_require(`
type clamd_client_packet_t;
')
allow $1 clamd_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_clamd_client_packets'($*)) dnl
')
########################################
##
## Send clamd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_clamd_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_clamd_server_packets'($*)) dnl
# Let the caller domain given as first argument send packets carrying the
# clamd_server_packet_t label. The packet class is only checked on traffic
# the kernel has labelled -- NOTE(review): confirm packet labelling rules
# are loaded; without them this grant has no effect.
gen_require(`
type clamd_server_packet_t;
')
allow $1 clamd_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_clamd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send clamd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_clamd_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_clamd_server_packets'($*)) dnl
# Suppress the AVC record when the caller domain given as first argument
# is denied sending clamd_server_packet_t packets. The access stays denied;
# only the audit entry disappears. Hidden denials are lost detection
# signal so keep this interface for known-benign noise only.
gen_require(`
type clamd_server_packet_t;
')
dontaudit $1 clamd_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_clamd_server_packets'($*)) dnl
')
########################################
##
## Receive clamd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_clamd_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_clamd_server_packets'($*)) dnl
# Let the caller domain given as first argument receive packets carrying
# the clamd_server_packet_t label. The packet class is only checked on
# traffic the kernel has labelled -- NOTE(review): confirm packet labelling
# rules are loaded; without them this grant has no effect.
gen_require(`
type clamd_server_packet_t;
')
allow $1 clamd_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_clamd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive clamd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_clamd_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_clamd_server_packets'($*)) dnl
# Suppress the AVC record when the caller domain given as first argument
# is denied receiving clamd_server_packet_t packets. The access stays
# denied; only the audit entry disappears. Hidden denials are lost
# detection signal so keep this interface for known-benign noise only.
gen_require(`
type clamd_server_packet_t;
')
dontaudit $1 clamd_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_clamd_server_packets'($*)) dnl
')
########################################
##
## Send and receive clamd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_clamd_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_clamd_server_packets'($*)) dnl
# Convenience wrapper: grants send and recv on clamd_server_packet_t by
# calling the two single-direction interfaces. It adds no rules of its own.
corenet_send_clamd_server_packets($1)
corenet_receive_clamd_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_clamd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive clamd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_clamd_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_clamd_server_packets'($*)) dnl
# Convenience wrapper: silences both the send and the recv denial on
# clamd_server_packet_t by calling the two single-direction dontaudit
# interfaces. The access itself stays denied.
corenet_dontaudit_send_clamd_server_packets($1)
corenet_dontaudit_receive_clamd_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_clamd_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the clamd_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_clamd_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_clamd_server_packets'($*)) dnl
# Let the caller domain given as first argument apply the
# clamd_server_packet_t label to packets. This is the permission a
# packet-labelling firewall rule needs and is distinct from sending or
# receiving such packets; it belongs to the domain that manages those
# rules -- NOTE(review): check that callers are limited to that role.
gen_require(`
type clamd_server_packet_t;
')
allow $1 clamd_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_clamd_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the clockspeed port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_clockspeed_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_clockspeed_port'($*)) dnl
# Let the caller domain given as first argument send and receive TCP data
# on a port labelled clockspeed_port_t. This covers traffic only; binding
# and connecting are separate interfaces. Which port numbers carry the
# label is set by portcon statements outside this file.
gen_require(`
type clockspeed_port_t;
')
allow $1 clockspeed_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_clockspeed_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the clockspeed port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_clockspeed_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_clockspeed_port'($*)) dnl
# Let the caller domain given as first argument send UDP datagrams to a
# port labelled clockspeed_port_t. Traffic only; binding is a separate
# interface. Which port numbers carry the label is set by portcon
# statements outside this file.
gen_require(`
type clockspeed_port_t;
')
allow $1 clockspeed_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_clockspeed_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the clockspeed port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_clockspeed_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_clockspeed_port'($*)) dnl
# Suppress the AVC record when the caller domain given as first argument
# is denied sending UDP datagrams to a port labelled clockspeed_port_t.
# The access stays denied; only the audit entry disappears. Hidden
# denials are lost detection signal so keep this for known-benign noise.
gen_require(`
type clockspeed_port_t;
')
dontaudit $1 clockspeed_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_clockspeed_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the clockspeed port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_clockspeed_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_clockspeed_port'($*)) dnl
# Let the caller domain given as first argument receive UDP datagrams on
# a port labelled clockspeed_port_t. Traffic only; binding is a separate
# interface. Which port numbers carry the label is set by portcon
# statements outside this file.
gen_require(`
type clockspeed_port_t;
')
allow $1 clockspeed_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_clockspeed_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the clockspeed port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_clockspeed_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_clockspeed_port'($*)) dnl
# Suppress the AVC record when the caller domain given as first argument
# is denied receiving UDP datagrams on a port labelled clockspeed_port_t.
# The access stays denied; only the audit entry disappears. Hidden
# denials are lost detection signal so keep this for known-benign noise.
gen_require(`
type clockspeed_port_t;
')
dontaudit $1 clockspeed_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_clockspeed_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the clockspeed port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_clockspeed_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_clockspeed_port'($*)) dnl
# Convenience wrapper: grants UDP send and receive on clockspeed_port_t by
# calling the two single-direction interfaces. It adds no rules of its own.
corenet_udp_send_clockspeed_port($1)
corenet_udp_receive_clockspeed_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_clockspeed_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the clockspeed port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_clockspeed_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_clockspeed_port'($*)) dnl
# Convenience wrapper: silences both the UDP send and receive denial on
# clockspeed_port_t by calling the two single-direction dontaudit
# interfaces. The access itself stays denied.
corenet_dontaudit_udp_send_clockspeed_port($1)
corenet_dontaudit_udp_receive_clockspeed_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_clockspeed_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the clockspeed port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_clockspeed_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_clockspeed_port'($*)) dnl
# Let the caller domain given as first argument bind a TCP socket to a
# port labelled clockspeed_port_t and so listen there. This is the
# server-side grant; keep it to the daemon that actually serves on the
# port. Which port numbers carry the label is set by portcon statements
# outside this file.
gen_require(`
type clockspeed_port_t;
')
allow $1 clockspeed_port_t:tcp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_clockspeed_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the clockspeed port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_clockspeed_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_clockspeed_port'($*)) dnl
# Let the caller domain given as first argument bind a UDP socket to a
# port labelled clockspeed_port_t. This is the server-side grant; keep it
# to the daemon that actually serves on the port. Which port numbers
# carry the label is set by portcon statements outside this file.
gen_require(`
type clockspeed_port_t;
')
allow $1 clockspeed_port_t:udp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_clockspeed_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the clockspeed port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_clockspeed_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_clockspeed_port'($*)) dnl
# Let the caller domain given as first argument open an outbound TCP
# connection to a port labelled clockspeed_port_t. This is the client-side
# grant and does not allow binding to the port. Which port numbers carry
# the label is set by portcon statements outside this file.
gen_require(`
type clockspeed_port_t;
')
allow $1 clockspeed_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_clockspeed_port'($*)) dnl
')
########################################
##
## Send clockspeed_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_clockspeed_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_clockspeed_client_packets'($*)) dnl
# Let the caller domain given as first argument send packets carrying the
# clockspeed_client_packet_t label. The packet class is only checked on
# traffic the kernel has labelled -- NOTE(review): confirm packet labelling
# rules are loaded; without them this grant has no effect.
gen_require(`
type clockspeed_client_packet_t;
')
allow $1 clockspeed_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_clockspeed_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send clockspeed_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_clockspeed_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_clockspeed_client_packets'($*)) dnl
# Suppress the AVC record when the caller domain given as first argument
# is denied sending clockspeed_client_packet_t packets. The access stays
# denied; only the audit entry disappears. Hidden denials are lost
# detection signal so keep this interface for known-benign noise only.
gen_require(`
type clockspeed_client_packet_t;
')
dontaudit $1 clockspeed_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_clockspeed_client_packets'($*)) dnl
')
########################################
##
## Receive clockspeed_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_clockspeed_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_clockspeed_client_packets'($*)) dnl
# Let the caller domain given as first argument receive packets carrying
# the clockspeed_client_packet_t label. The packet class is only checked
# on traffic the kernel has labelled -- NOTE(review): confirm packet
# labelling rules are loaded; without them this grant has no effect.
gen_require(`
type clockspeed_client_packet_t;
')
allow $1 clockspeed_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_clockspeed_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive clockspeed_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_clockspeed_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_clockspeed_client_packets'($*)) dnl
# Suppress the AVC record when the caller domain given as first argument
# is denied receiving clockspeed_client_packet_t packets. The access stays
# denied; only the audit entry disappears. Hidden denials are lost
# detection signal so keep this interface for known-benign noise only.
gen_require(`
type clockspeed_client_packet_t;
')
dontaudit $1 clockspeed_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_clockspeed_client_packets'($*)) dnl
')
########################################
##
## Send and receive clockspeed_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_clockspeed_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_clockspeed_client_packets'($*)) dnl
# Convenience wrapper: grants send and recv on clockspeed_client_packet_t
# by calling the two single-direction interfaces. It adds no rules of
# its own.
corenet_send_clockspeed_client_packets($1)
corenet_receive_clockspeed_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_clockspeed_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive clockspeed_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_clockspeed_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_clockspeed_client_packets'($*)) dnl
# Convenience wrapper: silences both the send and the recv denial on
# clockspeed_client_packet_t by calling the two single-direction dontaudit
# interfaces. The access itself stays denied.
corenet_dontaudit_send_clockspeed_client_packets($1)
corenet_dontaudit_receive_clockspeed_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_clockspeed_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the clockspeed_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_clockspeed_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_clockspeed_client_packets'($*)) dnl
# Let the caller domain given as first argument apply the
# clockspeed_client_packet_t label to packets. This is the permission a
# packet-labelling firewall rule needs and is distinct from sending or
# receiving such packets; it belongs to the domain that manages those
# rules -- NOTE(review): check that callers are limited to that role.
gen_require(`
type clockspeed_client_packet_t;
')
allow $1 clockspeed_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_clockspeed_client_packets'($*)) dnl
')
########################################
##
## Send clockspeed_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_clockspeed_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_clockspeed_server_packets'($*)) dnl
gen_require(`
type clockspeed_server_packet_t;
')
# Egress: allows sending packets labeled clockspeed_server_packet_t. packet-class checks only take effect for traffic that netfilter SECMARK rules assign this label to.
allow $1 clockspeed_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_clockspeed_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send clockspeed_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_clockspeed_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_clockspeed_server_packets'($*)) dnl
gen_require(`
type clockspeed_server_packet_t;
')
# Audit suppression only: denials for sending clockspeed_server packets are not logged; no access is granted. Use sparingly, since it hides evidence of policy violations.
dontaudit $1 clockspeed_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_clockspeed_server_packets'($*)) dnl
')
########################################
##
## Receive clockspeed_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_clockspeed_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_clockspeed_server_packets'($*)) dnl
gen_require(`
type clockspeed_server_packet_t;
')
# Ingress: allows receiving packets labeled clockspeed_server_packet_t (enforced only for SECMARK-labeled traffic).
allow $1 clockspeed_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_clockspeed_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive clockspeed_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_clockspeed_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_clockspeed_server_packets'($*)) dnl
gen_require(`
type clockspeed_server_packet_t;
')
# Audit suppression only: denials for receiving clockspeed_server packets are not logged; no access is granted.
dontaudit $1 clockspeed_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_clockspeed_server_packets'($*)) dnl
')
########################################
##
## Send and receive clockspeed_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_clockspeed_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_clockspeed_server_packets'($*)) dnl
# Composite: delegates to the send and receive interfaces defined above, each of which carries its own gen_require for clockspeed_server_packet_t.
corenet_send_clockspeed_server_packets($1)
corenet_receive_clockspeed_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_clockspeed_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive clockspeed_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_clockspeed_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_clockspeed_server_packets'($*)) dnl
# Composite dontaudit: suppresses denial logging in both directions for clockspeed_server packets; grants nothing.
corenet_dontaudit_send_clockspeed_server_packets($1)
corenet_dontaudit_receive_clockspeed_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_clockspeed_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the clockspeed_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_clockspeed_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_clockspeed_server_packets'($*)) dnl
gen_require(`
type clockspeed_server_packet_t;
')
# packet relabelto is typically needed only by the domain that installs SECMARK rules assigning this label; it is not a client or server network permission.
allow $1 clockspeed_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_clockspeed_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the cluster port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_cluster_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_cluster_port'($*)) dnl
gen_require(`
type cluster_port_t;
')
# Port-based send_msg/recv_msg on tcp_socket. NOTE(review): these are legacy compat network checks; with network_peer_controls enabled the effective controls are name_bind/name_connect and peer recv - confirm against the target kernel.
allow $1 cluster_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_cluster_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the cluster port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_cluster_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_cluster_port'($*)) dnl
gen_require(`
type cluster_port_t;
')
# Legacy port-based UDP egress check (send_msg on the port type); compat-only once network_peer_controls is in effect.
allow $1 cluster_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_cluster_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the cluster port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_cluster_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_cluster_port'($*)) dnl
gen_require(`
type cluster_port_t;
')
# Audit suppression only: hides denials for UDP sends to the cluster port without granting them.
dontaudit $1 cluster_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_cluster_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the cluster port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_cluster_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_cluster_port'($*)) dnl
gen_require(`
type cluster_port_t;
')
# Legacy port-based UDP ingress check (recv_msg on the port type); compat-only once network_peer_controls is in effect.
allow $1 cluster_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_cluster_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the cluster port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_cluster_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_cluster_port'($*)) dnl
gen_require(`
type cluster_port_t;
')
# Audit suppression only: hides denials for UDP receives on the cluster port without granting them.
dontaudit $1 cluster_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_cluster_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the cluster port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_cluster_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_cluster_port'($*)) dnl
# Composite: delegates to the UDP send and receive interfaces above, which carry their own gen_require for cluster_port_t.
corenet_udp_send_cluster_port($1)
corenet_udp_receive_cluster_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_cluster_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the cluster port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_cluster_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_cluster_port'($*)) dnl
# Composite dontaudit: suppresses denial logging for UDP traffic in both directions on the cluster port; grants nothing.
corenet_dontaudit_udp_send_cluster_port($1)
corenet_dontaudit_udp_receive_cluster_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_cluster_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the cluster port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_cluster_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_cluster_port'($*)) dnl
gen_require(`
type cluster_port_t;
')
# name_bind only. Unlike the comsat bind interfaces in this file, no net_bind_service capability is granted here, so this stays scoped to the cluster port type.
allow $1 cluster_port_t:tcp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_cluster_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the cluster port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_cluster_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_cluster_port'($*)) dnl
gen_require(`
type cluster_port_t;
')
# name_bind only; no capability is granted, so the permission is scoped to cluster_port_t (contrast the comsat bind interfaces, which add net_bind_service).
allow $1 cluster_port_t:udp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_cluster_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the cluster port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_cluster_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_cluster_port'($*)) dnl
gen_require(`
type cluster_port_t;
')
# name_connect permits outbound TCP connections to cluster_port_t only; creating and using the socket itself is not granted here.
allow $1 cluster_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_cluster_port'($*)) dnl
')
########################################
##
## Send cluster_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_cluster_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_cluster_client_packets'($*)) dnl
gen_require(`
type cluster_client_packet_t;
')
# Egress: allows sending packets labeled cluster_client_packet_t; enforced only for traffic that SECMARK rules assign this label to.
allow $1 cluster_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_cluster_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send cluster_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_cluster_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_cluster_client_packets'($*)) dnl
gen_require(`
type cluster_client_packet_t;
')
# Audit suppression only: denials for sending cluster_client packets are not logged; no access is granted.
dontaudit $1 cluster_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_cluster_client_packets'($*)) dnl
')
########################################
##
## Receive cluster_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_cluster_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_cluster_client_packets'($*)) dnl
gen_require(`
type cluster_client_packet_t;
')
# Ingress: allows receiving packets labeled cluster_client_packet_t (SECMARK-labeled traffic only).
allow $1 cluster_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_cluster_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive cluster_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_cluster_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_cluster_client_packets'($*)) dnl
gen_require(`
type cluster_client_packet_t;
')
# Audit suppression only: denials for receiving cluster_client packets are not logged; no access is granted.
dontaudit $1 cluster_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_cluster_client_packets'($*)) dnl
')
########################################
##
## Send and receive cluster_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_cluster_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_cluster_client_packets'($*)) dnl
# Composite: delegates to the send and receive interfaces above, each of which carries its own gen_require for cluster_client_packet_t.
corenet_send_cluster_client_packets($1)
corenet_receive_cluster_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_cluster_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive cluster_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_cluster_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_cluster_client_packets'($*)) dnl
# Composite dontaudit: suppresses denial logging in both directions for cluster_client packets; grants nothing.
corenet_dontaudit_send_cluster_client_packets($1)
corenet_dontaudit_receive_cluster_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_cluster_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the cluster_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_cluster_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_cluster_client_packets'($*)) dnl
gen_require(`
type cluster_client_packet_t;
')
# packet relabelto is typically needed only by the domain that installs SECMARK rules assigning this label; grant it narrowly rather than to ordinary clients.
allow $1 cluster_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_cluster_client_packets'($*)) dnl
')
########################################
##
## Send cluster_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_cluster_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_cluster_server_packets'($*)) dnl
gen_require(`
type cluster_server_packet_t;
')
# Egress: allows sending packets labeled cluster_server_packet_t; enforced only for traffic that SECMARK rules assign this label to.
allow $1 cluster_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_cluster_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send cluster_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_cluster_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_cluster_server_packets'($*)) dnl
gen_require(`
type cluster_server_packet_t;
')
# Audit suppression only: denials for sending cluster_server packets are not logged; no access is granted.
dontaudit $1 cluster_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_cluster_server_packets'($*)) dnl
')
########################################
##
## Receive cluster_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_cluster_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_cluster_server_packets'($*)) dnl
gen_require(`
type cluster_server_packet_t;
')
# Ingress: allows receiving packets labeled cluster_server_packet_t (SECMARK-labeled traffic only).
allow $1 cluster_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_cluster_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive cluster_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_cluster_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_cluster_server_packets'($*)) dnl
gen_require(`
type cluster_server_packet_t;
')
# Audit suppression only: denials for receiving cluster_server packets are not logged; no access is granted.
dontaudit $1 cluster_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_cluster_server_packets'($*)) dnl
')
########################################
##
## Send and receive cluster_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_cluster_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_cluster_server_packets'($*)) dnl
# Composite: delegates to the send and receive interfaces above, each of which carries its own gen_require for cluster_server_packet_t.
corenet_send_cluster_server_packets($1)
corenet_receive_cluster_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_cluster_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive cluster_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_cluster_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_cluster_server_packets'($*)) dnl
# Composite dontaudit: suppresses denial logging in both directions for cluster_server packets; grants nothing.
corenet_dontaudit_send_cluster_server_packets($1)
corenet_dontaudit_receive_cluster_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_cluster_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the cluster_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_cluster_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_cluster_server_packets'($*)) dnl
gen_require(`
type cluster_server_packet_t;
')
# packet relabelto is typically needed only by the domain that installs SECMARK rules assigning this label; it is not a client or server network permission.
allow $1 cluster_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_cluster_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the comsat port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_comsat_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_comsat_port'($*)) dnl
gen_require(`
type comsat_port_t;
')
# Port-based send_msg/recv_msg on tcp_socket. NOTE(review): legacy compat network checks; with network_peer_controls enabled the effective controls are name_bind/name_connect and peer recv.
allow $1 comsat_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_comsat_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the comsat port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_comsat_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_comsat_port'($*)) dnl
gen_require(`
type comsat_port_t;
')
# Legacy port-based UDP egress check (send_msg on the port type); compat-only once network_peer_controls is in effect.
allow $1 comsat_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_comsat_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the comsat port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_comsat_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_comsat_port'($*)) dnl
gen_require(`
type comsat_port_t;
')
# Audit suppression only: hides denials for UDP sends to the comsat port without granting them.
dontaudit $1 comsat_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_comsat_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the comsat port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_comsat_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_comsat_port'($*)) dnl
gen_require(`
type comsat_port_t;
')
# Legacy port-based UDP ingress check (recv_msg on the port type); compat-only once network_peer_controls is in effect.
allow $1 comsat_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_comsat_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the comsat port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_comsat_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_comsat_port'($*)) dnl
gen_require(`
type comsat_port_t;
')
# Audit suppression only: hides denials for UDP receives on the comsat port without granting them.
dontaudit $1 comsat_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_comsat_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the comsat port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_comsat_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_comsat_port'($*)) dnl
# Composite: delegates to the UDP send and receive interfaces above, which carry their own gen_require for comsat_port_t.
corenet_udp_send_comsat_port($1)
corenet_udp_receive_comsat_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_comsat_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the comsat port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_comsat_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_comsat_port'($*)) dnl
# Composite dontaudit: suppresses denial logging for UDP traffic in both directions on the comsat port; grants nothing.
corenet_dontaudit_udp_send_comsat_port($1)
corenet_dontaudit_udp_receive_comsat_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_comsat_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the comsat port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_comsat_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_comsat_port'($*)) dnl
gen_require(`
type comsat_port_t;
')
allow $1 comsat_port_t:tcp_socket name_bind;
# NOTE(review): net_bind_service is a process-wide capability, not scoped to comsat_port_t: it lets the domain bind any privileged (below 1024) port that policy otherwise permits. Callers of this interface get a broader grant than the name_bind line alone suggests.
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_comsat_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the comsat port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_comsat_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_comsat_port'($*)) dnl
gen_require(`
type comsat_port_t;
')
allow $1 comsat_port_t:udp_socket name_bind;
# NOTE(review): net_bind_service is a process-wide capability rather than a per-port grant; it is required because the comsat port is a privileged (below 1024) port, but it also covers every other privileged port the policy allows the domain to name_bind.
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_comsat_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the comsat port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_comsat_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_comsat_port'($*)) dnl
gen_require(`
type comsat_port_t;
')
# name_connect permits outbound TCP connections to comsat_port_t only; creating and using the socket itself is not granted here.
allow $1 comsat_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_comsat_port'($*)) dnl
')
########################################
##
## Send comsat_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_comsat_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_comsat_client_packets'($*)) dnl
gen_require(`
type comsat_client_packet_t;
')
# Egress: allows sending packets labeled comsat_client_packet_t; enforced only for traffic that SECMARK rules assign this label to.
allow $1 comsat_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_comsat_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send comsat_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_comsat_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_comsat_client_packets'($*)) dnl
gen_require(`
type comsat_client_packet_t;
')
# Audit suppression only: denials for sending comsat_client packets are not logged; no access is granted.
dontaudit $1 comsat_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_comsat_client_packets'($*)) dnl
')
########################################
##
## Receive comsat_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_comsat_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_comsat_client_packets'($*)) dnl
gen_require(`
type comsat_client_packet_t;
')
# Ingress: allows receiving packets labeled comsat_client_packet_t (SECMARK-labeled traffic only).
allow $1 comsat_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_comsat_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive comsat_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_comsat_client_packets',` dnl
dnl Silence AVC denials for the domain passed as argument 1 receiving
dnl comsat_client_packet_t packets (class packet, permission recv).
dnl This grants nothing; it only hides the denial from the audit log.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_comsat_client_packets'($*)) dnl
gen_require(`
type comsat_client_packet_t;
')
dontaudit $1 comsat_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_comsat_client_packets'($*)) dnl
')
########################################
##
## Send and receive comsat_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_comsat_client_packets',` dnl
dnl Convenience wrapper: expands the send and receive interfaces for
dnl comsat_client_packet_t with the same domain argument; it adds no rule itself.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_comsat_client_packets'($*)) dnl
corenet_send_comsat_client_packets($1)
corenet_receive_comsat_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_comsat_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive comsat_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_comsat_client_packets',` dnl
dnl Convenience wrapper: expands the dontaudit send and dontaudit receive
dnl interfaces for comsat_client_packet_t with the same domain argument.
dnl Like its parts, it grants nothing and only suppresses audit records.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_comsat_client_packets'($*)) dnl
corenet_dontaudit_send_comsat_client_packets($1)
corenet_dontaudit_receive_comsat_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_comsat_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the comsat_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_comsat_client_packets',` dnl
dnl Allow the domain passed as argument 1 to relabel packets to
dnl comsat_client_packet_t (class packet, permission relabelto).
dnl A packet label decides which packet send/recv rules apply to it, so this
dnl should only go to the domain responsible for assigning packet labels;
dnl review every caller of this interface.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_comsat_client_packets'($*)) dnl
gen_require(`
type comsat_client_packet_t;
')
allow $1 comsat_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_comsat_client_packets'($*)) dnl
')
########################################
##
## Send comsat_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_comsat_server_packets',` dnl
dnl Allow the domain passed as argument 1 to send packets labeled
dnl comsat_server_packet_t (class packet, permission send).
dnl The policy_call_depth bookkeeping below only feeds the policy_m4_comment
dnl trace markers and emits no policy rules of its own.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_comsat_server_packets'($*)) dnl
gen_require(`
type comsat_server_packet_t;
')
allow $1 comsat_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_comsat_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send comsat_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_comsat_server_packets',` dnl
dnl Silence AVC denials for the domain passed as argument 1 sending
dnl comsat_server_packet_t packets (class packet, permission send).
dnl This grants nothing; it only hides the denial from the audit log, so
dnl reserve it for known-benign noise that would otherwise trigger investigation.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_comsat_server_packets'($*)) dnl
gen_require(`
type comsat_server_packet_t;
')
dontaudit $1 comsat_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_comsat_server_packets'($*)) dnl
')
########################################
##
## Receive comsat_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_comsat_server_packets',` dnl
dnl Allow the domain passed as argument 1 to receive packets labeled
dnl comsat_server_packet_t (class packet, permission recv).
dnl The policy_call_depth bookkeeping below only feeds the policy_m4_comment
dnl trace markers and emits no policy rules of its own.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_comsat_server_packets'($*)) dnl
gen_require(`
type comsat_server_packet_t;
')
allow $1 comsat_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_comsat_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive comsat_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_comsat_server_packets',` dnl
dnl Silence AVC denials for the domain passed as argument 1 receiving
dnl comsat_server_packet_t packets (class packet, permission recv).
dnl This grants nothing; it only hides the denial from the audit log.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_comsat_server_packets'($*)) dnl
gen_require(`
type comsat_server_packet_t;
')
dontaudit $1 comsat_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_comsat_server_packets'($*)) dnl
')
########################################
##
## Send and receive comsat_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_comsat_server_packets',` dnl
dnl Convenience wrapper: expands the send and receive interfaces for
dnl comsat_server_packet_t with the same domain argument; it adds no rule itself.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_comsat_server_packets'($*)) dnl
corenet_send_comsat_server_packets($1)
corenet_receive_comsat_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_comsat_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive comsat_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_comsat_server_packets',` dnl
dnl Convenience wrapper: expands the dontaudit send and dontaudit receive
dnl interfaces for comsat_server_packet_t with the same domain argument.
dnl Like its parts, it grants nothing and only suppresses audit records.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_comsat_server_packets'($*)) dnl
corenet_dontaudit_send_comsat_server_packets($1)
corenet_dontaudit_receive_comsat_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_comsat_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the comsat_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_comsat_server_packets',` dnl
dnl Allow the domain passed as argument 1 to relabel packets to
dnl comsat_server_packet_t (class packet, permission relabelto).
dnl A packet label decides which packet send/recv rules apply to it, so this
dnl should only go to the domain responsible for assigning packet labels;
dnl review every caller of this interface.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_comsat_server_packets'($*)) dnl
gen_require(`
type comsat_server_packet_t;
')
allow $1 comsat_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_comsat_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the cvs port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_cvs_port',` dnl
dnl Allow the domain passed as argument 1 to send and receive TCP traffic on
dnl ports labeled cvs_port_t (class tcp_socket, permissions send_msg recv_msg).
dnl This does not include name_bind or name_connect; those come from the
dnl separate bind and connect interfaces for this port.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_cvs_port'($*)) dnl
gen_require(`
type cvs_port_t;
')
allow $1 cvs_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_cvs_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the cvs port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_cvs_port',` dnl
dnl Allow the domain passed as argument 1 to send UDP traffic to ports
dnl labeled cvs_port_t (class udp_socket, permission send_msg).
dnl The policy_call_depth bookkeeping below only feeds the policy_m4_comment
dnl trace markers and emits no policy rules of its own.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_cvs_port'($*)) dnl
gen_require(`
type cvs_port_t;
')
allow $1 cvs_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_cvs_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the cvs port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_cvs_port',` dnl
dnl Silence AVC denials for the domain passed as argument 1 sending UDP
dnl traffic to cvs_port_t ports (class udp_socket, permission send_msg).
dnl This grants nothing; it only hides the denial from the audit log.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_cvs_port'($*)) dnl
gen_require(`
type cvs_port_t;
')
dontaudit $1 cvs_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_cvs_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the cvs port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_cvs_port',` dnl
dnl Allow the domain passed as argument 1 to receive UDP traffic on ports
dnl labeled cvs_port_t (class udp_socket, permission recv_msg).
dnl The policy_call_depth bookkeeping below only feeds the policy_m4_comment
dnl trace markers and emits no policy rules of its own.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_cvs_port'($*)) dnl
gen_require(`
type cvs_port_t;
')
allow $1 cvs_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_cvs_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the cvs port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_cvs_port',` dnl
dnl Silence AVC denials for the domain passed as argument 1 receiving UDP
dnl traffic on cvs_port_t ports (class udp_socket, permission recv_msg).
dnl This grants nothing; it only hides the denial from the audit log.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_cvs_port'($*)) dnl
gen_require(`
type cvs_port_t;
')
dontaudit $1 cvs_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_cvs_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the cvs port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_cvs_port',` dnl
dnl Convenience wrapper: expands the UDP send and receive interfaces for
dnl cvs_port_t with the same domain argument; it adds no rule itself.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_cvs_port'($*)) dnl
corenet_udp_send_cvs_port($1)
corenet_udp_receive_cvs_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_cvs_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the cvs port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_cvs_port',` dnl
dnl Convenience wrapper: expands the dontaudit UDP send and receive
dnl interfaces for cvs_port_t with the same domain argument.
dnl Like its parts, it grants nothing and only suppresses audit records.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_cvs_port'($*)) dnl
corenet_dontaudit_udp_send_cvs_port($1)
corenet_dontaudit_udp_receive_cvs_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_cvs_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the cvs port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_cvs_port',` dnl
dnl Allow the domain passed as argument 1 to bind TCP sockets to ports
dnl labeled cvs_port_t (class tcp_socket, permission name_bind), i.e. to
dnl act as a listener on that port. Send/receive on the port is granted
dnl separately by the tcp_sendrecv interface.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_cvs_port'($*)) dnl
gen_require(`
type cvs_port_t;
')
allow $1 cvs_port_t:tcp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_cvs_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the cvs port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_cvs_port',` dnl
dnl Allow the domain passed as argument 1 to bind UDP sockets to ports
dnl labeled cvs_port_t (class udp_socket, permission name_bind).
dnl Send/receive on the port is granted separately by the udp interfaces.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_cvs_port'($*)) dnl
gen_require(`
type cvs_port_t;
')
allow $1 cvs_port_t:udp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_cvs_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the cvs port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_cvs_port',` dnl
dnl Allow the domain passed as argument 1 to make outbound TCP connections
dnl to ports labeled cvs_port_t (class tcp_socket, permission name_connect).
dnl This is the egress control for the port; keep it to domains that
dnl genuinely act as clients of this service.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_cvs_port'($*)) dnl
gen_require(`
type cvs_port_t;
')
allow $1 cvs_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_cvs_port'($*)) dnl
')
########################################
##
## Send cvs_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_cvs_client_packets',` dnl
dnl Allow the domain passed as argument 1 to send packets labeled
dnl cvs_client_packet_t (class packet, permission send).
dnl The policy_call_depth bookkeeping below only feeds the policy_m4_comment
dnl trace markers and emits no policy rules of its own.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_cvs_client_packets'($*)) dnl
gen_require(`
type cvs_client_packet_t;
')
allow $1 cvs_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_cvs_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send cvs_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_cvs_client_packets',` dnl
dnl Silence AVC denials for the domain passed as argument 1 sending
dnl cvs_client_packet_t packets (class packet, permission send).
dnl This grants nothing; it only hides the denial from the audit log, so
dnl reserve it for known-benign noise that would otherwise trigger investigation.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_cvs_client_packets'($*)) dnl
gen_require(`
type cvs_client_packet_t;
')
dontaudit $1 cvs_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_cvs_client_packets'($*)) dnl
')
########################################
##
## Receive cvs_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_cvs_client_packets',` dnl
dnl Allow the domain passed as argument 1 to receive packets labeled
dnl cvs_client_packet_t (class packet, permission recv).
dnl The policy_call_depth bookkeeping below only feeds the policy_m4_comment
dnl trace markers and emits no policy rules of its own.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_cvs_client_packets'($*)) dnl
gen_require(`
type cvs_client_packet_t;
')
allow $1 cvs_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_cvs_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive cvs_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_cvs_client_packets',` dnl
dnl Silence AVC denials for the domain passed as argument 1 receiving
dnl cvs_client_packet_t packets (class packet, permission recv).
dnl This grants nothing; it only hides the denial from the audit log.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_cvs_client_packets'($*)) dnl
gen_require(`
type cvs_client_packet_t;
')
dontaudit $1 cvs_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_cvs_client_packets'($*)) dnl
')
########################################
##
## Send and receive cvs_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_cvs_client_packets',` dnl
dnl Convenience wrapper: expands the send and receive interfaces for
dnl cvs_client_packet_t with the same domain argument; it adds no rule itself.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_cvs_client_packets'($*)) dnl
corenet_send_cvs_client_packets($1)
corenet_receive_cvs_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_cvs_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive cvs_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_cvs_client_packets',` dnl
dnl Convenience wrapper: expands the dontaudit send and dontaudit receive
dnl interfaces for cvs_client_packet_t with the same domain argument.
dnl Like its parts, it grants nothing and only suppresses audit records.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_cvs_client_packets'($*)) dnl
corenet_dontaudit_send_cvs_client_packets($1)
corenet_dontaudit_receive_cvs_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_cvs_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the cvs_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_cvs_client_packets',` dnl
dnl Allow the domain passed as argument 1 to relabel packets to
dnl cvs_client_packet_t (class packet, permission relabelto).
dnl A packet label decides which packet send/recv rules apply to it, so this
dnl should only go to the domain responsible for assigning packet labels;
dnl review every caller of this interface.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_cvs_client_packets'($*)) dnl
gen_require(`
type cvs_client_packet_t;
')
allow $1 cvs_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_cvs_client_packets'($*)) dnl
')
########################################
##
## Send cvs_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_cvs_server_packets',` dnl
dnl Allow the domain passed as argument 1 to send packets labeled
dnl cvs_server_packet_t (class packet, permission send).
dnl The policy_call_depth bookkeeping below only feeds the policy_m4_comment
dnl trace markers and emits no policy rules of its own.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_cvs_server_packets'($*)) dnl
gen_require(`
type cvs_server_packet_t;
')
allow $1 cvs_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_cvs_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send cvs_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_cvs_server_packets',` dnl
dnl Silence AVC denials for the domain passed as argument 1 sending
dnl cvs_server_packet_t packets (class packet, permission send).
dnl This grants nothing; it only hides the denial from the audit log, so
dnl reserve it for known-benign noise that would otherwise trigger investigation.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_cvs_server_packets'($*)) dnl
gen_require(`
type cvs_server_packet_t;
')
dontaudit $1 cvs_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_cvs_server_packets'($*)) dnl
')
########################################
##
## Receive cvs_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_cvs_server_packets',` dnl
dnl Allow the domain passed as argument 1 to receive packets labeled
dnl cvs_server_packet_t (class packet, permission recv).
dnl The policy_call_depth bookkeeping below only feeds the policy_m4_comment
dnl trace markers and emits no policy rules of its own.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_cvs_server_packets'($*)) dnl
gen_require(`
type cvs_server_packet_t;
')
allow $1 cvs_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_cvs_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive cvs_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_cvs_server_packets',` dnl
dnl Silence AVC denials for the domain passed as argument 1 receiving
dnl cvs_server_packet_t packets (class packet, permission recv).
dnl This grants nothing; it only hides the denial from the audit log.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_cvs_server_packets'($*)) dnl
gen_require(`
type cvs_server_packet_t;
')
dontaudit $1 cvs_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_cvs_server_packets'($*)) dnl
')
########################################
##
## Send and receive cvs_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_cvs_server_packets',` dnl
dnl Convenience wrapper: expands the send and receive interfaces for
dnl cvs_server_packet_t with the same domain argument; it adds no rule itself.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_cvs_server_packets'($*)) dnl
corenet_send_cvs_server_packets($1)
corenet_receive_cvs_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_cvs_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive cvs_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_cvs_server_packets',` dnl
dnl Convenience wrapper: expands the dontaudit send and dontaudit receive
dnl interfaces for cvs_server_packet_t with the same domain argument.
dnl Like its parts, it grants nothing and only suppresses audit records.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_cvs_server_packets'($*)) dnl
corenet_dontaudit_send_cvs_server_packets($1)
corenet_dontaudit_receive_cvs_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_cvs_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the cvs_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_cvs_server_packets',` dnl
dnl Allow the domain passed as argument 1 to relabel packets to
dnl cvs_server_packet_t (class packet, permission relabelto).
dnl A packet label decides which packet send/recv rules apply to it, so this
dnl should only go to the domain responsible for assigning packet labels;
dnl review every caller of this interface.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_cvs_server_packets'($*)) dnl
gen_require(`
type cvs_server_packet_t;
')
allow $1 cvs_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_cvs_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the dcc port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_dcc_port',` dnl
dnl Allow the domain passed as argument 1 to send and receive TCP traffic on
dnl ports labeled dcc_port_t (class tcp_socket, permissions send_msg recv_msg).
dnl This does not include name_bind or name_connect; those come from the
dnl separate bind and connect interfaces for this port.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_dcc_port'($*)) dnl
gen_require(`
type dcc_port_t;
')
allow $1 dcc_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_dcc_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the dcc port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_dcc_port',` dnl
dnl Allow the domain passed as argument 1 to send UDP traffic to ports
dnl labeled dcc_port_t (class udp_socket, permission send_msg).
dnl The policy_call_depth bookkeeping below only feeds the policy_m4_comment
dnl trace markers and emits no policy rules of its own.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_dcc_port'($*)) dnl
gen_require(`
type dcc_port_t;
')
allow $1 dcc_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_dcc_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the dcc port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_dcc_port',` dnl
dnl Silence AVC denials for the domain passed as argument 1 sending UDP
dnl traffic to dcc_port_t ports (class udp_socket, permission send_msg).
dnl This grants nothing; it only hides the denial from the audit log.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_dcc_port'($*)) dnl
gen_require(`
type dcc_port_t;
')
dontaudit $1 dcc_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_dcc_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the dcc port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_dcc_port',` dnl
dnl Allow the domain passed as argument 1 to receive UDP traffic on ports
dnl labeled dcc_port_t (class udp_socket, permission recv_msg).
dnl The policy_call_depth bookkeeping below only feeds the policy_m4_comment
dnl trace markers and emits no policy rules of its own.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_dcc_port'($*)) dnl
gen_require(`
type dcc_port_t;
')
allow $1 dcc_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_dcc_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the dcc port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_dcc_port',` dnl
dnl Silence AVC denials for the domain passed as argument 1 receiving UDP
dnl traffic on dcc_port_t ports (class udp_socket, permission recv_msg).
dnl This grants nothing; it only hides the denial from the audit log.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_dcc_port'($*)) dnl
gen_require(`
type dcc_port_t;
')
dontaudit $1 dcc_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_dcc_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the dcc port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_dcc_port',` dnl
dnl Convenience wrapper: expands the UDP send and receive interfaces for
dnl dcc_port_t with the same domain argument; it adds no rule itself.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_dcc_port'($*)) dnl
corenet_udp_send_dcc_port($1)
corenet_udp_receive_dcc_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_dcc_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the dcc port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_dcc_port',` dnl
dnl Convenience wrapper: expands the dontaudit UDP send and receive
dnl interfaces for dcc_port_t with the same domain argument.
dnl Like its parts, it grants nothing and only suppresses audit records.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_dcc_port'($*)) dnl
corenet_dontaudit_udp_send_dcc_port($1)
corenet_dontaudit_udp_receive_dcc_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_dcc_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the dcc port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_dcc_port',` dnl
dnl Allow the domain passed as argument 1 to bind TCP sockets to ports
dnl labeled dcc_port_t (class tcp_socket, permission name_bind), i.e. to
dnl act as a listener on that port. Send/receive on the port is granted
dnl separately by the tcp_sendrecv interface.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_dcc_port'($*)) dnl
gen_require(`
type dcc_port_t;
')
allow $1 dcc_port_t:tcp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_dcc_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the dcc port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_dcc_port',` dnl
dnl Allow the domain passed as argument 1 to bind UDP sockets to ports
dnl labeled dcc_port_t (class udp_socket, permission name_bind).
dnl Send/receive on the port is granted separately by the udp interfaces.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_dcc_port'($*)) dnl
gen_require(`
type dcc_port_t;
')
allow $1 dcc_port_t:udp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_dcc_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the dcc port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_dcc_port',` dnl
dnl Allow the domain passed as argument 1 to make outbound TCP connections
dnl to ports labeled dcc_port_t (class tcp_socket, permission name_connect).
dnl This is the egress control for the port; keep it to domains that
dnl genuinely act as clients of this service.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_dcc_port'($*)) dnl
gen_require(`
type dcc_port_t;
')
allow $1 dcc_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_dcc_port'($*)) dnl
')
########################################
##
## Send dcc_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_dcc_client_packets',` dnl
dnl Allow the domain passed as argument 1 to send packets labeled
dnl dcc_client_packet_t (class packet, permission send).
dnl The policy_call_depth bookkeeping below only feeds the policy_m4_comment
dnl trace markers and emits no policy rules of its own.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_dcc_client_packets'($*)) dnl
gen_require(`
type dcc_client_packet_t;
')
allow $1 dcc_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_dcc_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send dcc_client packets.
##
##
##
## Domain to not audit.
##
##
##
# Suppresses AVC denial logging for send on dcc_client_packet_t packets.
# This grants no access; the denial still happens, it is just not logged.
#
define(`corenet_dontaudit_send_dcc_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_dcc_client_packets'($*)) dnl
gen_require(`
type dcc_client_packet_t;
')
dontaudit $1 dcc_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_dcc_client_packets'($*)) dnl
')
########################################
##
## Receive dcc_client packets.
##
##
##
## Domain allowed access.
##
##
##
# Grants the calling domain recv on packets labeled dcc_client_packet_t.
#
define(`corenet_receive_dcc_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_dcc_client_packets'($*)) dnl
gen_require(`
type dcc_client_packet_t;
')
allow $1 dcc_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_dcc_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive dcc_client packets.
##
##
##
## Domain to not audit.
##
##
##
# Suppresses AVC denial logging for recv on dcc_client_packet_t packets.
# This grants no access.
#
define(`corenet_dontaudit_receive_dcc_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_dcc_client_packets'($*)) dnl
gen_require(`
type dcc_client_packet_t;
')
dontaudit $1 dcc_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_dcc_client_packets'($*)) dnl
')
########################################
##
## Send and receive dcc_client packets.
##
##
##
## Domain allowed access.
##
##
##
# Composes corenet_send_dcc_client_packets and
# corenet_receive_dcc_client_packets. The require block for
# dcc_client_packet_t lives in those two interfaces, not here.
#
define(`corenet_sendrecv_dcc_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_dcc_client_packets'($*)) dnl
corenet_send_dcc_client_packets($1)
corenet_receive_dcc_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_dcc_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive dcc_client packets.
##
##
##
## Domain to not audit.
##
##
##
# Composes corenet_dontaudit_send_dcc_client_packets and
# corenet_dontaudit_receive_dcc_client_packets; grants no access.
#
define(`corenet_dontaudit_sendrecv_dcc_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_dcc_client_packets'($*)) dnl
corenet_dontaudit_send_dcc_client_packets($1)
corenet_dontaudit_receive_dcc_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_dcc_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the dcc_client packet type.
##
##
##
## Domain allowed access.
##
##
# Grants the calling domain relabelto on packets labeled dcc_client_packet_t.
#
define(`corenet_relabelto_dcc_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_dcc_client_packets'($*)) dnl
gen_require(`
type dcc_client_packet_t;
')
allow $1 dcc_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_dcc_client_packets'($*)) dnl
')
########################################
##
## Send dcc_server packets.
##
##
##
## Domain allowed access.
##
##
##
# Grants the calling domain send on packets labeled dcc_server_packet_t.
#
define(`corenet_send_dcc_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_dcc_server_packets'($*)) dnl
gen_require(`
type dcc_server_packet_t;
')
allow $1 dcc_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_dcc_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send dcc_server packets.
##
##
##
## Domain to not audit.
##
##
##
# Suppresses AVC denial logging for send on dcc_server_packet_t packets.
# This grants no access.
#
define(`corenet_dontaudit_send_dcc_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_dcc_server_packets'($*)) dnl
gen_require(`
type dcc_server_packet_t;
')
dontaudit $1 dcc_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_dcc_server_packets'($*)) dnl
')
########################################
##
## Receive dcc_server packets.
##
##
##
## Domain allowed access.
##
##
##
# Grants the calling domain recv on packets labeled dcc_server_packet_t.
#
define(`corenet_receive_dcc_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_dcc_server_packets'($*)) dnl
gen_require(`
type dcc_server_packet_t;
')
allow $1 dcc_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_dcc_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive dcc_server packets.
##
##
##
## Domain to not audit.
##
##
##
# Suppresses AVC denial logging for recv on dcc_server_packet_t packets.
# This grants no access.
#
define(`corenet_dontaudit_receive_dcc_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_dcc_server_packets'($*)) dnl
gen_require(`
type dcc_server_packet_t;
')
dontaudit $1 dcc_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_dcc_server_packets'($*)) dnl
')
########################################
##
## Send and receive dcc_server packets.
##
##
##
## Domain allowed access.
##
##
##
# Composes corenet_send_dcc_server_packets and
# corenet_receive_dcc_server_packets. The require block for
# dcc_server_packet_t lives in those two interfaces, not here.
#
define(`corenet_sendrecv_dcc_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_dcc_server_packets'($*)) dnl
corenet_send_dcc_server_packets($1)
corenet_receive_dcc_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_dcc_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive dcc_server packets.
##
##
##
## Domain to not audit.
##
##
##
# Composes corenet_dontaudit_send_dcc_server_packets and
# corenet_dontaudit_receive_dcc_server_packets; grants no access.
#
define(`corenet_dontaudit_sendrecv_dcc_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_dcc_server_packets'($*)) dnl
corenet_dontaudit_send_dcc_server_packets($1)
corenet_dontaudit_receive_dcc_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_dcc_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the dcc_server packet type.
##
##
##
## Domain allowed access.
##
##
# Grants the calling domain relabelto on packets labeled dcc_server_packet_t.
#
define(`corenet_relabelto_dcc_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_dcc_server_packets'($*)) dnl
gen_require(`
type dcc_server_packet_t;
')
allow $1 dcc_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_dcc_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the dbskkd port.
##
##
##
## Domain allowed access.
##
##
##
# Grants the calling domain send_msg and recv_msg on TCP sockets labeled
# dbskkd_port_t. Binding and connecting are separate interfaces.
#
define(`corenet_tcp_sendrecv_dbskkd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_dbskkd_port'($*)) dnl
gen_require(`
type dbskkd_port_t;
')
allow $1 dbskkd_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_dbskkd_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the dbskkd port.
##
##
##
## Domain allowed access.
##
##
##
# Grants the calling domain send_msg on UDP sockets labeled dbskkd_port_t.
#
define(`corenet_udp_send_dbskkd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_dbskkd_port'($*)) dnl
gen_require(`
type dbskkd_port_t;
')
allow $1 dbskkd_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_dbskkd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the dbskkd port.
##
##
##
## Domain to not audit.
##
##
##
# Suppresses AVC denial logging for send_msg on dbskkd_port_t UDP sockets.
# This grants no access.
#
define(`corenet_dontaudit_udp_send_dbskkd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_dbskkd_port'($*)) dnl
gen_require(`
type dbskkd_port_t;
')
dontaudit $1 dbskkd_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_dbskkd_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the dbskkd port.
##
##
##
## Domain allowed access.
##
##
##
# Grants the calling domain recv_msg on UDP sockets labeled dbskkd_port_t.
#
define(`corenet_udp_receive_dbskkd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_dbskkd_port'($*)) dnl
gen_require(`
type dbskkd_port_t;
')
allow $1 dbskkd_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_dbskkd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the dbskkd port.
##
##
##
## Domain to not audit.
##
##
##
# Suppresses AVC denial logging for recv_msg on dbskkd_port_t UDP sockets.
# This grants no access.
#
define(`corenet_dontaudit_udp_receive_dbskkd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_dbskkd_port'($*)) dnl
gen_require(`
type dbskkd_port_t;
')
dontaudit $1 dbskkd_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_dbskkd_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the dbskkd port.
##
##
##
## Domain allowed access.
##
##
##
# Composes corenet_udp_send_dbskkd_port and corenet_udp_receive_dbskkd_port.
# The require block for dbskkd_port_t lives in those two interfaces, not here.
#
define(`corenet_udp_sendrecv_dbskkd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_dbskkd_port'($*)) dnl
corenet_udp_send_dbskkd_port($1)
corenet_udp_receive_dbskkd_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_dbskkd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the dbskkd port.
##
##
##
## Domain to not audit.
##
##
##
# Composes corenet_dontaudit_udp_send_dbskkd_port and
# corenet_dontaudit_udp_receive_dbskkd_port; grants no access.
#
define(`corenet_dontaudit_udp_sendrecv_dbskkd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_dbskkd_port'($*)) dnl
corenet_dontaudit_udp_send_dbskkd_port($1)
corenet_dontaudit_udp_receive_dbskkd_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_dbskkd_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the dbskkd port.
##
##
##
## Domain allowed access.
##
##
##
# Grants the calling domain name_bind on TCP sockets labeled dbskkd_port_t.
# No capability is granted here (contrast the dhcpc bind interfaces, which
# also grant net_bind_service).
#
define(`corenet_tcp_bind_dbskkd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_dbskkd_port'($*)) dnl
gen_require(`
type dbskkd_port_t;
')
allow $1 dbskkd_port_t:tcp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_dbskkd_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the dbskkd port.
##
##
##
## Domain allowed access.
##
##
##
# Grants the calling domain name_bind on UDP sockets labeled dbskkd_port_t.
# No capability is granted here (contrast the dhcpc bind interfaces, which
# also grant net_bind_service).
#
define(`corenet_udp_bind_dbskkd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_dbskkd_port'($*)) dnl
gen_require(`
type dbskkd_port_t;
')
allow $1 dbskkd_port_t:udp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_dbskkd_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the dbskkd port.
##
##
##
## Domain allowed access.
##
##
# Grants the calling domain name_connect on TCP sockets labeled dbskkd_port_t.
# Binding to the port is a separate interface.
#
define(`corenet_tcp_connect_dbskkd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_dbskkd_port'($*)) dnl
gen_require(`
type dbskkd_port_t;
')
allow $1 dbskkd_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_dbskkd_port'($*)) dnl
')
########################################
##
## Send dbskkd_client packets.
##
##
##
## Domain allowed access.
##
##
##
# Grants the calling domain send on packets labeled dbskkd_client_packet_t.
#
define(`corenet_send_dbskkd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_dbskkd_client_packets'($*)) dnl
gen_require(`
type dbskkd_client_packet_t;
')
allow $1 dbskkd_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_dbskkd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send dbskkd_client packets.
##
##
##
## Domain to not audit.
##
##
##
# Suppresses AVC denial logging for send on dbskkd_client_packet_t packets.
# This grants no access.
#
define(`corenet_dontaudit_send_dbskkd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_dbskkd_client_packets'($*)) dnl
gen_require(`
type dbskkd_client_packet_t;
')
dontaudit $1 dbskkd_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_dbskkd_client_packets'($*)) dnl
')
########################################
##
## Receive dbskkd_client packets.
##
##
##
## Domain allowed access.
##
##
##
# Grants the calling domain recv on packets labeled dbskkd_client_packet_t.
#
define(`corenet_receive_dbskkd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_dbskkd_client_packets'($*)) dnl
gen_require(`
type dbskkd_client_packet_t;
')
allow $1 dbskkd_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_dbskkd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive dbskkd_client packets.
##
##
##
## Domain to not audit.
##
##
##
# Suppresses AVC denial logging for recv on dbskkd_client_packet_t packets.
# This grants no access.
#
define(`corenet_dontaudit_receive_dbskkd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_dbskkd_client_packets'($*)) dnl
gen_require(`
type dbskkd_client_packet_t;
')
dontaudit $1 dbskkd_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_dbskkd_client_packets'($*)) dnl
')
########################################
##
## Send and receive dbskkd_client packets.
##
##
##
## Domain allowed access.
##
##
##
# Composes corenet_send_dbskkd_client_packets and
# corenet_receive_dbskkd_client_packets. The require block for
# dbskkd_client_packet_t lives in those two interfaces, not here.
#
define(`corenet_sendrecv_dbskkd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_dbskkd_client_packets'($*)) dnl
corenet_send_dbskkd_client_packets($1)
corenet_receive_dbskkd_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_dbskkd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive dbskkd_client packets.
##
##
##
## Domain to not audit.
##
##
##
# Composes corenet_dontaudit_send_dbskkd_client_packets and
# corenet_dontaudit_receive_dbskkd_client_packets; grants no access.
#
define(`corenet_dontaudit_sendrecv_dbskkd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_dbskkd_client_packets'($*)) dnl
corenet_dontaudit_send_dbskkd_client_packets($1)
corenet_dontaudit_receive_dbskkd_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_dbskkd_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the dbskkd_client packet type.
##
##
##
## Domain allowed access.
##
##
# Grants the calling domain relabelto on packets labeled dbskkd_client_packet_t.
#
define(`corenet_relabelto_dbskkd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_dbskkd_client_packets'($*)) dnl
gen_require(`
type dbskkd_client_packet_t;
')
allow $1 dbskkd_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_dbskkd_client_packets'($*)) dnl
')
########################################
##
## Send dbskkd_server packets.
##
##
##
## Domain allowed access.
##
##
##
# Grants the calling domain send on packets labeled dbskkd_server_packet_t.
#
define(`corenet_send_dbskkd_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_dbskkd_server_packets'($*)) dnl
gen_require(`
type dbskkd_server_packet_t;
')
allow $1 dbskkd_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_dbskkd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send dbskkd_server packets.
##
##
##
## Domain to not audit.
##
##
##
# Suppresses AVC denial logging for send on dbskkd_server_packet_t packets.
# This grants no access.
#
define(`corenet_dontaudit_send_dbskkd_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_dbskkd_server_packets'($*)) dnl
gen_require(`
type dbskkd_server_packet_t;
')
dontaudit $1 dbskkd_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_dbskkd_server_packets'($*)) dnl
')
########################################
##
## Receive dbskkd_server packets.
##
##
##
## Domain allowed access.
##
##
##
# Grants the calling domain recv on packets labeled dbskkd_server_packet_t.
#
define(`corenet_receive_dbskkd_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_dbskkd_server_packets'($*)) dnl
gen_require(`
type dbskkd_server_packet_t;
')
allow $1 dbskkd_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_dbskkd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive dbskkd_server packets.
##
##
##
## Domain to not audit.
##
##
##
# Suppresses AVC denial logging for recv on dbskkd_server_packet_t packets.
# This grants no access.
#
define(`corenet_dontaudit_receive_dbskkd_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_dbskkd_server_packets'($*)) dnl
gen_require(`
type dbskkd_server_packet_t;
')
dontaudit $1 dbskkd_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_dbskkd_server_packets'($*)) dnl
')
########################################
##
## Send and receive dbskkd_server packets.
##
##
##
## Domain allowed access.
##
##
##
# Composes corenet_send_dbskkd_server_packets and
# corenet_receive_dbskkd_server_packets. The require block for
# dbskkd_server_packet_t lives in those two interfaces, not here.
#
define(`corenet_sendrecv_dbskkd_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_dbskkd_server_packets'($*)) dnl
corenet_send_dbskkd_server_packets($1)
corenet_receive_dbskkd_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_dbskkd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive dbskkd_server packets.
##
##
##
## Domain to not audit.
##
##
##
# Composes corenet_dontaudit_send_dbskkd_server_packets and
# corenet_dontaudit_receive_dbskkd_server_packets; grants no access.
#
define(`corenet_dontaudit_sendrecv_dbskkd_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_dbskkd_server_packets'($*)) dnl
corenet_dontaudit_send_dbskkd_server_packets($1)
corenet_dontaudit_receive_dbskkd_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_dbskkd_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the dbskkd_server packet type.
##
##
##
## Domain allowed access.
##
##
# Grants the calling domain relabelto on packets labeled dbskkd_server_packet_t.
#
define(`corenet_relabelto_dbskkd_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_dbskkd_server_packets'($*)) dnl
gen_require(`
type dbskkd_server_packet_t;
')
allow $1 dbskkd_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_dbskkd_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the dhcpc port.
##
##
##
## Domain allowed access.
##
##
##
# Grants the calling domain send_msg and recv_msg on TCP sockets labeled
# dhcpc_port_t. Binding and connecting are separate interfaces.
#
define(`corenet_tcp_sendrecv_dhcpc_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_dhcpc_port'($*)) dnl
gen_require(`
type dhcpc_port_t;
')
allow $1 dhcpc_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_dhcpc_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the dhcpc port.
##
##
##
## Domain allowed access.
##
##
##
# Grants the calling domain send_msg on UDP sockets labeled dhcpc_port_t.
#
define(`corenet_udp_send_dhcpc_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_dhcpc_port'($*)) dnl
gen_require(`
type dhcpc_port_t;
')
allow $1 dhcpc_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_dhcpc_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the dhcpc port.
##
##
##
## Domain to not audit.
##
##
##
# Suppresses AVC denial logging for send_msg on dhcpc_port_t UDP sockets.
# This grants no access.
#
define(`corenet_dontaudit_udp_send_dhcpc_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_dhcpc_port'($*)) dnl
gen_require(`
type dhcpc_port_t;
')
dontaudit $1 dhcpc_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_dhcpc_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the dhcpc port.
##
##
##
## Domain allowed access.
##
##
##
# Grants the calling domain recv_msg on UDP sockets labeled dhcpc_port_t.
#
define(`corenet_udp_receive_dhcpc_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_dhcpc_port'($*)) dnl
gen_require(`
type dhcpc_port_t;
')
allow $1 dhcpc_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_dhcpc_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the dhcpc port.
##
##
##
## Domain to not audit.
##
##
##
# Suppresses AVC denial logging for recv_msg on dhcpc_port_t UDP sockets.
# This grants no access.
#
define(`corenet_dontaudit_udp_receive_dhcpc_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_dhcpc_port'($*)) dnl
gen_require(`
type dhcpc_port_t;
')
dontaudit $1 dhcpc_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_dhcpc_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the dhcpc port.
##
##
##
## Domain allowed access.
##
##
##
# Composes corenet_udp_send_dhcpc_port and corenet_udp_receive_dhcpc_port.
# The require block for dhcpc_port_t lives in those two interfaces, not here.
#
define(`corenet_udp_sendrecv_dhcpc_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_dhcpc_port'($*)) dnl
corenet_udp_send_dhcpc_port($1)
corenet_udp_receive_dhcpc_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_dhcpc_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the dhcpc port.
##
##
##
## Domain to not audit.
##
##
##
# Composes corenet_dontaudit_udp_send_dhcpc_port and
# corenet_dontaudit_udp_receive_dhcpc_port; grants no access.
#
define(`corenet_dontaudit_udp_sendrecv_dhcpc_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_dhcpc_port'($*)) dnl
corenet_dontaudit_udp_send_dhcpc_port($1)
corenet_dontaudit_udp_receive_dhcpc_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_dhcpc_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the dhcpc port.
##
##
##
## Domain allowed access.
##
##
##
# Unlike the dcc and dbskkd bind interfaces, this one grants two things:
# name_bind on dhcpc_port_t TCP sockets, and the net_bind_service capability
# on the calling domain itself (presumably emitted because the dhcpc port is
# a privileged port below 1024). The capability is not scoped to dhcpc_port_t;
# combined with any other name_bind the domain holds, it lets the domain bind
# other privileged ports too. Review callers of this interface with that
# wider grant in mind.
#
define(`corenet_tcp_bind_dhcpc_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_dhcpc_port'($*)) dnl
gen_require(`
type dhcpc_port_t;
')
allow $1 dhcpc_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_dhcpc_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the dhcpc port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_dhcpc_port',` dnl
dnl Interface: let $1 (a domain type) bind (name_bind) UDP sockets to dhcpc_port_t.
dnl Also grants net_bind_service on the domain itself, the capability the kernel checks
dnl when binding a privileged port; the port number behind dhcpc_port_t is not visible here.
dnl Nesting-depth bookkeeping for the begin/end markers passed to policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_dhcpc_port'($*)) dnl
gen_require(`
type dhcpc_port_t;
')
allow $1 dhcpc_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_dhcpc_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the dhcpc port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_dhcpc_port',` dnl
dnl Interface: let $1 (a domain type) make outbound TCP connections (name_connect) to dhcpc_port_t.
dnl Nesting-depth bookkeeping for the begin/end markers passed to policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_dhcpc_port'($*)) dnl
gen_require(`
type dhcpc_port_t;
')
allow $1 dhcpc_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_dhcpc_port'($*)) dnl
')
########################################
##
## Send dhcpc_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_dhcpc_client_packets',` dnl
dnl Interface: let $1 (a domain type) send packets labeled dhcpc_client_packet_t.
dnl NOTE(review): packet-class rules only take effect where packet labeling is configured;
dnl that configuration is outside this file.
dnl Nesting-depth bookkeeping for the begin/end markers passed to policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_dhcpc_client_packets'($*)) dnl
gen_require(`
type dhcpc_client_packet_t;
')
allow $1 dhcpc_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_dhcpc_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send dhcpc_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_dhcpc_client_packets',` dnl
dnl Interface: do not audit attempts by $1 (a domain type) to send packets labeled
dnl dhcpc_client_packet_t. dontaudit only quiets denial logging; it grants no access.
dnl Nesting-depth bookkeeping for the begin/end markers passed to policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_dhcpc_client_packets'($*)) dnl
gen_require(`
type dhcpc_client_packet_t;
')
dontaudit $1 dhcpc_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_dhcpc_client_packets'($*)) dnl
')
########################################
##
## Receive dhcpc_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_dhcpc_client_packets',` dnl
dnl Interface: let $1 (a domain type) receive packets labeled dhcpc_client_packet_t.
dnl NOTE(review): packet-class rules only take effect where packet labeling is configured;
dnl that configuration is outside this file.
dnl Nesting-depth bookkeeping for the begin/end markers passed to policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_dhcpc_client_packets'($*)) dnl
gen_require(`
type dhcpc_client_packet_t;
')
allow $1 dhcpc_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_dhcpc_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive dhcpc_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_dhcpc_client_packets',` dnl
dnl Interface: do not audit attempts by $1 (a domain type) to receive packets labeled
dnl dhcpc_client_packet_t. dontaudit only quiets denial logging; it grants no access.
dnl Nesting-depth bookkeeping for the begin/end markers passed to policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_dhcpc_client_packets'($*)) dnl
gen_require(`
type dhcpc_client_packet_t;
')
dontaudit $1 dhcpc_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_dhcpc_client_packets'($*)) dnl
')
########################################
##
## Send and receive dhcpc_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_dhcpc_client_packets',` dnl
dnl Interface: let $1 (a domain type) both send and receive packets labeled dhcpc_client_packet_t.
dnl Thin wrapper over the send-only and receive-only interfaces for the same packet type.
dnl Nesting-depth bookkeeping for the begin/end markers passed to policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_dhcpc_client_packets'($*)) dnl
corenet_send_dhcpc_client_packets($1)
corenet_receive_dhcpc_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_dhcpc_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive dhcpc_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_dhcpc_client_packets',` dnl
dnl Interface: do not audit attempts by $1 (a domain type) to send or receive packets labeled
dnl dhcpc_client_packet_t. dontaudit only quiets denial logging; it grants no access.
dnl Thin wrapper over the send-only and receive-only dontaudit interfaces for the same packet type.
dnl Nesting-depth bookkeeping for the begin/end markers passed to policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_dhcpc_client_packets'($*)) dnl
corenet_dontaudit_send_dhcpc_client_packets($1)
corenet_dontaudit_receive_dhcpc_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_dhcpc_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the dhcpc_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_dhcpc_client_packets',` dnl
dnl Interface: let $1 (a domain type) relabel packets to dhcpc_client_packet_t (relabelto).
dnl Relabeling changes which packet rules later apply, so this is a more sensitive grant
dnl than plain send/recv; keep it to domains that actually set packet labels.
dnl Nesting-depth bookkeeping for the begin/end markers passed to policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_dhcpc_client_packets'($*)) dnl
gen_require(`
type dhcpc_client_packet_t;
')
allow $1 dhcpc_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_dhcpc_client_packets'($*)) dnl
')
########################################
##
## Send dhcpc_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_dhcpc_server_packets',` dnl
dnl Interface: let $1 (a domain type) send packets labeled dhcpc_server_packet_t.
dnl NOTE(review): packet-class rules only take effect where packet labeling is configured;
dnl that configuration is outside this file.
dnl Nesting-depth bookkeeping for the begin/end markers passed to policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_dhcpc_server_packets'($*)) dnl
gen_require(`
type dhcpc_server_packet_t;
')
allow $1 dhcpc_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_dhcpc_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send dhcpc_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_dhcpc_server_packets',` dnl
dnl Interface: do not audit attempts by $1 (a domain type) to send packets labeled
dnl dhcpc_server_packet_t. dontaudit only quiets denial logging; it grants no access.
dnl Nesting-depth bookkeeping for the begin/end markers passed to policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_dhcpc_server_packets'($*)) dnl
gen_require(`
type dhcpc_server_packet_t;
')
dontaudit $1 dhcpc_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_dhcpc_server_packets'($*)) dnl
')
########################################
##
## Receive dhcpc_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_dhcpc_server_packets',` dnl
dnl Interface: let $1 (a domain type) receive packets labeled dhcpc_server_packet_t.
dnl NOTE(review): packet-class rules only take effect where packet labeling is configured;
dnl that configuration is outside this file.
dnl Nesting-depth bookkeeping for the begin/end markers passed to policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_dhcpc_server_packets'($*)) dnl
gen_require(`
type dhcpc_server_packet_t;
')
allow $1 dhcpc_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_dhcpc_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive dhcpc_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_dhcpc_server_packets',` dnl
dnl Interface: do not audit attempts by $1 (a domain type) to receive packets labeled
dnl dhcpc_server_packet_t. dontaudit only quiets denial logging; it grants no access.
dnl Nesting-depth bookkeeping for the begin/end markers passed to policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_dhcpc_server_packets'($*)) dnl
gen_require(`
type dhcpc_server_packet_t;
')
dontaudit $1 dhcpc_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_dhcpc_server_packets'($*)) dnl
')
########################################
##
## Send and receive dhcpc_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_dhcpc_server_packets',` dnl
dnl Interface: let $1 (a domain type) both send and receive packets labeled dhcpc_server_packet_t.
dnl Thin wrapper over the send-only and receive-only interfaces for the same packet type.
dnl Nesting-depth bookkeeping for the begin/end markers passed to policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_dhcpc_server_packets'($*)) dnl
corenet_send_dhcpc_server_packets($1)
corenet_receive_dhcpc_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_dhcpc_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive dhcpc_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_dhcpc_server_packets',` dnl
dnl Interface: do not audit attempts by $1 (a domain type) to send or receive packets labeled
dnl dhcpc_server_packet_t. dontaudit only quiets denial logging; it grants no access.
dnl Thin wrapper over the send-only and receive-only dontaudit interfaces for the same packet type.
dnl Nesting-depth bookkeeping for the begin/end markers passed to policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_dhcpc_server_packets'($*)) dnl
corenet_dontaudit_send_dhcpc_server_packets($1)
corenet_dontaudit_receive_dhcpc_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_dhcpc_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the dhcpc_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_dhcpc_server_packets',` dnl
dnl Interface: let $1 (a domain type) relabel packets to dhcpc_server_packet_t (relabelto).
dnl Relabeling changes which packet rules later apply, so this is a more sensitive grant
dnl than plain send/recv; keep it to domains that actually set packet labels.
dnl Nesting-depth bookkeeping for the begin/end markers passed to policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_dhcpc_server_packets'($*)) dnl
gen_require(`
type dhcpc_server_packet_t;
')
allow $1 dhcpc_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_dhcpc_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the dhcpd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_dhcpd_port',` dnl
dnl Interface: let $1 (a domain type) send and receive TCP traffic (send_msg recv_msg) on dhcpd_port_t.
dnl NOTE(review): per-port send_msg/recv_msg checks are only enforced when the kernel labels
dnl network traffic by port; whether that is active is not determinable from this file.
dnl Nesting-depth bookkeeping for the begin/end markers passed to policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_dhcpd_port'($*)) dnl
gen_require(`
type dhcpd_port_t;
')
allow $1 dhcpd_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_dhcpd_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the dhcpd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_dhcpd_port',` dnl
dnl Interface: let $1 (a domain type) send UDP traffic (send_msg) on dhcpd_port_t.
dnl NOTE(review): per-port send_msg checks are only enforced when the kernel labels
dnl network traffic by port; whether that is active is not determinable from this file.
dnl Nesting-depth bookkeeping for the begin/end markers passed to policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_dhcpd_port'($*)) dnl
gen_require(`
type dhcpd_port_t;
')
allow $1 dhcpd_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_dhcpd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the dhcpd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_dhcpd_port',` dnl
dnl Interface: do not audit attempts by $1 (a domain type) to send UDP traffic (send_msg)
dnl on dhcpd_port_t. dontaudit only quiets denial logging; it grants no access.
dnl Nesting-depth bookkeeping for the begin/end markers passed to policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_dhcpd_port'($*)) dnl
gen_require(`
type dhcpd_port_t;
')
dontaudit $1 dhcpd_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_dhcpd_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the dhcpd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_dhcpd_port',` dnl
dnl Interface: let $1 (a domain type) receive UDP traffic (recv_msg) on dhcpd_port_t.
dnl NOTE(review): per-port recv_msg checks are only enforced when the kernel labels
dnl network traffic by port; whether that is active is not determinable from this file.
dnl Nesting-depth bookkeeping for the begin/end markers passed to policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_dhcpd_port'($*)) dnl
gen_require(`
type dhcpd_port_t;
')
allow $1 dhcpd_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_dhcpd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the dhcpd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_dhcpd_port',` dnl
dnl Interface: do not audit attempts by $1 (a domain type) to receive UDP traffic (recv_msg)
dnl on dhcpd_port_t. dontaudit only quiets denial logging; it grants no access.
dnl Nesting-depth bookkeeping for the begin/end markers passed to policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_dhcpd_port'($*)) dnl
gen_require(`
type dhcpd_port_t;
')
dontaudit $1 dhcpd_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_dhcpd_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the dhcpd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_dhcpd_port',` dnl
dnl Interface: let $1 (a domain type) both send and receive UDP traffic on dhcpd_port_t.
dnl Thin wrapper over the send-only and receive-only interfaces for the same port.
dnl Nesting-depth bookkeeping for the begin/end markers passed to policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_dhcpd_port'($*)) dnl
corenet_udp_send_dhcpd_port($1)
corenet_udp_receive_dhcpd_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_dhcpd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the dhcpd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_dhcpd_port',` dnl
dnl Interface: do not audit attempts by $1 (a domain type) to send or receive UDP traffic
dnl on dhcpd_port_t. dontaudit only quiets denial logging; it grants no access.
dnl Thin wrapper over the send-only and receive-only dontaudit interfaces for the same port.
dnl Nesting-depth bookkeeping for the begin/end markers passed to policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_dhcpd_port'($*)) dnl
corenet_dontaudit_udp_send_dhcpd_port($1)
corenet_dontaudit_udp_receive_dhcpd_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_dhcpd_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the dhcpd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_dhcpd_port',` dnl
dnl Interface: let $1 (a domain type) bind (name_bind) TCP sockets to dhcpd_port_t.
dnl Also grants net_bind_service on the domain itself, the capability the kernel checks
dnl when binding a privileged port; the port number behind dhcpd_port_t is not visible here.
dnl Nesting-depth bookkeeping for the begin/end markers passed to policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_dhcpd_port'($*)) dnl
gen_require(`
type dhcpd_port_t;
')
allow $1 dhcpd_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_dhcpd_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the dhcpd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_dhcpd_port',` dnl
dnl Interface: let $1 (a domain type) bind (name_bind) UDP sockets to dhcpd_port_t.
dnl Also grants net_bind_service on the domain itself, the capability the kernel checks
dnl when binding a privileged port; the port number behind dhcpd_port_t is not visible here.
dnl Nesting-depth bookkeeping for the begin/end markers passed to policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_dhcpd_port'($*)) dnl
gen_require(`
type dhcpd_port_t;
')
allow $1 dhcpd_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_dhcpd_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the dhcpd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_dhcpd_port',` dnl
dnl Interface: let $1 (a domain type) make outbound TCP connections (name_connect) to dhcpd_port_t.
dnl Nesting-depth bookkeeping for the begin/end markers passed to policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_dhcpd_port'($*)) dnl
gen_require(`
type dhcpd_port_t;
')
allow $1 dhcpd_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_dhcpd_port'($*)) dnl
')
########################################
##
## Send dhcpd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_dhcpd_client_packets',` dnl
dnl Interface: let $1 (a domain type) send packets labeled dhcpd_client_packet_t.
dnl NOTE(review): packet-class rules only take effect where packet labeling is configured;
dnl that configuration is outside this file.
dnl Nesting-depth bookkeeping for the begin/end markers passed to policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_dhcpd_client_packets'($*)) dnl
gen_require(`
type dhcpd_client_packet_t;
')
allow $1 dhcpd_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_dhcpd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send dhcpd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_dhcpd_client_packets',` dnl
dnl Interface: do not audit attempts by $1 (a domain type) to send packets labeled
dnl dhcpd_client_packet_t. dontaudit only quiets denial logging; it grants no access.
dnl Nesting-depth bookkeeping for the begin/end markers passed to policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_dhcpd_client_packets'($*)) dnl
gen_require(`
type dhcpd_client_packet_t;
')
dontaudit $1 dhcpd_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_dhcpd_client_packets'($*)) dnl
')
########################################
##
## Receive dhcpd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_dhcpd_client_packets',` dnl
dnl Interface: let $1 (a domain type) receive packets labeled dhcpd_client_packet_t.
dnl NOTE(review): packet-class rules only take effect where packet labeling is configured;
dnl that configuration is outside this file.
dnl Nesting-depth bookkeeping for the begin/end markers passed to policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_dhcpd_client_packets'($*)) dnl
gen_require(`
type dhcpd_client_packet_t;
')
allow $1 dhcpd_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_dhcpd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive dhcpd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_dhcpd_client_packets',` dnl
dnl Interface: do not audit attempts by $1 (a domain type) to receive packets labeled
dnl dhcpd_client_packet_t. dontaudit only quiets denial logging; it grants no access.
dnl Nesting-depth bookkeeping for the begin/end markers passed to policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_dhcpd_client_packets'($*)) dnl
gen_require(`
type dhcpd_client_packet_t;
')
dontaudit $1 dhcpd_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_dhcpd_client_packets'($*)) dnl
')
########################################
##
## Send and receive dhcpd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_dhcpd_client_packets',` dnl
dnl Interface: let $1 (a domain type) both send and receive packets labeled dhcpd_client_packet_t.
dnl Thin wrapper over the send-only and receive-only interfaces for the same packet type.
dnl Nesting-depth bookkeeping for the begin/end markers passed to policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_dhcpd_client_packets'($*)) dnl
corenet_send_dhcpd_client_packets($1)
corenet_receive_dhcpd_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_dhcpd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive dhcpd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_dhcpd_client_packets',` dnl
dnl Interface: do not audit attempts by $1 (a domain type) to send or receive packets labeled
dnl dhcpd_client_packet_t. dontaudit only quiets denial logging; it grants no access.
dnl Thin wrapper over the send-only and receive-only dontaudit interfaces for the same packet type.
dnl Nesting-depth bookkeeping for the begin/end markers passed to policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_dhcpd_client_packets'($*)) dnl
corenet_dontaudit_send_dhcpd_client_packets($1)
corenet_dontaudit_receive_dhcpd_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_dhcpd_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the dhcpd_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_dhcpd_client_packets',` dnl
dnl Interface: let $1 (a domain type) relabel packets to dhcpd_client_packet_t (relabelto).
dnl Relabeling changes which packet rules later apply, so this is a more sensitive grant
dnl than plain send/recv; keep it to domains that actually set packet labels.
dnl Nesting-depth bookkeeping for the begin/end markers passed to policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_dhcpd_client_packets'($*)) dnl
gen_require(`
type dhcpd_client_packet_t;
')
allow $1 dhcpd_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_dhcpd_client_packets'($*)) dnl
')
########################################
##
## Send dhcpd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_dhcpd_server_packets',` dnl
dnl Interface: let $1 (a domain type) send packets labeled dhcpd_server_packet_t.
dnl NOTE(review): packet-class rules only take effect where packet labeling is configured;
dnl that configuration is outside this file.
dnl Nesting-depth bookkeeping for the begin/end markers passed to policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_dhcpd_server_packets'($*)) dnl
gen_require(`
type dhcpd_server_packet_t;
')
allow $1 dhcpd_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_dhcpd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send dhcpd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_dhcpd_server_packets',` dnl
dnl Interface: do not audit attempts by $1 (a domain type) to send packets labeled
dnl dhcpd_server_packet_t. dontaudit only quiets denial logging; it grants no access.
dnl Nesting-depth bookkeeping for the begin/end markers passed to policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_dhcpd_server_packets'($*)) dnl
gen_require(`
type dhcpd_server_packet_t;
')
dontaudit $1 dhcpd_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_dhcpd_server_packets'($*)) dnl
')
########################################
##
## Receive dhcpd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_dhcpd_server_packets',` dnl
dnl Interface: let $1 (a domain type) receive packets labeled dhcpd_server_packet_t.
dnl NOTE(review): packet-class rules only take effect where packet labeling is configured;
dnl that configuration is outside this file.
dnl Nesting-depth bookkeeping for the begin/end markers passed to policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_dhcpd_server_packets'($*)) dnl
gen_require(`
type dhcpd_server_packet_t;
')
allow $1 dhcpd_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_dhcpd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive dhcpd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_dhcpd_server_packets',` dnl
dnl Interface: do not audit attempts by $1 (a domain type) to receive packets labeled
dnl dhcpd_server_packet_t. dontaudit only quiets denial logging; it grants no access.
dnl Nesting-depth bookkeeping for the begin/end markers passed to policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_dhcpd_server_packets'($*)) dnl
gen_require(`
type dhcpd_server_packet_t;
')
dontaudit $1 dhcpd_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_dhcpd_server_packets'($*)) dnl
')
########################################
##
## Send and receive dhcpd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_dhcpd_server_packets',` dnl
dnl Interface: let $1 (a domain type) both send and receive packets labeled dhcpd_server_packet_t.
dnl Thin wrapper over the send-only and receive-only interfaces for the same packet type.
dnl Nesting-depth bookkeeping for the begin/end markers passed to policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_dhcpd_server_packets'($*)) dnl
corenet_send_dhcpd_server_packets($1)
corenet_receive_dhcpd_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_dhcpd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive dhcpd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_dhcpd_server_packets',` dnl
dnl Interface: do not audit attempts by $1 (a domain type) to send or receive packets labeled
dnl dhcpd_server_packet_t. dontaudit only quiets denial logging; it grants no access.
dnl Thin wrapper over the send-only and receive-only dontaudit interfaces for the same packet type.
dnl Nesting-depth bookkeeping for the begin/end markers passed to policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_dhcpd_server_packets'($*)) dnl
corenet_dontaudit_send_dhcpd_server_packets($1)
corenet_dontaudit_receive_dhcpd_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_dhcpd_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the dhcpd_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_dhcpd_server_packets',` dnl
dnl Interface: let $1 (a domain type) relabel packets to dhcpd_server_packet_t (relabelto).
dnl Relabeling changes which packet rules later apply, so this is a more sensitive grant
dnl than plain send/recv; keep it to domains that actually set packet labels.
dnl Nesting-depth bookkeeping for the begin/end markers passed to policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_dhcpd_server_packets'($*)) dnl
gen_require(`
type dhcpd_server_packet_t;
')
allow $1 dhcpd_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_dhcpd_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the dict port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_dict_port',` dnl
dnl Interface: let $1 (a domain type) send and receive TCP traffic (send_msg recv_msg) on dict_port_t.
dnl NOTE(review): per-port send_msg/recv_msg checks are only enforced when the kernel labels
dnl network traffic by port; whether that is active is not determinable from this file.
dnl Nesting-depth bookkeeping for the begin/end markers passed to policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_dict_port'($*)) dnl
gen_require(`
type dict_port_t;
')
allow $1 dict_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_dict_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the dict port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_dict_port',` dnl
dnl Interface: let $1 (a domain type) send UDP traffic (send_msg) on dict_port_t.
dnl NOTE(review): per-port send_msg checks are only enforced when the kernel labels
dnl network traffic by port; whether that is active is not determinable from this file.
dnl Nesting-depth bookkeeping for the begin/end markers passed to policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_dict_port'($*)) dnl
gen_require(`
type dict_port_t;
')
allow $1 dict_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_dict_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the dict port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_dict_port',` dnl
dnl Interface: do not audit attempts by $1 (a domain type) to send UDP traffic (send_msg)
dnl on dict_port_t. dontaudit only quiets denial logging; it grants no access.
dnl Nesting-depth bookkeeping for the begin/end markers passed to policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_dict_port'($*)) dnl
gen_require(`
type dict_port_t;
')
dontaudit $1 dict_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_dict_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the dict port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_dict_port',` dnl
dnl Interface: let $1 (a domain type) receive UDP traffic (recv_msg) on dict_port_t.
dnl NOTE(review): per-port recv_msg checks are only enforced when the kernel labels
dnl network traffic by port; whether that is active is not determinable from this file.
dnl Nesting-depth bookkeeping for the begin/end markers passed to policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_dict_port'($*)) dnl
gen_require(`
type dict_port_t;
')
allow $1 dict_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_dict_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the dict port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_dict_port',` dnl
dnl Interface: do not audit attempts by $1 (a domain type) to receive UDP traffic (recv_msg)
dnl on dict_port_t. dontaudit only quiets denial logging; it grants no access.
dnl Nesting-depth bookkeeping for the begin/end markers passed to policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_dict_port'($*)) dnl
gen_require(`
type dict_port_t;
')
dontaudit $1 dict_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_dict_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the dict port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_dict_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_dict_port'($*)) dnl
corenet_udp_send_dict_port($1)
corenet_udp_receive_dict_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_dict_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the dict port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_dict_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_dict_port'($*)) dnl
corenet_dontaudit_udp_send_dict_port($1)
corenet_dontaudit_udp_receive_dict_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_dict_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the dict port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_dict_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_dict_port'($*)) dnl
gen_require(`
type dict_port_t;
')
allow $1 dict_port_t:tcp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_dict_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the dict port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_dict_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_dict_port'($*)) dnl
gen_require(`
type dict_port_t;
')
allow $1 dict_port_t:udp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_dict_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the dict port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_dict_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_dict_port'($*)) dnl
gen_require(`
type dict_port_t;
')
allow $1 dict_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_dict_port'($*)) dnl
')
########################################
##
## Send dict_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_dict_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_dict_client_packets'($*)) dnl
gen_require(`
type dict_client_packet_t;
')
allow $1 dict_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_dict_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send dict_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_dict_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_dict_client_packets'($*)) dnl
gen_require(`
type dict_client_packet_t;
')
dontaudit $1 dict_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_dict_client_packets'($*)) dnl
')
########################################
##
## Receive dict_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_dict_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_dict_client_packets'($*)) dnl
gen_require(`
type dict_client_packet_t;
')
allow $1 dict_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_dict_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive dict_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_dict_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_dict_client_packets'($*)) dnl
gen_require(`
type dict_client_packet_t;
')
dontaudit $1 dict_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_dict_client_packets'($*)) dnl
')
########################################
##
## Send and receive dict_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_dict_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_dict_client_packets'($*)) dnl
corenet_send_dict_client_packets($1)
corenet_receive_dict_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_dict_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive dict_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_dict_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_dict_client_packets'($*)) dnl
corenet_dontaudit_send_dict_client_packets($1)
corenet_dontaudit_receive_dict_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_dict_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the dict_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_dict_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_dict_client_packets'($*)) dnl
gen_require(`
type dict_client_packet_t;
')
allow $1 dict_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_dict_client_packets'($*)) dnl
')
########################################
##
## Send dict_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_dict_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_dict_server_packets'($*)) dnl
gen_require(`
type dict_server_packet_t;
')
allow $1 dict_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_dict_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send dict_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_dict_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_dict_server_packets'($*)) dnl
gen_require(`
type dict_server_packet_t;
')
dontaudit $1 dict_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_dict_server_packets'($*)) dnl
')
########################################
##
## Receive dict_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_dict_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_dict_server_packets'($*)) dnl
gen_require(`
type dict_server_packet_t;
')
allow $1 dict_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_dict_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive dict_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_dict_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_dict_server_packets'($*)) dnl
gen_require(`
type dict_server_packet_t;
')
dontaudit $1 dict_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_dict_server_packets'($*)) dnl
')
########################################
##
## Send and receive dict_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_dict_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_dict_server_packets'($*)) dnl
corenet_send_dict_server_packets($1)
corenet_receive_dict_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_dict_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive dict_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_dict_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_dict_server_packets'($*)) dnl
corenet_dontaudit_send_dict_server_packets($1)
corenet_dontaudit_receive_dict_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_dict_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the dict_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_dict_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_dict_server_packets'($*)) dnl
gen_require(`
type dict_server_packet_t;
')
allow $1 dict_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_dict_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the distccd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_distccd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_distccd_port'($*)) dnl
gen_require(`
type distccd_port_t;
')
allow $1 distccd_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_distccd_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the distccd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_distccd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_distccd_port'($*)) dnl
gen_require(`
type distccd_port_t;
')
allow $1 distccd_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_distccd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the distccd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_distccd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_distccd_port'($*)) dnl
gen_require(`
type distccd_port_t;
')
dontaudit $1 distccd_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_distccd_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the distccd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_distccd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_distccd_port'($*)) dnl
gen_require(`
type distccd_port_t;
')
allow $1 distccd_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_distccd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the distccd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_distccd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_distccd_port'($*)) dnl
gen_require(`
type distccd_port_t;
')
dontaudit $1 distccd_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_distccd_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the distccd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_distccd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_distccd_port'($*)) dnl
corenet_udp_send_distccd_port($1)
corenet_udp_receive_distccd_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_distccd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the distccd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_distccd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_distccd_port'($*)) dnl
corenet_dontaudit_udp_send_distccd_port($1)
corenet_dontaudit_udp_receive_distccd_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_distccd_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the distccd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_distccd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_distccd_port'($*)) dnl
gen_require(`
type distccd_port_t;
')
allow $1 distccd_port_t:tcp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_distccd_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the distccd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_distccd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_distccd_port'($*)) dnl
gen_require(`
type distccd_port_t;
')
allow $1 distccd_port_t:udp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_distccd_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the distccd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_distccd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_distccd_port'($*)) dnl
gen_require(`
type distccd_port_t;
')
allow $1 distccd_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_distccd_port'($*)) dnl
')
########################################
##
## Send distccd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_distccd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_distccd_client_packets'($*)) dnl
gen_require(`
type distccd_client_packet_t;
')
allow $1 distccd_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_distccd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send distccd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_distccd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_distccd_client_packets'($*)) dnl
gen_require(`
type distccd_client_packet_t;
')
dontaudit $1 distccd_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_distccd_client_packets'($*)) dnl
')
########################################
##
## Receive distccd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_distccd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_distccd_client_packets'($*)) dnl
gen_require(`
type distccd_client_packet_t;
')
allow $1 distccd_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_distccd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive distccd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_distccd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_distccd_client_packets'($*)) dnl
gen_require(`
type distccd_client_packet_t;
')
dontaudit $1 distccd_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_distccd_client_packets'($*)) dnl
')
########################################
##
## Send and receive distccd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_distccd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_distccd_client_packets'($*)) dnl
corenet_send_distccd_client_packets($1)
corenet_receive_distccd_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_distccd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive distccd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_distccd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_distccd_client_packets'($*)) dnl
corenet_dontaudit_send_distccd_client_packets($1)
corenet_dontaudit_receive_distccd_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_distccd_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the distccd_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_distccd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_distccd_client_packets'($*)) dnl
gen_require(`
type distccd_client_packet_t;
')
allow $1 distccd_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_distccd_client_packets'($*)) dnl
')
########################################
##
## Send distccd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_distccd_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_distccd_server_packets'($*)) dnl
gen_require(`
type distccd_server_packet_t;
')
allow $1 distccd_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_distccd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send distccd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_distccd_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_distccd_server_packets'($*)) dnl
gen_require(`
type distccd_server_packet_t;
')
dontaudit $1 distccd_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_distccd_server_packets'($*)) dnl
')
########################################
##
## Receive distccd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_distccd_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_distccd_server_packets'($*)) dnl
gen_require(`
type distccd_server_packet_t;
')
allow $1 distccd_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_distccd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive distccd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_distccd_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_distccd_server_packets'($*)) dnl
gen_require(`
type distccd_server_packet_t;
')
dontaudit $1 distccd_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_distccd_server_packets'($*)) dnl
')
########################################
##
## Send and receive distccd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_distccd_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_distccd_server_packets'($*)) dnl
corenet_send_distccd_server_packets($1)
corenet_receive_distccd_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_distccd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive distccd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_distccd_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_distccd_server_packets'($*)) dnl
corenet_dontaudit_send_distccd_server_packets($1)
corenet_dontaudit_receive_distccd_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_distccd_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the distccd_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_distccd_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_distccd_server_packets'($*)) dnl
gen_require(`
type distccd_server_packet_t;
')
allow $1 distccd_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_distccd_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the dns port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_dns_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_dns_port'($*)) dnl
gen_require(`
type dns_port_t;
')
allow $1 dns_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_dns_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the dns port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_dns_port',` dnl
# corenet_udp_send_dns_port(domain)
# Allow the domain given as the first argument to send UDP traffic on the
# dns port type. Only send_msg is granted; receive and bind are separate.
# The policy_call_depth incr/decr lines and the begin/end policy_m4_comment
# calls only bracket the expanded rules with nesting markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_dns_port'($*)) dnl
gen_require(`
type dns_port_t;
')
allow $1 dns_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_dns_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the dns port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_dns_port',` dnl
# corenet_dontaudit_udp_send_dns_port(domain)
# Suppress audit logging of denied attempts by the domain in the first
# argument to send UDP traffic on the dns port type. dontaudit grants no
# access: the operation is still denied, just without an AVC record.
# The policy_call_depth incr/decr lines and the begin/end policy_m4_comment
# calls only bracket the expanded rules with nesting markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_dns_port'($*)) dnl
gen_require(`
type dns_port_t;
')
dontaudit $1 dns_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_dns_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the dns port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_dns_port',` dnl
# corenet_udp_receive_dns_port(domain)
# Allow the domain given as the first argument to receive UDP traffic on
# the dns port type. Only recv_msg is granted; send and bind are separate.
# The policy_call_depth incr/decr lines and the begin/end policy_m4_comment
# calls only bracket the expanded rules with nesting markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_dns_port'($*)) dnl
gen_require(`
type dns_port_t;
')
allow $1 dns_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_dns_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the dns port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_dns_port',` dnl
# corenet_dontaudit_udp_receive_dns_port(domain)
# Suppress audit logging of denied attempts by the domain in the first
# argument to receive UDP traffic on the dns port type. dontaudit grants
# no access: the operation is still denied, just without an AVC record.
# The policy_call_depth incr/decr lines and the begin/end policy_m4_comment
# calls only bracket the expanded rules with nesting markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_dns_port'($*)) dnl
gen_require(`
type dns_port_t;
')
dontaudit $1 dns_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_dns_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the dns port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_dns_port',` dnl
# corenet_udp_sendrecv_dns_port(domain)
# Composite interface: expands the UDP send and receive interfaces for the
# dns port on the domain in the first argument. No gen_require is needed
# here because each callee declares the port type it uses.
# The policy_call_depth incr/decr lines and the begin/end policy_m4_comment
# calls only bracket the expanded rules with nesting markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_dns_port'($*)) dnl
corenet_udp_send_dns_port($1)
corenet_udp_receive_dns_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_dns_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the dns port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_dns_port',` dnl
# corenet_dontaudit_udp_sendrecv_dns_port(domain)
# Composite interface: expands the UDP send and receive dontaudit
# interfaces for the dns port on the domain in the first argument.
# Nothing is allowed by this; only denial logging is suppressed.
# The policy_call_depth incr/decr lines and the begin/end policy_m4_comment
# calls only bracket the expanded rules with nesting markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_dns_port'($*)) dnl
corenet_dontaudit_udp_send_dns_port($1)
corenet_dontaudit_udp_receive_dns_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_dns_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the dns port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_dns_port',` dnl
# corenet_tcp_bind_dns_port(domain)
# Allow the domain given as the first argument to bind TCP sockets to the
# dns port type. Note the second rule: the net_bind_service capability is
# granted on self unconditionally, so callers get that capability even if
# the port is not privileged (the port number is declared elsewhere).
# The policy_call_depth incr/decr lines and the begin/end policy_m4_comment
# calls only bracket the expanded rules with nesting markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_dns_port'($*)) dnl
gen_require(`
type dns_port_t;
')
allow $1 dns_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_dns_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the dns port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_dns_port',` dnl
# corenet_udp_bind_dns_port(domain)
# Allow the domain given as the first argument to bind UDP sockets to the
# dns port type. Note the second rule: the net_bind_service capability is
# granted on self unconditionally, so callers get that capability even if
# the port is not privileged (the port number is declared elsewhere).
# The policy_call_depth incr/decr lines and the begin/end policy_m4_comment
# calls only bracket the expanded rules with nesting markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_dns_port'($*)) dnl
gen_require(`
type dns_port_t;
')
allow $1 dns_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_dns_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the dns port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_dns_port',` dnl
# corenet_tcp_connect_dns_port(domain)
# Allow the domain given as the first argument to make outbound TCP
# connections to the dns port type (client side, name_connect only).
# Unlike the bind interfaces, no capability is granted here.
# The policy_call_depth incr/decr lines and the begin/end policy_m4_comment
# calls only bracket the expanded rules with nesting markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_dns_port'($*)) dnl
gen_require(`
type dns_port_t;
')
allow $1 dns_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_dns_port'($*)) dnl
')
########################################
##
## Send dns_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_dns_client_packets',` dnl
# corenet_send_dns_client_packets(domain)
# Allow the domain given as the first argument to send packets carrying
# the dns_client SECMARK packet label. Only send is granted here.
# The policy_call_depth incr/decr lines and the begin/end policy_m4_comment
# calls only bracket the expanded rules with nesting markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_dns_client_packets'($*)) dnl
gen_require(`
type dns_client_packet_t;
')
allow $1 dns_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_dns_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send dns_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_dns_client_packets',` dnl
# corenet_dontaudit_send_dns_client_packets(domain)
# Suppress audit logging of denied attempts by the domain in the first
# argument to send dns_client labeled packets. dontaudit grants no access.
# The policy_call_depth incr/decr lines and the begin/end policy_m4_comment
# calls only bracket the expanded rules with nesting markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_dns_client_packets'($*)) dnl
gen_require(`
type dns_client_packet_t;
')
dontaudit $1 dns_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_dns_client_packets'($*)) dnl
')
########################################
##
## Receive dns_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_dns_client_packets',` dnl
# corenet_receive_dns_client_packets(domain)
# Allow the domain given as the first argument to receive packets carrying
# the dns_client SECMARK packet label. Only recv is granted here.
# The policy_call_depth incr/decr lines and the begin/end policy_m4_comment
# calls only bracket the expanded rules with nesting markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_dns_client_packets'($*)) dnl
gen_require(`
type dns_client_packet_t;
')
allow $1 dns_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_dns_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive dns_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_dns_client_packets',` dnl
# corenet_dontaudit_receive_dns_client_packets(domain)
# Suppress audit logging of denied attempts by the domain in the first
# argument to receive dns_client labeled packets. dontaudit grants no access.
# The policy_call_depth incr/decr lines and the begin/end policy_m4_comment
# calls only bracket the expanded rules with nesting markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_dns_client_packets'($*)) dnl
gen_require(`
type dns_client_packet_t;
')
dontaudit $1 dns_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_dns_client_packets'($*)) dnl
')
########################################
##
## Send and receive dns_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_dns_client_packets',` dnl
# corenet_sendrecv_dns_client_packets(domain)
# Composite interface: expands the send and receive interfaces for
# dns_client labeled packets on the domain in the first argument. Each
# callee declares the packet type it requires.
# The policy_call_depth incr/decr lines and the begin/end policy_m4_comment
# calls only bracket the expanded rules with nesting markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_dns_client_packets'($*)) dnl
corenet_send_dns_client_packets($1)
corenet_receive_dns_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_dns_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive dns_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_dns_client_packets',` dnl
# corenet_dontaudit_sendrecv_dns_client_packets(domain)
# Composite interface: expands the send and receive dontaudit interfaces
# for dns_client labeled packets on the domain in the first argument.
# Nothing is allowed by this; only denial logging is suppressed.
# The policy_call_depth incr/decr lines and the begin/end policy_m4_comment
# calls only bracket the expanded rules with nesting markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_dns_client_packets'($*)) dnl
corenet_dontaudit_send_dns_client_packets($1)
corenet_dontaudit_receive_dns_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_dns_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the dns_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_dns_client_packets',` dnl
# corenet_relabelto_dns_client_packets(domain)
# Allow the domain given as the first argument to relabel packets to the
# dns_client packet label (the packet class is the SECMARK label).
# Only relabelto is granted here; send and recv are separate interfaces.
# The policy_call_depth incr/decr lines and the begin/end policy_m4_comment
# calls only bracket the expanded rules with nesting markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_dns_client_packets'($*)) dnl
gen_require(`
type dns_client_packet_t;
')
allow $1 dns_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_dns_client_packets'($*)) dnl
')
########################################
##
## Send dns_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_dns_server_packets',` dnl
# corenet_send_dns_server_packets(domain)
# Allow the domain given as the first argument to send packets carrying
# the dns_server SECMARK packet label. Only send is granted here.
# The policy_call_depth incr/decr lines and the begin/end policy_m4_comment
# calls only bracket the expanded rules with nesting markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_dns_server_packets'($*)) dnl
gen_require(`
type dns_server_packet_t;
')
allow $1 dns_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_dns_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send dns_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_dns_server_packets',` dnl
# corenet_dontaudit_send_dns_server_packets(domain)
# Suppress audit logging of denied attempts by the domain in the first
# argument to send dns_server labeled packets. dontaudit grants no access.
# The policy_call_depth incr/decr lines and the begin/end policy_m4_comment
# calls only bracket the expanded rules with nesting markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_dns_server_packets'($*)) dnl
gen_require(`
type dns_server_packet_t;
')
dontaudit $1 dns_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_dns_server_packets'($*)) dnl
')
########################################
##
## Receive dns_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_dns_server_packets',` dnl
# corenet_receive_dns_server_packets(domain)
# Allow the domain given as the first argument to receive packets carrying
# the dns_server SECMARK packet label. Only recv is granted here.
# The policy_call_depth incr/decr lines and the begin/end policy_m4_comment
# calls only bracket the expanded rules with nesting markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_dns_server_packets'($*)) dnl
gen_require(`
type dns_server_packet_t;
')
allow $1 dns_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_dns_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive dns_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_dns_server_packets',` dnl
# corenet_dontaudit_receive_dns_server_packets(domain)
# Suppress audit logging of denied attempts by the domain in the first
# argument to receive dns_server labeled packets. dontaudit grants no access.
# The policy_call_depth incr/decr lines and the begin/end policy_m4_comment
# calls only bracket the expanded rules with nesting markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_dns_server_packets'($*)) dnl
gen_require(`
type dns_server_packet_t;
')
dontaudit $1 dns_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_dns_server_packets'($*)) dnl
')
########################################
##
## Send and receive dns_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_dns_server_packets',` dnl
# corenet_sendrecv_dns_server_packets(domain)
# Composite interface: expands the send and receive interfaces for
# dns_server labeled packets on the domain in the first argument. Each
# callee declares the packet type it requires.
# The policy_call_depth incr/decr lines and the begin/end policy_m4_comment
# calls only bracket the expanded rules with nesting markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_dns_server_packets'($*)) dnl
corenet_send_dns_server_packets($1)
corenet_receive_dns_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_dns_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive dns_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_dns_server_packets',` dnl
# corenet_dontaudit_sendrecv_dns_server_packets(domain)
# Composite interface: expands the send and receive dontaudit interfaces
# for dns_server labeled packets on the domain in the first argument.
# Nothing is allowed by this; only denial logging is suppressed.
# The policy_call_depth incr/decr lines and the begin/end policy_m4_comment
# calls only bracket the expanded rules with nesting markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_dns_server_packets'($*)) dnl
corenet_dontaudit_send_dns_server_packets($1)
corenet_dontaudit_receive_dns_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_dns_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the dns_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_dns_server_packets',` dnl
# corenet_relabelto_dns_server_packets(domain)
# Allow the domain given as the first argument to relabel packets to the
# dns_server packet label (the packet class is the SECMARK label).
# Only relabelto is granted here; send and recv are separate interfaces.
# The policy_call_depth incr/decr lines and the begin/end policy_m4_comment
# calls only bracket the expanded rules with nesting markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_dns_server_packets'($*)) dnl
gen_require(`
type dns_server_packet_t;
')
allow $1 dns_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_dns_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the fingerd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_fingerd_port',` dnl
# corenet_tcp_sendrecv_fingerd_port(domain)
# Allow the domain given as the first argument to send and receive TCP
# messages on the fingerd port type. Only send_msg and recv_msg are
# granted; name_bind and name_connect are separate interfaces.
# The policy_call_depth incr/decr lines and the begin/end policy_m4_comment
# calls only bracket the expanded rules with nesting markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_fingerd_port'($*)) dnl
gen_require(`
type fingerd_port_t;
')
allow $1 fingerd_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_fingerd_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the fingerd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_fingerd_port',` dnl
# corenet_udp_send_fingerd_port(domain)
# Allow the domain given as the first argument to send UDP traffic on the
# fingerd port type. Only send_msg is granted; receive and bind are separate.
# The policy_call_depth incr/decr lines and the begin/end policy_m4_comment
# calls only bracket the expanded rules with nesting markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_fingerd_port'($*)) dnl
gen_require(`
type fingerd_port_t;
')
allow $1 fingerd_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_fingerd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the fingerd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_fingerd_port',` dnl
# corenet_dontaudit_udp_send_fingerd_port(domain)
# Suppress audit logging of denied attempts by the domain in the first
# argument to send UDP traffic on the fingerd port type. dontaudit grants
# no access: the operation is still denied, just without an AVC record.
# The policy_call_depth incr/decr lines and the begin/end policy_m4_comment
# calls only bracket the expanded rules with nesting markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_fingerd_port'($*)) dnl
gen_require(`
type fingerd_port_t;
')
dontaudit $1 fingerd_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_fingerd_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the fingerd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_fingerd_port',` dnl
# corenet_udp_receive_fingerd_port(domain)
# Allow the domain given as the first argument to receive UDP traffic on
# the fingerd port type. Only recv_msg is granted; send and bind are separate.
# The policy_call_depth incr/decr lines and the begin/end policy_m4_comment
# calls only bracket the expanded rules with nesting markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_fingerd_port'($*)) dnl
gen_require(`
type fingerd_port_t;
')
allow $1 fingerd_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_fingerd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the fingerd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_fingerd_port',` dnl
# corenet_dontaudit_udp_receive_fingerd_port(domain)
# Suppress audit logging of denied attempts by the domain in the first
# argument to receive UDP traffic on the fingerd port type. dontaudit
# grants no access: the operation is still denied, without an AVC record.
# The policy_call_depth incr/decr lines and the begin/end policy_m4_comment
# calls only bracket the expanded rules with nesting markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_fingerd_port'($*)) dnl
gen_require(`
type fingerd_port_t;
')
dontaudit $1 fingerd_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_fingerd_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the fingerd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_fingerd_port',` dnl
# corenet_udp_sendrecv_fingerd_port(domain)
# Composite interface: expands the UDP send and receive interfaces for the
# fingerd port on the domain in the first argument. No gen_require is
# needed here because each callee declares the port type it uses.
# The policy_call_depth incr/decr lines and the begin/end policy_m4_comment
# calls only bracket the expanded rules with nesting markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_fingerd_port'($*)) dnl
corenet_udp_send_fingerd_port($1)
corenet_udp_receive_fingerd_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_fingerd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the fingerd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_fingerd_port',` dnl
# corenet_dontaudit_udp_sendrecv_fingerd_port(domain)
# Composite interface: expands the UDP send and receive dontaudit
# interfaces for the fingerd port on the domain in the first argument.
# Nothing is allowed by this; only denial logging is suppressed.
# The policy_call_depth incr/decr lines and the begin/end policy_m4_comment
# calls only bracket the expanded rules with nesting markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_fingerd_port'($*)) dnl
corenet_dontaudit_udp_send_fingerd_port($1)
corenet_dontaudit_udp_receive_fingerd_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_fingerd_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the fingerd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_fingerd_port',` dnl
# corenet_tcp_bind_fingerd_port(domain)
# Allow the domain given as the first argument to bind TCP sockets to the
# fingerd port type. Note the second rule: the net_bind_service capability
# is granted on self unconditionally, so callers get that capability even
# if the port is not privileged (the port number is declared elsewhere).
# The policy_call_depth incr/decr lines and the begin/end policy_m4_comment
# calls only bracket the expanded rules with nesting markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_fingerd_port'($*)) dnl
gen_require(`
type fingerd_port_t;
')
allow $1 fingerd_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_fingerd_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the fingerd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_fingerd_port',` dnl
# corenet_udp_bind_fingerd_port(domain)
# Allow the domain given as the first argument to bind UDP sockets to the
# fingerd port type. Note the second rule: the net_bind_service capability
# is granted on self unconditionally, so callers get that capability even
# if the port is not privileged (the port number is declared elsewhere).
# The policy_call_depth incr/decr lines and the begin/end policy_m4_comment
# calls only bracket the expanded rules with nesting markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_fingerd_port'($*)) dnl
gen_require(`
type fingerd_port_t;
')
allow $1 fingerd_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_fingerd_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the fingerd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_fingerd_port',` dnl
# corenet_tcp_connect_fingerd_port(domain)
# Allow the domain given as the first argument to make outbound TCP
# connections to the fingerd port type (client side, name_connect only).
# Unlike the bind interfaces, no capability is granted here.
# The policy_call_depth incr/decr lines and the begin/end policy_m4_comment
# calls only bracket the expanded rules with nesting markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_fingerd_port'($*)) dnl
gen_require(`
type fingerd_port_t;
')
allow $1 fingerd_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_fingerd_port'($*)) dnl
')
########################################
##
## Send fingerd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_fingerd_client_packets',` dnl
# corenet_send_fingerd_client_packets(domain)
# Allow the domain given as the first argument to send packets carrying
# the fingerd_client SECMARK packet label. Only send is granted here.
# The policy_call_depth incr/decr lines and the begin/end policy_m4_comment
# calls only bracket the expanded rules with nesting markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_fingerd_client_packets'($*)) dnl
gen_require(`
type fingerd_client_packet_t;
')
allow $1 fingerd_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_fingerd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send fingerd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_fingerd_client_packets',` dnl
# corenet_dontaudit_send_fingerd_client_packets(domain)
# Suppress audit logging of denied attempts by the domain in the first
# argument to send fingerd_client labeled packets. dontaudit grants no
# access.
# The policy_call_depth incr/decr lines and the begin/end policy_m4_comment
# calls only bracket the expanded rules with nesting markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_fingerd_client_packets'($*)) dnl
gen_require(`
type fingerd_client_packet_t;
')
dontaudit $1 fingerd_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_fingerd_client_packets'($*)) dnl
')
########################################
##
## Receive fingerd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_fingerd_client_packets',` dnl
# corenet_receive_fingerd_client_packets(domain)
# Allow the domain given as the first argument to receive packets carrying
# the fingerd_client SECMARK packet label. Only recv is granted here.
# The policy_call_depth incr/decr lines and the begin/end policy_m4_comment
# calls only bracket the expanded rules with nesting markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_fingerd_client_packets'($*)) dnl
gen_require(`
type fingerd_client_packet_t;
')
allow $1 fingerd_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_fingerd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive fingerd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_fingerd_client_packets',` dnl
# corenet_dontaudit_receive_fingerd_client_packets(domain)
# Suppress audit logging of denied attempts by the domain in the first
# argument to receive fingerd_client labeled packets. dontaudit grants no
# access.
# The policy_call_depth incr/decr lines and the begin/end policy_m4_comment
# calls only bracket the expanded rules with nesting markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_fingerd_client_packets'($*)) dnl
gen_require(`
type fingerd_client_packet_t;
')
dontaudit $1 fingerd_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_fingerd_client_packets'($*)) dnl
')
########################################
##
## Send and receive fingerd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_fingerd_client_packets',` dnl
# corenet_sendrecv_fingerd_client_packets(domain)
# Composite interface: expands the send and receive interfaces for
# fingerd_client labeled packets on the domain in the first argument.
# Each callee declares the packet type it requires.
# The policy_call_depth incr/decr lines and the begin/end policy_m4_comment
# calls only bracket the expanded rules with nesting markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_fingerd_client_packets'($*)) dnl
corenet_send_fingerd_client_packets($1)
corenet_receive_fingerd_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_fingerd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive fingerd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_fingerd_client_packets',` dnl
# corenet_dontaudit_sendrecv_fingerd_client_packets(domain)
# Composite interface: expands the send and receive dontaudit interfaces
# for fingerd_client labeled packets on the domain in the first argument.
# Nothing is allowed by this; only denial logging is suppressed.
# The policy_call_depth incr/decr lines and the begin/end policy_m4_comment
# calls only bracket the expanded rules with nesting markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_fingerd_client_packets'($*)) dnl
corenet_dontaudit_send_fingerd_client_packets($1)
corenet_dontaudit_receive_fingerd_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_fingerd_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the fingerd_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_fingerd_client_packets',` dnl
# corenet_relabelto_fingerd_client_packets(domain)
# Allow the domain given as the first argument to relabel packets to the
# fingerd_client packet label (the packet class is the SECMARK label).
# Only relabelto is granted here; send and recv are separate interfaces.
# The policy_call_depth incr/decr lines and the begin/end policy_m4_comment
# calls only bracket the expanded rules with nesting markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_fingerd_client_packets'($*)) dnl
gen_require(`
type fingerd_client_packet_t;
')
allow $1 fingerd_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_fingerd_client_packets'($*)) dnl
')
########################################
##
## Send fingerd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_fingerd_server_packets',` dnl
# corenet_send_fingerd_server_packets(domain)
# Allow the domain given as the first argument to send packets carrying
# the fingerd_server SECMARK packet label. Only send is granted here.
# The policy_call_depth incr/decr lines and the begin/end policy_m4_comment
# calls only bracket the expanded rules with nesting markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_fingerd_server_packets'($*)) dnl
gen_require(`
type fingerd_server_packet_t;
')
allow $1 fingerd_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_fingerd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send fingerd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_fingerd_server_packets',` dnl
# corenet_dontaudit_send_fingerd_server_packets(domain)
# Suppress audit logging of denied attempts by the domain in the first
# argument to send fingerd_server labeled packets. dontaudit grants no
# access.
# The policy_call_depth incr/decr lines and the begin/end policy_m4_comment
# calls only bracket the expanded rules with nesting markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_fingerd_server_packets'($*)) dnl
gen_require(`
type fingerd_server_packet_t;
')
dontaudit $1 fingerd_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_fingerd_server_packets'($*)) dnl
')
########################################
##
## Receive fingerd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_fingerd_server_packets',` dnl
# corenet_receive_fingerd_server_packets(domain)
# Allow the domain given as the first argument to receive packets carrying
# the fingerd_server SECMARK packet label. Only recv is granted here.
# The policy_call_depth incr/decr lines and the begin/end policy_m4_comment
# calls only bracket the expanded rules with nesting markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_fingerd_server_packets'($*)) dnl
gen_require(`
type fingerd_server_packet_t;
')
allow $1 fingerd_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_fingerd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive fingerd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_fingerd_server_packets',` dnl
# corenet_dontaudit_receive_fingerd_server_packets(domain)
# Suppress audit logging of denied attempts by the domain in the first
# argument to receive fingerd_server labeled packets. dontaudit grants no
# access.
# The policy_call_depth incr/decr lines and the begin/end policy_m4_comment
# calls only bracket the expanded rules with nesting markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_fingerd_server_packets'($*)) dnl
gen_require(`
type fingerd_server_packet_t;
')
dontaudit $1 fingerd_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_fingerd_server_packets'($*)) dnl
')
########################################
##
## Send and receive fingerd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_fingerd_server_packets',` dnl
# corenet_sendrecv_fingerd_server_packets(domain)
# Composite interface: expands the send and receive interfaces for
# fingerd_server labeled packets on the domain in the first argument.
# Each callee declares the packet type it requires.
# The policy_call_depth incr/decr lines and the begin/end policy_m4_comment
# calls only bracket the expanded rules with nesting markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_fingerd_server_packets'($*)) dnl
corenet_send_fingerd_server_packets($1)
corenet_receive_fingerd_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_fingerd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive fingerd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_fingerd_server_packets',` dnl
# corenet_dontaudit_sendrecv_fingerd_server_packets(domain)
# Composite interface: expands the send and receive dontaudit interfaces
# for fingerd_server labeled packets on the domain in the first argument.
# Nothing is allowed by this; only denial logging is suppressed.
# The policy_call_depth incr/decr lines and the begin/end policy_m4_comment
# calls only bracket the expanded rules with nesting markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_fingerd_server_packets'($*)) dnl
corenet_dontaudit_send_fingerd_server_packets($1)
corenet_dontaudit_receive_fingerd_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_fingerd_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the fingerd_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_fingerd_server_packets',` dnl
# corenet_relabelto_fingerd_server_packets(domain)
# Allow the domain given as the first argument to relabel packets to the
# fingerd_server packet label (the packet class is the SECMARK label).
# Only relabelto is granted here; send and recv are separate interfaces.
# The policy_call_depth incr/decr lines and the begin/end policy_m4_comment
# calls only bracket the expanded rules with nesting markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_fingerd_server_packets'($*)) dnl
gen_require(`
type fingerd_server_packet_t;
')
allow $1 fingerd_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_fingerd_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the ftp_data port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_ftp_data_port',` dnl
dnl Interface: allow the caller domain ($1) send_msg and recv_msg on TCP sockets
dnl labelled ftp_data_port_t, i.e. bidirectional TCP traffic on the ftp_data port.
dnl The define/pushdef/undefine lines are refpolicy call-depth scaffolding for
dnl policy_m4_comment; they expand to nothing and grant no access.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ftp_data_port'($*)) dnl
gen_require(`
type ftp_data_port_t;
')
allow $1 ftp_data_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ftp_data_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the ftp_data port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_ftp_data_port',` dnl
dnl Interface: allow the caller domain ($1) to send UDP datagrams on ftp_data_port_t.
dnl The define/pushdef/undefine lines are refpolicy call-depth scaffolding for
dnl policy_m4_comment; they expand to nothing and grant no access.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ftp_data_port'($*)) dnl
gen_require(`
type ftp_data_port_t;
')
allow $1 ftp_data_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_ftp_data_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the ftp_data port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_ftp_data_port',` dnl
dnl Interface: suppress AVC audit records for $1 sending UDP on ftp_data_port_t.
dnl This grants nothing; it only silences the denial log for that access.
dnl The define/pushdef/undefine lines are refpolicy call-depth scaffolding.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ftp_data_port'($*)) dnl
gen_require(`
type ftp_data_port_t;
')
dontaudit $1 ftp_data_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ftp_data_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the ftp_data port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_ftp_data_port',` dnl
dnl Interface: allow the caller domain ($1) to receive UDP datagrams on ftp_data_port_t.
dnl The define/pushdef/undefine lines are refpolicy call-depth scaffolding for
dnl policy_m4_comment; they expand to nothing and grant no access.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ftp_data_port'($*)) dnl
gen_require(`
type ftp_data_port_t;
')
allow $1 ftp_data_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ftp_data_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the ftp_data port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_ftp_data_port',` dnl
dnl Interface: suppress AVC audit records for $1 receiving UDP on ftp_data_port_t.
dnl This grants nothing; it only silences the denial log for that access.
dnl The define/pushdef/undefine lines are refpolicy call-depth scaffolding.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ftp_data_port'($*)) dnl
gen_require(`
type ftp_data_port_t;
')
dontaudit $1 ftp_data_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ftp_data_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the ftp_data port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_ftp_data_port',` dnl
dnl Interface: bidirectional UDP on ftp_data_port_t for the caller domain ($1),
dnl built by expanding the send and receive interfaces; no rules are added here.
dnl The define/pushdef/undefine lines are refpolicy call-depth scaffolding.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ftp_data_port'($*)) dnl
corenet_udp_send_ftp_data_port($1)
corenet_udp_receive_ftp_data_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ftp_data_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the ftp_data port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_ftp_data_port',` dnl
dnl Interface: silence AVC denials for $1 sending or receiving UDP on
dnl ftp_data_port_t by expanding both dontaudit interfaces; nothing is granted.
dnl The define/pushdef/undefine lines are refpolicy call-depth scaffolding.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ftp_data_port'($*)) dnl
corenet_dontaudit_udp_send_ftp_data_port($1)
corenet_dontaudit_udp_receive_ftp_data_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ftp_data_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the ftp_data port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_ftp_data_port',` dnl
dnl Interface: allow the caller domain ($1) to bind TCP sockets to ftp_data_port_t.
dnl NOTE(review): the second rule also grants $1 the net_bind_service capability,
dnl presumably because this port is in the privileged range (below 1024). That
dnl capability is not scoped to this port type, so callers acquire it globally.
dnl The define/pushdef/undefine lines are refpolicy call-depth scaffolding.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ftp_data_port'($*)) dnl
gen_require(`
type ftp_data_port_t;
')
allow $1 ftp_data_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ftp_data_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the ftp_data port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_ftp_data_port',` dnl
dnl Interface: allow the caller domain ($1) to bind UDP sockets to ftp_data_port_t.
dnl NOTE(review): the second rule also grants $1 the net_bind_service capability,
dnl presumably because this port is in the privileged range (below 1024). That
dnl capability is not scoped to this port type, so callers acquire it globally.
dnl The define/pushdef/undefine lines are refpolicy call-depth scaffolding.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ftp_data_port'($*)) dnl
gen_require(`
type ftp_data_port_t;
')
allow $1 ftp_data_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ftp_data_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the ftp_data port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_ftp_data_port',` dnl
dnl Interface: allow the caller domain ($1) name_connect to ftp_data_port_t, i.e.
dnl outbound TCP connections to the ftp_data port. Sending and receiving on the
dnl established socket is covered by the separate tcp_sendrecv interface.
dnl The define/pushdef/undefine lines are refpolicy call-depth scaffolding.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ftp_data_port'($*)) dnl
gen_require(`
type ftp_data_port_t;
')
allow $1 ftp_data_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ftp_data_port'($*)) dnl
')
########################################
##
## Send ftp_data_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_ftp_data_client_packets',` dnl
dnl Interface: allow the caller domain ($1) packet:send on packets labelled
dnl ftp_data_client_packet_t.
dnl The define/pushdef/undefine lines are refpolicy call-depth scaffolding for
dnl policy_m4_comment; they expand to nothing and grant no access.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ftp_data_client_packets'($*)) dnl
gen_require(`
type ftp_data_client_packet_t;
')
allow $1 ftp_data_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ftp_data_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send ftp_data_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_ftp_data_client_packets',` dnl
dnl Interface: suppress AVC audit records for $1 sending ftp_data_client packets.
dnl This grants nothing; it only silences the denial log for that access.
dnl The define/pushdef/undefine lines are refpolicy call-depth scaffolding.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ftp_data_client_packets'($*)) dnl
gen_require(`
type ftp_data_client_packet_t;
')
dontaudit $1 ftp_data_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ftp_data_client_packets'($*)) dnl
')
########################################
##
## Receive ftp_data_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_ftp_data_client_packets',` dnl
dnl Interface: allow the caller domain ($1) packet:recv on packets labelled
dnl ftp_data_client_packet_t.
dnl The define/pushdef/undefine lines are refpolicy call-depth scaffolding for
dnl policy_m4_comment; they expand to nothing and grant no access.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ftp_data_client_packets'($*)) dnl
gen_require(`
type ftp_data_client_packet_t;
')
allow $1 ftp_data_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ftp_data_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive ftp_data_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_ftp_data_client_packets',` dnl
dnl Interface: suppress AVC audit records for $1 receiving ftp_data_client packets.
dnl This grants nothing; it only silences the denial log for that access.
dnl The define/pushdef/undefine lines are refpolicy call-depth scaffolding.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ftp_data_client_packets'($*)) dnl
gen_require(`
type ftp_data_client_packet_t;
')
dontaudit $1 ftp_data_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ftp_data_client_packets'($*)) dnl
')
########################################
##
## Send and receive ftp_data_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_ftp_data_client_packets',` dnl
dnl Interface: bidirectional ftp_data_client packet access for the caller domain ($1),
dnl built by expanding the send and receive interfaces; no rules are added here.
dnl The define/pushdef/undefine lines are refpolicy call-depth scaffolding.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ftp_data_client_packets'($*)) dnl
corenet_send_ftp_data_client_packets($1)
corenet_receive_ftp_data_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ftp_data_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive ftp_data_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_ftp_data_client_packets',` dnl
dnl Interface: silence AVC denials for $1 sending or receiving ftp_data_client
dnl packets by expanding both dontaudit interfaces; nothing is granted.
dnl The define/pushdef/undefine lines are refpolicy call-depth scaffolding.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ftp_data_client_packets'($*)) dnl
corenet_dontaudit_send_ftp_data_client_packets($1)
corenet_dontaudit_receive_ftp_data_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ftp_data_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the ftp_data_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_ftp_data_client_packets',` dnl
dnl Interface: allow the caller domain ($1) to relabel packets to ftp_data_client_packet_t.
dnl NOTE(review): relabelto on the packet class is presumably only needed by the
dnl domain that configures packet labelling; keep the set of callers small.
dnl The define/pushdef/undefine lines are refpolicy call-depth scaffolding.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ftp_data_client_packets'($*)) dnl
gen_require(`
type ftp_data_client_packet_t;
')
allow $1 ftp_data_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ftp_data_client_packets'($*)) dnl
')
########################################
##
## Send ftp_data_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_ftp_data_server_packets',` dnl
dnl Interface: allow the caller domain ($1) packet:send on packets labelled
dnl ftp_data_server_packet_t.
dnl The define/pushdef/undefine lines are refpolicy call-depth scaffolding for
dnl policy_m4_comment; they expand to nothing and grant no access.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ftp_data_server_packets'($*)) dnl
gen_require(`
type ftp_data_server_packet_t;
')
allow $1 ftp_data_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ftp_data_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send ftp_data_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_ftp_data_server_packets',` dnl
dnl Interface: suppress AVC audit records for $1 sending ftp_data_server packets.
dnl This grants nothing; it only silences the denial log for that access.
dnl The define/pushdef/undefine lines are refpolicy call-depth scaffolding.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ftp_data_server_packets'($*)) dnl
gen_require(`
type ftp_data_server_packet_t;
')
dontaudit $1 ftp_data_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ftp_data_server_packets'($*)) dnl
')
########################################
##
## Receive ftp_data_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_ftp_data_server_packets',` dnl
dnl Interface: allow the caller domain ($1) packet:recv on packets labelled
dnl ftp_data_server_packet_t.
dnl The define/pushdef/undefine lines are refpolicy call-depth scaffolding for
dnl policy_m4_comment; they expand to nothing and grant no access.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ftp_data_server_packets'($*)) dnl
gen_require(`
type ftp_data_server_packet_t;
')
allow $1 ftp_data_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ftp_data_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive ftp_data_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_ftp_data_server_packets',` dnl
dnl Interface: suppress AVC audit records for $1 receiving ftp_data_server packets.
dnl This grants nothing; it only silences the denial log for that access.
dnl The define/pushdef/undefine lines are refpolicy call-depth scaffolding.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ftp_data_server_packets'($*)) dnl
gen_require(`
type ftp_data_server_packet_t;
')
dontaudit $1 ftp_data_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ftp_data_server_packets'($*)) dnl
')
########################################
##
## Send and receive ftp_data_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_ftp_data_server_packets',` dnl
dnl Interface: bidirectional ftp_data_server packet access for the caller domain ($1),
dnl built by expanding the send and receive interfaces; no rules are added here.
dnl The define/pushdef/undefine lines are refpolicy call-depth scaffolding.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ftp_data_server_packets'($*)) dnl
corenet_send_ftp_data_server_packets($1)
corenet_receive_ftp_data_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ftp_data_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive ftp_data_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_ftp_data_server_packets',` dnl
dnl Interface: silence AVC denials for $1 sending or receiving ftp_data_server
dnl packets by expanding both dontaudit interfaces; nothing is granted.
dnl The define/pushdef/undefine lines are refpolicy call-depth scaffolding.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ftp_data_server_packets'($*)) dnl
corenet_dontaudit_send_ftp_data_server_packets($1)
corenet_dontaudit_receive_ftp_data_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ftp_data_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the ftp_data_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_ftp_data_server_packets',` dnl
dnl Interface: allow the caller domain ($1) to relabel packets to ftp_data_server_packet_t.
dnl NOTE(review): relabelto on the packet class is presumably only needed by the
dnl domain that configures packet labelling; keep the set of callers small.
dnl The define/pushdef/undefine lines are refpolicy call-depth scaffolding.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ftp_data_server_packets'($*)) dnl
gen_require(`
type ftp_data_server_packet_t;
')
allow $1 ftp_data_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ftp_data_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the ftp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_ftp_port',` dnl
dnl Interface: allow the caller domain ($1) send_msg and recv_msg on TCP sockets
dnl labelled ftp_port_t, i.e. bidirectional TCP traffic on the ftp port.
dnl The define/pushdef/undefine lines are refpolicy call-depth scaffolding for
dnl policy_m4_comment; they expand to nothing and grant no access.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ftp_port'($*)) dnl
gen_require(`
type ftp_port_t;
')
allow $1 ftp_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ftp_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the ftp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_ftp_port',` dnl
dnl Interface: allow the caller domain ($1) to send UDP datagrams on ftp_port_t.
dnl The define/pushdef/undefine lines are refpolicy call-depth scaffolding for
dnl policy_m4_comment; they expand to nothing and grant no access.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ftp_port'($*)) dnl
gen_require(`
type ftp_port_t;
')
allow $1 ftp_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_ftp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the ftp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_ftp_port',` dnl
dnl Interface: suppress AVC audit records for $1 sending UDP on ftp_port_t.
dnl This grants nothing; it only silences the denial log for that access.
dnl The define/pushdef/undefine lines are refpolicy call-depth scaffolding.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ftp_port'($*)) dnl
gen_require(`
type ftp_port_t;
')
dontaudit $1 ftp_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ftp_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the ftp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_ftp_port',` dnl
dnl Interface: allow the caller domain ($1) to receive UDP datagrams on ftp_port_t.
dnl The define/pushdef/undefine lines are refpolicy call-depth scaffolding for
dnl policy_m4_comment; they expand to nothing and grant no access.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ftp_port'($*)) dnl
gen_require(`
type ftp_port_t;
')
allow $1 ftp_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ftp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the ftp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_ftp_port',` dnl
dnl Interface: suppress AVC audit records for $1 receiving UDP on ftp_port_t.
dnl This grants nothing; it only silences the denial log for that access.
dnl The define/pushdef/undefine lines are refpolicy call-depth scaffolding.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ftp_port'($*)) dnl
gen_require(`
type ftp_port_t;
')
dontaudit $1 ftp_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ftp_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the ftp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_ftp_port',` dnl
dnl Interface: bidirectional UDP on ftp_port_t for the caller domain ($1), built
dnl by expanding the send and receive interfaces; no rules are added here.
dnl The define/pushdef/undefine lines are refpolicy call-depth scaffolding.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ftp_port'($*)) dnl
corenet_udp_send_ftp_port($1)
corenet_udp_receive_ftp_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ftp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the ftp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_ftp_port',` dnl
dnl Interface: silence AVC denials for $1 sending or receiving UDP on ftp_port_t
dnl by expanding both dontaudit interfaces; nothing is granted.
dnl The define/pushdef/undefine lines are refpolicy call-depth scaffolding.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ftp_port'($*)) dnl
corenet_dontaudit_udp_send_ftp_port($1)
corenet_dontaudit_udp_receive_ftp_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ftp_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the ftp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_ftp_port',` dnl
dnl Interface: allow the caller domain ($1) to bind TCP sockets to ftp_port_t.
dnl NOTE(review): the second rule also grants $1 the net_bind_service capability,
dnl presumably because this port is in the privileged range (below 1024). That
dnl capability is not scoped to this port type, so callers acquire it globally.
dnl The define/pushdef/undefine lines are refpolicy call-depth scaffolding.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ftp_port'($*)) dnl
gen_require(`
type ftp_port_t;
')
allow $1 ftp_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ftp_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the ftp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_ftp_port',` dnl
dnl Interface: allow the caller domain ($1) to bind UDP sockets to ftp_port_t.
dnl NOTE(review): the second rule also grants $1 the net_bind_service capability,
dnl presumably because this port is in the privileged range (below 1024). That
dnl capability is not scoped to this port type, so callers acquire it globally.
dnl The define/pushdef/undefine lines are refpolicy call-depth scaffolding.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ftp_port'($*)) dnl
gen_require(`
type ftp_port_t;
')
allow $1 ftp_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ftp_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the ftp port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_ftp_port',` dnl
dnl Interface: allow the caller domain ($1) name_connect to ftp_port_t, i.e.
dnl outbound TCP connections to the ftp port. Sending and receiving on the
dnl established socket is covered by the separate tcp_sendrecv interface.
dnl The define/pushdef/undefine lines are refpolicy call-depth scaffolding.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ftp_port'($*)) dnl
gen_require(`
type ftp_port_t;
')
allow $1 ftp_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ftp_port'($*)) dnl
')
########################################
##
## Send ftp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_ftp_client_packets',` dnl
dnl Interface: allow the caller domain ($1) packet:send on packets labelled
dnl ftp_client_packet_t.
dnl The define/pushdef/undefine lines are refpolicy call-depth scaffolding for
dnl policy_m4_comment; they expand to nothing and grant no access.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ftp_client_packets'($*)) dnl
gen_require(`
type ftp_client_packet_t;
')
allow $1 ftp_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ftp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send ftp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_ftp_client_packets',` dnl
dnl Interface: suppress AVC audit records for $1 sending ftp_client packets.
dnl This grants nothing; it only silences the denial log for that access.
dnl The define/pushdef/undefine lines are refpolicy call-depth scaffolding.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ftp_client_packets'($*)) dnl
gen_require(`
type ftp_client_packet_t;
')
dontaudit $1 ftp_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ftp_client_packets'($*)) dnl
')
########################################
##
## Receive ftp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_ftp_client_packets',` dnl
dnl Interface: allow the caller domain ($1) packet:recv on packets labelled
dnl ftp_client_packet_t.
dnl The define/pushdef/undefine lines are refpolicy call-depth scaffolding for
dnl policy_m4_comment; they expand to nothing and grant no access.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ftp_client_packets'($*)) dnl
gen_require(`
type ftp_client_packet_t;
')
allow $1 ftp_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ftp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive ftp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_ftp_client_packets',` dnl
dnl Interface: suppress AVC audit records for $1 receiving ftp_client packets.
dnl This grants nothing; it only silences the denial log for that access.
dnl The define/pushdef/undefine lines are refpolicy call-depth scaffolding.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ftp_client_packets'($*)) dnl
gen_require(`
type ftp_client_packet_t;
')
dontaudit $1 ftp_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ftp_client_packets'($*)) dnl
')
########################################
##
## Send and receive ftp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_ftp_client_packets',` dnl
dnl Interface: bidirectional ftp_client packet access for the caller domain ($1),
dnl built by expanding the send and receive interfaces; no rules are added here.
dnl The define/pushdef/undefine lines are refpolicy call-depth scaffolding.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ftp_client_packets'($*)) dnl
corenet_send_ftp_client_packets($1)
corenet_receive_ftp_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ftp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive ftp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_ftp_client_packets',` dnl
dnl Interface: silence AVC denials for $1 sending or receiving ftp_client
dnl packets by expanding both dontaudit interfaces; nothing is granted.
dnl The define/pushdef/undefine lines are refpolicy call-depth scaffolding.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ftp_client_packets'($*)) dnl
corenet_dontaudit_send_ftp_client_packets($1)
corenet_dontaudit_receive_ftp_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ftp_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the ftp_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_ftp_client_packets',` dnl
dnl Interface: allow the caller domain ($1) to relabel packets to ftp_client_packet_t.
dnl NOTE(review): relabelto on the packet class is presumably only needed by the
dnl domain that configures packet labelling; keep the set of callers small.
dnl The define/pushdef/undefine lines are refpolicy call-depth scaffolding.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ftp_client_packets'($*)) dnl
gen_require(`
type ftp_client_packet_t;
')
allow $1 ftp_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ftp_client_packets'($*)) dnl
')
########################################
##
## Send ftp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_ftp_server_packets',` dnl
dnl Interface: allow the caller domain ($1) packet:send on packets labelled
dnl ftp_server_packet_t.
dnl The define/pushdef/undefine lines are refpolicy call-depth scaffolding for
dnl policy_m4_comment; they expand to nothing and grant no access.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ftp_server_packets'($*)) dnl
gen_require(`
type ftp_server_packet_t;
')
allow $1 ftp_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ftp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send ftp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_ftp_server_packets',` dnl
dnl Interface: suppress AVC audit records for $1 sending ftp_server packets.
dnl This grants nothing; it only silences the denial log for that access.
dnl The define/pushdef/undefine lines are refpolicy call-depth scaffolding.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ftp_server_packets'($*)) dnl
gen_require(`
type ftp_server_packet_t;
')
dontaudit $1 ftp_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ftp_server_packets'($*)) dnl
')
########################################
##
## Receive ftp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_ftp_server_packets',` dnl
dnl Interface: allow the caller domain ($1) packet:recv on packets labelled
dnl ftp_server_packet_t.
dnl The define/pushdef/undefine lines are refpolicy call-depth scaffolding for
dnl policy_m4_comment; they expand to nothing and grant no access.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ftp_server_packets'($*)) dnl
gen_require(`
type ftp_server_packet_t;
')
allow $1 ftp_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ftp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive ftp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_ftp_server_packets',` dnl
dnl Interface: suppress AVC audit records for $1 receiving ftp_server packets.
dnl This grants nothing; it only silences the denial log for that access.
dnl The define/pushdef/undefine lines are refpolicy call-depth scaffolding.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ftp_server_packets'($*)) dnl
gen_require(`
type ftp_server_packet_t;
')
dontaudit $1 ftp_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ftp_server_packets'($*)) dnl
')
########################################
##
## Send and receive ftp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_ftp_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ftp_server_packets'($*)) dnl
dnl composition only: delegates to the send and receive interfaces, each of which
dnl carries its own gen_require for ftp_server_packet_t, so none is needed here
corenet_send_ftp_server_packets($1)
corenet_receive_ftp_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ftp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive ftp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_ftp_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ftp_server_packets'($*)) dnl
dnl composition only: silences denial records for both directions by delegating to
dnl the two dontaudit interfaces above; no access is granted by this interface
corenet_dontaudit_send_ftp_server_packets($1)
corenet_dontaudit_receive_ftp_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ftp_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the ftp_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_ftp_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ftp_server_packets'($*)) dnl
gen_require(`
type ftp_server_packet_t;
')
dnl grants the calling domain (argument 1) relabelto toward ftp_server_packet_t on class packet;
dnl this is a labeling privilege, not send or receive access, and should be handed out sparingly
allow $1 ftp_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ftp_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the gatekeeper port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_gatekeeper_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_gatekeeper_port'($*)) dnl
gen_require(`
type gatekeeper_port_t;
')
dnl grants the calling domain (argument 1) send_msg and recv_msg on TCP sockets for
dnl gatekeeper_port_t; binding and connecting are separate permissions with their own interfaces
allow $1 gatekeeper_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_gatekeeper_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the gatekeeper port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_gatekeeper_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_gatekeeper_port'($*)) dnl
gen_require(`
type gatekeeper_port_t;
')
dnl grants the calling domain (argument 1) send_msg on UDP sockets for gatekeeper_port_t;
dnl receive is a separate permission granted by corenet_udp_receive_gatekeeper_port
allow $1 gatekeeper_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_gatekeeper_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the gatekeeper port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_gatekeeper_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_gatekeeper_port'($*)) dnl
gen_require(`
type gatekeeper_port_t;
')
dnl dontaudit only suppresses the AVC denial record for this access; it grants nothing,
dnl so the calling domain (argument 1) is still denied unless an allow rule exists elsewhere
dontaudit $1 gatekeeper_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_gatekeeper_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the gatekeeper port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_gatekeeper_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_gatekeeper_port'($*)) dnl
gen_require(`
type gatekeeper_port_t;
')
dnl grants the calling domain (argument 1) recv_msg on UDP sockets for gatekeeper_port_t;
dnl send is a separate permission granted by corenet_udp_send_gatekeeper_port
allow $1 gatekeeper_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_gatekeeper_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the gatekeeper port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_gatekeeper_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_gatekeeper_port'($*)) dnl
gen_require(`
type gatekeeper_port_t;
')
dnl dontaudit only suppresses the AVC denial record for this access; it grants nothing,
dnl so the calling domain (argument 1) is still denied unless an allow rule exists elsewhere
dontaudit $1 gatekeeper_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_gatekeeper_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the gatekeeper port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_gatekeeper_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_gatekeeper_port'($*)) dnl
dnl composition only: delegates to the UDP send and receive interfaces, each of which
dnl carries its own gen_require for gatekeeper_port_t, so none is needed here
corenet_udp_send_gatekeeper_port($1)
corenet_udp_receive_gatekeeper_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_gatekeeper_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the gatekeeper port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_gatekeeper_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_gatekeeper_port'($*)) dnl
dnl composition only: silences denial records for both UDP directions by delegating to
dnl the two dontaudit interfaces above; no access is granted by this interface
corenet_dontaudit_udp_send_gatekeeper_port($1)
corenet_dontaudit_udp_receive_gatekeeper_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_gatekeeper_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the gatekeeper port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_gatekeeper_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_gatekeeper_port'($*)) dnl
gen_require(`
type gatekeeper_port_t;
')
dnl grants the calling domain (argument 1) name_bind on gatekeeper_port_t for TCP, i.e. the
dnl ability to bind a TCP socket to that port; message traffic still needs the sendrecv interface
allow $1 gatekeeper_port_t:tcp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_gatekeeper_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the gatekeeper port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_gatekeeper_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_gatekeeper_port'($*)) dnl
gen_require(`
type gatekeeper_port_t;
')
dnl grants the calling domain (argument 1) name_bind on gatekeeper_port_t for UDP, i.e. the
dnl ability to bind a UDP socket to that port; datagram traffic still needs the send/receive interfaces
allow $1 gatekeeper_port_t:udp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_gatekeeper_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the gatekeeper port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_gatekeeper_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_gatekeeper_port'($*)) dnl
gen_require(`
type gatekeeper_port_t;
')
dnl grants the calling domain (argument 1) name_connect on gatekeeper_port_t, i.e. the ability
dnl to open an outbound TCP connection to that port; there is no UDP counterpart to name_connect
allow $1 gatekeeper_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_gatekeeper_port'($*)) dnl
')
########################################
##
## Send gatekeeper_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_gatekeeper_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_gatekeeper_client_packets'($*)) dnl
gen_require(`
type gatekeeper_client_packet_t;
')
dnl grants the calling domain (argument 1) send on packets labeled gatekeeper_client_packet_t;
dnl the gen_require block above declares the type as a dependency of the calling module
allow $1 gatekeeper_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_gatekeeper_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send gatekeeper_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_gatekeeper_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_gatekeeper_client_packets'($*)) dnl
gen_require(`
type gatekeeper_client_packet_t;
')
dnl dontaudit only suppresses the AVC denial record for this access; it grants nothing,
dnl so the calling domain (argument 1) is still denied unless an allow rule exists elsewhere
dontaudit $1 gatekeeper_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_gatekeeper_client_packets'($*)) dnl
')
########################################
##
## Receive gatekeeper_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_gatekeeper_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_gatekeeper_client_packets'($*)) dnl
gen_require(`
type gatekeeper_client_packet_t;
')
dnl grants the calling domain (argument 1) recv on packets labeled gatekeeper_client_packet_t;
dnl the gen_require block above declares the type as a dependency of the calling module
allow $1 gatekeeper_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_gatekeeper_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive gatekeeper_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_gatekeeper_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_gatekeeper_client_packets'($*)) dnl
gen_require(`
type gatekeeper_client_packet_t;
')
dnl dontaudit only suppresses the AVC denial record for this access; it grants nothing,
dnl so the calling domain (argument 1) is still denied unless an allow rule exists elsewhere
dontaudit $1 gatekeeper_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_gatekeeper_client_packets'($*)) dnl
')
########################################
##
## Send and receive gatekeeper_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_gatekeeper_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_gatekeeper_client_packets'($*)) dnl
dnl composition only: delegates to the send and receive interfaces, each of which
dnl carries its own gen_require for gatekeeper_client_packet_t, so none is needed here
corenet_send_gatekeeper_client_packets($1)
corenet_receive_gatekeeper_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_gatekeeper_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive gatekeeper_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_gatekeeper_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_gatekeeper_client_packets'($*)) dnl
dnl composition only: silences denial records for both directions by delegating to
dnl the two dontaudit interfaces above; no access is granted by this interface
corenet_dontaudit_send_gatekeeper_client_packets($1)
corenet_dontaudit_receive_gatekeeper_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_gatekeeper_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the gatekeeper_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_gatekeeper_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_gatekeeper_client_packets'($*)) dnl
gen_require(`
type gatekeeper_client_packet_t;
')
dnl grants the calling domain (argument 1) relabelto toward gatekeeper_client_packet_t on class packet;
dnl this is a labeling privilege, not send or receive access, and should be handed out sparingly
allow $1 gatekeeper_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_gatekeeper_client_packets'($*)) dnl
')
########################################
##
## Send gatekeeper_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_gatekeeper_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_gatekeeper_server_packets'($*)) dnl
gen_require(`
type gatekeeper_server_packet_t;
')
dnl grants the calling domain (argument 1) send on packets labeled gatekeeper_server_packet_t;
dnl the gen_require block above declares the type as a dependency of the calling module
allow $1 gatekeeper_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_gatekeeper_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send gatekeeper_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_gatekeeper_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_gatekeeper_server_packets'($*)) dnl
gen_require(`
type gatekeeper_server_packet_t;
')
dnl dontaudit only suppresses the AVC denial record for this access; it grants nothing,
dnl so the calling domain (argument 1) is still denied unless an allow rule exists elsewhere
dontaudit $1 gatekeeper_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_gatekeeper_server_packets'($*)) dnl
')
########################################
##
## Receive gatekeeper_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_gatekeeper_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_gatekeeper_server_packets'($*)) dnl
gen_require(`
type gatekeeper_server_packet_t;
')
dnl grants the calling domain (argument 1) recv on packets labeled gatekeeper_server_packet_t;
dnl the gen_require block above declares the type as a dependency of the calling module
allow $1 gatekeeper_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_gatekeeper_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive gatekeeper_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_gatekeeper_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_gatekeeper_server_packets'($*)) dnl
gen_require(`
type gatekeeper_server_packet_t;
')
dnl dontaudit only suppresses the AVC denial record for this access; it grants nothing,
dnl so the calling domain (argument 1) is still denied unless an allow rule exists elsewhere
dontaudit $1 gatekeeper_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_gatekeeper_server_packets'($*)) dnl
')
########################################
##
## Send and receive gatekeeper_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_gatekeeper_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_gatekeeper_server_packets'($*)) dnl
dnl composition only: delegates to the send and receive interfaces, each of which
dnl carries its own gen_require for gatekeeper_server_packet_t, so none is needed here
corenet_send_gatekeeper_server_packets($1)
corenet_receive_gatekeeper_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_gatekeeper_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive gatekeeper_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_gatekeeper_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_gatekeeper_server_packets'($*)) dnl
dnl composition only: silences denial records for both directions by delegating to
dnl the two dontaudit interfaces above; no access is granted by this interface
corenet_dontaudit_send_gatekeeper_server_packets($1)
corenet_dontaudit_receive_gatekeeper_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_gatekeeper_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the gatekeeper_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_gatekeeper_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_gatekeeper_server_packets'($*)) dnl
gen_require(`
type gatekeeper_server_packet_t;
')
dnl grants the calling domain (argument 1) relabelto toward gatekeeper_server_packet_t on class packet;
dnl this is a labeling privilege, not send or receive access, and should be handed out sparingly
allow $1 gatekeeper_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_gatekeeper_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the giftd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_giftd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_giftd_port'($*)) dnl
gen_require(`
type giftd_port_t;
')
dnl grants the calling domain (argument 1) send_msg and recv_msg on TCP sockets for
dnl giftd_port_t; binding and connecting are separate permissions with their own interfaces
allow $1 giftd_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_giftd_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the giftd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_giftd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_giftd_port'($*)) dnl
gen_require(`
type giftd_port_t;
')
dnl grants the calling domain (argument 1) send_msg on UDP sockets for giftd_port_t;
dnl receive is a separate permission granted by corenet_udp_receive_giftd_port
allow $1 giftd_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_giftd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the giftd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_giftd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_giftd_port'($*)) dnl
gen_require(`
type giftd_port_t;
')
dnl dontaudit only suppresses the AVC denial record for this access; it grants nothing,
dnl so the calling domain (argument 1) is still denied unless an allow rule exists elsewhere
dontaudit $1 giftd_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_giftd_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the giftd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_giftd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_giftd_port'($*)) dnl
gen_require(`
type giftd_port_t;
')
dnl grants the calling domain (argument 1) recv_msg on UDP sockets for giftd_port_t;
dnl send is a separate permission granted by corenet_udp_send_giftd_port
allow $1 giftd_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_giftd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the giftd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_giftd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_giftd_port'($*)) dnl
gen_require(`
type giftd_port_t;
')
dnl dontaudit only suppresses the AVC denial record for this access; it grants nothing,
dnl so the calling domain (argument 1) is still denied unless an allow rule exists elsewhere
dontaudit $1 giftd_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_giftd_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the giftd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_giftd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_giftd_port'($*)) dnl
dnl composition only: delegates to the UDP send and receive interfaces, each of which
dnl carries its own gen_require for giftd_port_t, so none is needed here
corenet_udp_send_giftd_port($1)
corenet_udp_receive_giftd_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_giftd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the giftd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_giftd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_giftd_port'($*)) dnl
dnl composition only: silences denial records for both UDP directions by delegating to
dnl the two dontaudit interfaces above; no access is granted by this interface
corenet_dontaudit_udp_send_giftd_port($1)
corenet_dontaudit_udp_receive_giftd_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_giftd_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the giftd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_giftd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_giftd_port'($*)) dnl
gen_require(`
type giftd_port_t;
')
dnl grants the calling domain (argument 1) name_bind on giftd_port_t for TCP, i.e. the
dnl ability to bind a TCP socket to that port; message traffic still needs the sendrecv interface
allow $1 giftd_port_t:tcp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_giftd_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the giftd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_giftd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_giftd_port'($*)) dnl
gen_require(`
type giftd_port_t;
')
dnl grants the calling domain (argument 1) name_bind on giftd_port_t for UDP, i.e. the
dnl ability to bind a UDP socket to that port; datagram traffic still needs the send/receive interfaces
allow $1 giftd_port_t:udp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_giftd_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the giftd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_giftd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_giftd_port'($*)) dnl
gen_require(`
type giftd_port_t;
')
dnl grants the calling domain (argument 1) name_connect on giftd_port_t, i.e. the ability
dnl to open an outbound TCP connection to that port; there is no UDP counterpart to name_connect
allow $1 giftd_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_giftd_port'($*)) dnl
')
########################################
##
## Send giftd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_giftd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_giftd_client_packets'($*)) dnl
gen_require(`
type giftd_client_packet_t;
')
dnl grants the calling domain (argument 1) send on packets labeled giftd_client_packet_t;
dnl the gen_require block above declares the type as a dependency of the calling module
allow $1 giftd_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_giftd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send giftd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_giftd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_giftd_client_packets'($*)) dnl
gen_require(`
type giftd_client_packet_t;
')
dnl dontaudit only suppresses the AVC denial record for this access; it grants nothing,
dnl so the calling domain (argument 1) is still denied unless an allow rule exists elsewhere
dontaudit $1 giftd_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_giftd_client_packets'($*)) dnl
')
########################################
##
## Receive giftd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_giftd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_giftd_client_packets'($*)) dnl
gen_require(`
type giftd_client_packet_t;
')
dnl grants the calling domain (argument 1) recv on packets labeled giftd_client_packet_t;
dnl the gen_require block above declares the type as a dependency of the calling module
allow $1 giftd_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_giftd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive giftd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_giftd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_giftd_client_packets'($*)) dnl
gen_require(`
type giftd_client_packet_t;
')
dnl dontaudit only suppresses the AVC denial record for this access; it grants nothing,
dnl so the calling domain (argument 1) is still denied unless an allow rule exists elsewhere
dontaudit $1 giftd_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_giftd_client_packets'($*)) dnl
')
########################################
##
## Send and receive giftd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_giftd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_giftd_client_packets'($*)) dnl
dnl composition only: delegates to the send and receive interfaces, each of which
dnl carries its own gen_require for giftd_client_packet_t, so none is needed here
corenet_send_giftd_client_packets($1)
corenet_receive_giftd_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_giftd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive giftd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_giftd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_giftd_client_packets'($*)) dnl
dnl composition only: silences denial records for both directions by delegating to
dnl the two dontaudit interfaces above; no access is granted by this interface
corenet_dontaudit_send_giftd_client_packets($1)
corenet_dontaudit_receive_giftd_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_giftd_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the giftd_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_giftd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_giftd_client_packets'($*)) dnl
gen_require(`
type giftd_client_packet_t;
')
dnl grants the calling domain (argument 1) relabelto toward giftd_client_packet_t on class packet;
dnl this is a labeling privilege, not send or receive access, and should be handed out sparingly
allow $1 giftd_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_giftd_client_packets'($*)) dnl
')
########################################
##
## Send giftd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_giftd_server_packets',` dnl
# policy_call_depth bookkeeping for the begin/end markers: pushdef on entry and again on exit (never popped)
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_giftd_server_packets'($*)) dnl
# corenet_send_giftd_server_packets(domain): allow the domain to send packets
# labeled giftd_server_packet_t. NOTE(review): the packet class only takes effect
# when packets actually carry labels (packet labeling config is outside this file).
# optional require block so the type resolves when built as a loadable module
gen_require(`
type giftd_server_packet_t;
')
allow $1 giftd_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_giftd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send giftd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_giftd_server_packets',` dnl
# policy_call_depth bookkeeping for the begin/end markers: pushdef on entry and again on exit (never popped)
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_giftd_server_packets'($*)) dnl
# corenet_dontaudit_send_giftd_server_packets(domain): suppress audit records when
# the domain is denied sending giftd_server_packet_t packets; grants no access.
# optional require block so the type resolves when built as a loadable module
gen_require(`
type giftd_server_packet_t;
')
dontaudit $1 giftd_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_giftd_server_packets'($*)) dnl
')
########################################
##
## Receive giftd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_giftd_server_packets',` dnl
# policy_call_depth bookkeeping for the begin/end markers: pushdef on entry and again on exit (never popped)
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_giftd_server_packets'($*)) dnl
# corenet_receive_giftd_server_packets(domain): allow the domain to receive
# packets labeled giftd_server_packet_t.
# optional require block so the type resolves when built as a loadable module
gen_require(`
type giftd_server_packet_t;
')
allow $1 giftd_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_giftd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive giftd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_giftd_server_packets',` dnl
# policy_call_depth bookkeeping for the begin/end markers: pushdef on entry and again on exit (never popped)
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_giftd_server_packets'($*)) dnl
# corenet_dontaudit_receive_giftd_server_packets(domain): suppress audit records
# when the domain is denied receiving giftd_server_packet_t packets; grants no access.
# optional require block so the type resolves when built as a loadable module
gen_require(`
type giftd_server_packet_t;
')
dontaudit $1 giftd_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_giftd_server_packets'($*)) dnl
')
########################################
##
## Send and receive giftd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_giftd_server_packets',` dnl
# policy_call_depth bookkeeping for the begin/end markers: pushdef on entry and again on exit (never popped)
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_giftd_server_packets'($*)) dnl
# corenet_sendrecv_giftd_server_packets(domain): convenience wrapper that expands
# the send and the receive interface for giftd_server_packet_t on the same domain.
corenet_send_giftd_server_packets($1)
corenet_receive_giftd_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_giftd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive giftd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_giftd_server_packets',` dnl
# policy_call_depth bookkeeping for the begin/end markers: pushdef on entry and again on exit (never popped)
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_giftd_server_packets'($*)) dnl
# corenet_dontaudit_sendrecv_giftd_server_packets(domain): wrapper that silences
# audit records for both directions of giftd_server_packet_t traffic; grants no access.
corenet_dontaudit_send_giftd_server_packets($1)
corenet_dontaudit_receive_giftd_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_giftd_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the giftd_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_giftd_server_packets',` dnl
# policy_call_depth bookkeeping for the begin/end markers: pushdef on entry and again on exit (never popped)
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_giftd_server_packets'($*)) dnl
# corenet_relabelto_giftd_server_packets(domain): allow the domain to relabel
# packets to giftd_server_packet_t (normally only the packet-labeling domain needs this).
# optional require block so the type resolves when built as a loadable module
gen_require(`
type giftd_server_packet_t;
')
allow $1 giftd_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_giftd_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the gopher port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_gopher_port',` dnl
# policy_call_depth bookkeeping for the begin/end markers: pushdef on entry and again on exit (never popped)
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_gopher_port'($*)) dnl
# corenet_tcp_sendrecv_gopher_port(domain): allow the domain to send and receive
# TCP traffic (send_msg recv_msg) on gopher_port_t; does not grant bind or connect.
# optional require block so the type resolves when built as a loadable module
gen_require(`
type gopher_port_t;
')
allow $1 gopher_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_gopher_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the gopher port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_gopher_port',` dnl
# policy_call_depth bookkeeping for the begin/end markers: pushdef on entry and again on exit (never popped)
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_gopher_port'($*)) dnl
# corenet_udp_send_gopher_port(domain): allow the domain to send UDP datagrams
# (send_msg) on gopher_port_t.
# optional require block so the type resolves when built as a loadable module
gen_require(`
type gopher_port_t;
')
allow $1 gopher_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_gopher_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the gopher port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_gopher_port',` dnl
# policy_call_depth bookkeeping for the begin/end markers: pushdef on entry and again on exit (never popped)
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_gopher_port'($*)) dnl
# corenet_dontaudit_udp_send_gopher_port(domain): suppress audit records when the
# domain is denied sending UDP on gopher_port_t; grants no access.
# optional require block so the type resolves when built as a loadable module
gen_require(`
type gopher_port_t;
')
dontaudit $1 gopher_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_gopher_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the gopher port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_gopher_port',` dnl
# policy_call_depth bookkeeping for the begin/end markers: pushdef on entry and again on exit (never popped)
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_gopher_port'($*)) dnl
# corenet_udp_receive_gopher_port(domain): allow the domain to receive UDP
# datagrams (recv_msg) on gopher_port_t.
# optional require block so the type resolves when built as a loadable module
gen_require(`
type gopher_port_t;
')
allow $1 gopher_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_gopher_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the gopher port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_gopher_port',` dnl
# policy_call_depth bookkeeping for the begin/end markers: pushdef on entry and again on exit (never popped)
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_gopher_port'($*)) dnl
# corenet_dontaudit_udp_receive_gopher_port(domain): suppress audit records when
# the domain is denied receiving UDP on gopher_port_t; grants no access.
# optional require block so the type resolves when built as a loadable module
gen_require(`
type gopher_port_t;
')
dontaudit $1 gopher_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_gopher_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the gopher port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_gopher_port',` dnl
# policy_call_depth bookkeeping for the begin/end markers: pushdef on entry and again on exit (never popped)
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_gopher_port'($*)) dnl
# corenet_udp_sendrecv_gopher_port(domain): convenience wrapper that expands the
# UDP send and receive interfaces for gopher_port_t on the same domain.
corenet_udp_send_gopher_port($1)
corenet_udp_receive_gopher_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_gopher_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the gopher port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_gopher_port',` dnl
# policy_call_depth bookkeeping for the begin/end markers: pushdef on entry and again on exit (never popped)
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_gopher_port'($*)) dnl
# corenet_dontaudit_udp_sendrecv_gopher_port(domain): wrapper that silences audit
# records for UDP send and receive on gopher_port_t; grants no access.
corenet_dontaudit_udp_send_gopher_port($1)
corenet_dontaudit_udp_receive_gopher_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_gopher_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the gopher port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_gopher_port',` dnl
# policy_call_depth bookkeeping for the begin/end markers: pushdef on entry and again on exit (never popped)
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_gopher_port'($*)) dnl
# corenet_tcp_bind_gopher_port(domain): allow the domain to bind TCP sockets to
# gopher_port_t. Unlike the http_cache bind interfaces in this file, this one also
# grants the net_bind_service capability on self, presumably because the gopher
# port is in the privileged range. NOTE(review): that capability is not scoped to
# this port, so callers get the ability to bind any privileged port the policy
# otherwise allows them to name_bind.
# optional require block so the type resolves when built as a loadable module
gen_require(`
type gopher_port_t;
')
allow $1 gopher_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_gopher_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the gopher port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_gopher_port',` dnl
# policy_call_depth bookkeeping for the begin/end markers: pushdef on entry and again on exit (never popped)
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_gopher_port'($*)) dnl
# corenet_udp_bind_gopher_port(domain): allow the domain to bind UDP sockets to
# gopher_port_t. As with the TCP variant, net_bind_service is granted on self as
# well (presumably a privileged-range port); the capability is not port-specific.
# optional require block so the type resolves when built as a loadable module
gen_require(`
type gopher_port_t;
')
allow $1 gopher_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_gopher_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the gopher port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_gopher_port',` dnl
# policy_call_depth bookkeeping for the begin/end markers: pushdef on entry and again on exit (never popped)
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_gopher_port'($*)) dnl
# corenet_tcp_connect_gopher_port(domain): allow the domain to make outbound TCP
# connections (name_connect) to gopher_port_t; send/receive is a separate interface.
# optional require block so the type resolves when built as a loadable module
gen_require(`
type gopher_port_t;
')
allow $1 gopher_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_gopher_port'($*)) dnl
')
########################################
##
## Send gopher_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_gopher_client_packets',` dnl
# policy_call_depth bookkeeping for the begin/end markers: pushdef on entry and again on exit (never popped)
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_gopher_client_packets'($*)) dnl
# corenet_send_gopher_client_packets(domain): allow the domain to send packets
# labeled gopher_client_packet_t.
# optional require block so the type resolves when built as a loadable module
gen_require(`
type gopher_client_packet_t;
')
allow $1 gopher_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_gopher_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send gopher_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_gopher_client_packets',` dnl
# policy_call_depth bookkeeping for the begin/end markers: pushdef on entry and again on exit (never popped)
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_gopher_client_packets'($*)) dnl
# corenet_dontaudit_send_gopher_client_packets(domain): suppress audit records when
# the domain is denied sending gopher_client_packet_t packets; grants no access.
# optional require block so the type resolves when built as a loadable module
gen_require(`
type gopher_client_packet_t;
')
dontaudit $1 gopher_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_gopher_client_packets'($*)) dnl
')
########################################
##
## Receive gopher_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_gopher_client_packets',` dnl
# policy_call_depth bookkeeping for the begin/end markers: pushdef on entry and again on exit (never popped)
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_gopher_client_packets'($*)) dnl
# corenet_receive_gopher_client_packets(domain): allow the domain to receive
# packets labeled gopher_client_packet_t.
# optional require block so the type resolves when built as a loadable module
gen_require(`
type gopher_client_packet_t;
')
allow $1 gopher_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_gopher_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive gopher_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_gopher_client_packets',` dnl
# policy_call_depth bookkeeping for the begin/end markers: pushdef on entry and again on exit (never popped)
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_gopher_client_packets'($*)) dnl
# corenet_dontaudit_receive_gopher_client_packets(domain): suppress audit records
# when the domain is denied receiving gopher_client_packet_t packets; grants no access.
# optional require block so the type resolves when built as a loadable module
gen_require(`
type gopher_client_packet_t;
')
dontaudit $1 gopher_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_gopher_client_packets'($*)) dnl
')
########################################
##
## Send and receive gopher_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_gopher_client_packets',` dnl
# policy_call_depth bookkeeping for the begin/end markers: pushdef on entry and again on exit (never popped)
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_gopher_client_packets'($*)) dnl
# corenet_sendrecv_gopher_client_packets(domain): convenience wrapper that expands
# the send and the receive interface for gopher_client_packet_t on the same domain.
corenet_send_gopher_client_packets($1)
corenet_receive_gopher_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_gopher_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive gopher_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_gopher_client_packets',` dnl
# policy_call_depth bookkeeping for the begin/end markers: pushdef on entry and again on exit (never popped)
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_gopher_client_packets'($*)) dnl
# corenet_dontaudit_sendrecv_gopher_client_packets(domain): wrapper that silences
# audit records for both directions of gopher_client_packet_t traffic; grants no access.
corenet_dontaudit_send_gopher_client_packets($1)
corenet_dontaudit_receive_gopher_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_gopher_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the gopher_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_gopher_client_packets',` dnl
# policy_call_depth bookkeeping for the begin/end markers: pushdef on entry and again on exit (never popped)
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_gopher_client_packets'($*)) dnl
# corenet_relabelto_gopher_client_packets(domain): allow the domain to relabel
# packets to gopher_client_packet_t (normally only the packet-labeling domain needs this).
# optional require block so the type resolves when built as a loadable module
gen_require(`
type gopher_client_packet_t;
')
allow $1 gopher_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_gopher_client_packets'($*)) dnl
')
########################################
##
## Send gopher_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_gopher_server_packets',` dnl
# policy_call_depth bookkeeping for the begin/end markers: pushdef on entry and again on exit (never popped)
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_gopher_server_packets'($*)) dnl
# corenet_send_gopher_server_packets(domain): allow the domain to send packets
# labeled gopher_server_packet_t.
# optional require block so the type resolves when built as a loadable module
gen_require(`
type gopher_server_packet_t;
')
allow $1 gopher_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_gopher_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send gopher_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_gopher_server_packets',` dnl
# policy_call_depth bookkeeping for the begin/end markers: pushdef on entry and again on exit (never popped)
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_gopher_server_packets'($*)) dnl
# corenet_dontaudit_send_gopher_server_packets(domain): suppress audit records when
# the domain is denied sending gopher_server_packet_t packets; grants no access.
# optional require block so the type resolves when built as a loadable module
gen_require(`
type gopher_server_packet_t;
')
dontaudit $1 gopher_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_gopher_server_packets'($*)) dnl
')
########################################
##
## Receive gopher_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_gopher_server_packets',` dnl
# policy_call_depth bookkeeping for the begin/end markers: pushdef on entry and again on exit (never popped)
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_gopher_server_packets'($*)) dnl
# corenet_receive_gopher_server_packets(domain): allow the domain to receive
# packets labeled gopher_server_packet_t.
# optional require block so the type resolves when built as a loadable module
gen_require(`
type gopher_server_packet_t;
')
allow $1 gopher_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_gopher_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive gopher_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_gopher_server_packets',` dnl
# policy_call_depth bookkeeping for the begin/end markers: pushdef on entry and again on exit (never popped)
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_gopher_server_packets'($*)) dnl
# corenet_dontaudit_receive_gopher_server_packets(domain): suppress audit records
# when the domain is denied receiving gopher_server_packet_t packets; grants no access.
# optional require block so the type resolves when built as a loadable module
gen_require(`
type gopher_server_packet_t;
')
dontaudit $1 gopher_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_gopher_server_packets'($*)) dnl
')
########################################
##
## Send and receive gopher_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_gopher_server_packets',` dnl
# policy_call_depth bookkeeping for the begin/end markers: pushdef on entry and again on exit (never popped)
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_gopher_server_packets'($*)) dnl
# corenet_sendrecv_gopher_server_packets(domain): convenience wrapper that expands
# the send and the receive interface for gopher_server_packet_t on the same domain.
corenet_send_gopher_server_packets($1)
corenet_receive_gopher_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_gopher_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive gopher_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_gopher_server_packets',` dnl
# policy_call_depth bookkeeping for the begin/end markers: pushdef on entry and again on exit (never popped)
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_gopher_server_packets'($*)) dnl
# corenet_dontaudit_sendrecv_gopher_server_packets(domain): wrapper that silences
# audit records for both directions of gopher_server_packet_t traffic; grants no access.
corenet_dontaudit_send_gopher_server_packets($1)
corenet_dontaudit_receive_gopher_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_gopher_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the gopher_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_gopher_server_packets',` dnl
# policy_call_depth bookkeeping for the begin/end markers: pushdef on entry and again on exit (never popped)
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_gopher_server_packets'($*)) dnl
# corenet_relabelto_gopher_server_packets(domain): allow the domain to relabel
# packets to gopher_server_packet_t (normally only the packet-labeling domain needs this).
# optional require block so the type resolves when built as a loadable module
gen_require(`
type gopher_server_packet_t;
')
allow $1 gopher_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_gopher_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the http_cache port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_http_cache_port',` dnl
# policy_call_depth bookkeeping for the begin/end markers: pushdef on entry and again on exit (never popped)
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_http_cache_port'($*)) dnl
# corenet_tcp_sendrecv_http_cache_port(domain): allow the domain to send and
# receive TCP traffic (send_msg recv_msg) on http_cache_port_t; no bind or connect.
# optional require block so the type resolves when built as a loadable module
gen_require(`
type http_cache_port_t;
')
allow $1 http_cache_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_http_cache_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the http_cache port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_http_cache_port',` dnl
# policy_call_depth bookkeeping for the begin/end markers: pushdef on entry and again on exit (never popped)
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_http_cache_port'($*)) dnl
# corenet_udp_send_http_cache_port(domain): allow the domain to send UDP
# datagrams (send_msg) on http_cache_port_t.
# optional require block so the type resolves when built as a loadable module
gen_require(`
type http_cache_port_t;
')
allow $1 http_cache_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_http_cache_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the http_cache port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_http_cache_port',` dnl
# policy_call_depth bookkeeping for the begin/end markers: pushdef on entry and again on exit (never popped)
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_http_cache_port'($*)) dnl
# corenet_dontaudit_udp_send_http_cache_port(domain): suppress audit records when
# the domain is denied sending UDP on http_cache_port_t; grants no access.
# optional require block so the type resolves when built as a loadable module
gen_require(`
type http_cache_port_t;
')
dontaudit $1 http_cache_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_http_cache_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the http_cache port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_http_cache_port',` dnl
# policy_call_depth bookkeeping for the begin/end markers: pushdef on entry and again on exit (never popped)
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_http_cache_port'($*)) dnl
# corenet_udp_receive_http_cache_port(domain): allow the domain to receive UDP
# datagrams (recv_msg) on http_cache_port_t.
# optional require block so the type resolves when built as a loadable module
gen_require(`
type http_cache_port_t;
')
allow $1 http_cache_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_http_cache_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the http_cache port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_http_cache_port',` dnl
# policy_call_depth bookkeeping for the begin/end markers: pushdef on entry and again on exit (never popped)
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_http_cache_port'($*)) dnl
# corenet_dontaudit_udp_receive_http_cache_port(domain): suppress audit records
# when the domain is denied receiving UDP on http_cache_port_t; grants no access.
# optional require block so the type resolves when built as a loadable module
gen_require(`
type http_cache_port_t;
')
dontaudit $1 http_cache_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_http_cache_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the http_cache port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_http_cache_port',` dnl
# policy_call_depth bookkeeping for the begin/end markers: pushdef on entry and again on exit (never popped)
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_http_cache_port'($*)) dnl
# corenet_udp_sendrecv_http_cache_port(domain): convenience wrapper that expands
# the UDP send and receive interfaces for http_cache_port_t on the same domain.
corenet_udp_send_http_cache_port($1)
corenet_udp_receive_http_cache_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_http_cache_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the http_cache port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_http_cache_port',` dnl
# policy_call_depth bookkeeping for the begin/end markers: pushdef on entry and again on exit (never popped)
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_http_cache_port'($*)) dnl
# corenet_dontaudit_udp_sendrecv_http_cache_port(domain): wrapper that silences
# audit records for UDP send and receive on http_cache_port_t; grants no access.
corenet_dontaudit_udp_send_http_cache_port($1)
corenet_dontaudit_udp_receive_http_cache_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_http_cache_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the http_cache port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_http_cache_port',` dnl
# policy_call_depth bookkeeping for the begin/end markers: pushdef on entry and again on exit (never popped)
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_http_cache_port'($*)) dnl
# corenet_tcp_bind_http_cache_port(domain): allow the domain to bind TCP sockets
# to http_cache_port_t. name_bind only: unlike the gopher bind interfaces in this
# file, no net_bind_service capability is granted (presumably an unprivileged port).
# optional require block so the type resolves when built as a loadable module
gen_require(`
type http_cache_port_t;
')
allow $1 http_cache_port_t:tcp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_http_cache_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the http_cache port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_http_cache_port',` dnl
# policy_call_depth bookkeeping for the begin/end markers: pushdef on entry and again on exit (never popped)
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_http_cache_port'($*)) dnl
# corenet_udp_bind_http_cache_port(domain): allow the domain to bind UDP sockets
# to http_cache_port_t. name_bind only; no net_bind_service capability here.
# optional require block so the type resolves when built as a loadable module
gen_require(`
type http_cache_port_t;
')
allow $1 http_cache_port_t:udp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_http_cache_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the http_cache port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_http_cache_port',` dnl
# policy_call_depth bookkeeping for the begin/end markers: pushdef on entry and again on exit (never popped)
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_http_cache_port'($*)) dnl
# corenet_tcp_connect_http_cache_port(domain): allow the domain to make outbound
# TCP connections (name_connect) to http_cache_port_t; send/receive is separate.
# optional require block so the type resolves when built as a loadable module
gen_require(`
type http_cache_port_t;
')
allow $1 http_cache_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_http_cache_port'($*)) dnl
')
########################################
##
## Send http_cache_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_http_cache_client_packets',` dnl
# policy_call_depth bookkeeping for the begin/end markers: pushdef on entry and again on exit (never popped)
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_http_cache_client_packets'($*)) dnl
# corenet_send_http_cache_client_packets(domain): allow the domain to send packets
# labeled http_cache_client_packet_t.
# optional require block so the type resolves when built as a loadable module
gen_require(`
type http_cache_client_packet_t;
')
allow $1 http_cache_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_http_cache_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send http_cache_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_http_cache_client_packets',` dnl
# policy_call_depth bookkeeping for the begin/end markers: pushdef on entry and again on exit (never popped)
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_http_cache_client_packets'($*)) dnl
# corenet_dontaudit_send_http_cache_client_packets(domain): suppress audit records
# when the domain is denied sending http_cache_client_packet_t packets; grants no access.
# optional require block so the type resolves when built as a loadable module
gen_require(`
type http_cache_client_packet_t;
')
dontaudit $1 http_cache_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_http_cache_client_packets'($*)) dnl
')
########################################
##
## Receive http_cache_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_http_cache_client_packets',` dnl
# policy_call_depth bookkeeping for the begin/end markers: pushdef on entry and again on exit (never popped)
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_http_cache_client_packets'($*)) dnl
# corenet_receive_http_cache_client_packets(domain): allow the domain to receive
# packets labeled http_cache_client_packet_t.
# optional require block so the type resolves when built as a loadable module
gen_require(`
type http_cache_client_packet_t;
')
allow $1 http_cache_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_http_cache_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive http_cache_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_http_cache_client_packets',` dnl
dnl Suppress audit records for denied attempts by the caller domain (argument 1) to receive http_cache_client_packet_t packets; grants no access.
dnl Depth bookkeeping: policy_call_depth is pushed with incr on entry and with decr on exit (pushed, not popped); policy_m4_comment uses it to emit begin/end trace markers.
dnl gen_require declares the type this interface needs (becomes a require block when built as a loadable module).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_http_cache_client_packets'($*)) dnl
gen_require(`
type http_cache_client_packet_t;
')
dontaudit $1 http_cache_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_http_cache_client_packets'($*)) dnl
')
########################################
##
## Send and receive http_cache_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_http_cache_client_packets',` dnl
dnl Convenience wrapper: expands both the send and the receive interface for http_cache_client packets on behalf of argument 1.
dnl No gen_require of its own; the two callees declare the packet type they need.
dnl Depth bookkeeping: policy_call_depth is pushed with incr on entry and with decr on exit (pushed, not popped); policy_m4_comment uses it to emit begin/end trace markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_http_cache_client_packets'($*)) dnl
corenet_send_http_cache_client_packets($1)
corenet_receive_http_cache_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_http_cache_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive http_cache_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_http_cache_client_packets',` dnl
dnl Convenience wrapper: expands both dontaudit interfaces (send and receive) for http_cache_client packets on behalf of argument 1; grants no access.
dnl No gen_require of its own; the two callees declare the packet type they need.
dnl Depth bookkeeping: policy_call_depth is pushed with incr on entry and with decr on exit (pushed, not popped); policy_m4_comment uses it to emit begin/end trace markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_http_cache_client_packets'($*)) dnl
corenet_dontaudit_send_http_cache_client_packets($1)
corenet_dontaudit_receive_http_cache_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_http_cache_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the http_cache_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_http_cache_client_packets',` dnl
dnl Allow the caller domain (argument 1) to relabel packets to http_cache_client_packet_t (packet class, relabelto permission).
dnl Depth bookkeeping: policy_call_depth is pushed with incr on entry and with decr on exit (pushed, not popped); policy_m4_comment uses it to emit begin/end trace markers.
dnl gen_require declares the type this interface needs (becomes a require block when built as a loadable module).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_http_cache_client_packets'($*)) dnl
gen_require(`
type http_cache_client_packet_t;
')
allow $1 http_cache_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_http_cache_client_packets'($*)) dnl
')
########################################
##
## Send http_cache_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_http_cache_server_packets',` dnl
dnl Allow the caller domain (argument 1) to send packets labeled http_cache_server_packet_t.
dnl Depth bookkeeping: policy_call_depth is pushed with incr on entry and with decr on exit (pushed, not popped); policy_m4_comment uses it to emit begin/end trace markers.
dnl gen_require declares the type this interface needs (becomes a require block when built as a loadable module).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_http_cache_server_packets'($*)) dnl
gen_require(`
type http_cache_server_packet_t;
')
allow $1 http_cache_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_http_cache_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send http_cache_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_http_cache_server_packets',` dnl
dnl Suppress audit records for denied attempts by the caller domain (argument 1) to send http_cache_server_packet_t packets; grants no access.
dnl Depth bookkeeping: policy_call_depth is pushed with incr on entry and with decr on exit (pushed, not popped); policy_m4_comment uses it to emit begin/end trace markers.
dnl gen_require declares the type this interface needs (becomes a require block when built as a loadable module).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_http_cache_server_packets'($*)) dnl
gen_require(`
type http_cache_server_packet_t;
')
dontaudit $1 http_cache_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_http_cache_server_packets'($*)) dnl
')
########################################
##
## Receive http_cache_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_http_cache_server_packets',` dnl
dnl Allow the caller domain (argument 1) to receive packets labeled http_cache_server_packet_t.
dnl Depth bookkeeping: policy_call_depth is pushed with incr on entry and with decr on exit (pushed, not popped); policy_m4_comment uses it to emit begin/end trace markers.
dnl gen_require declares the type this interface needs (becomes a require block when built as a loadable module).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_http_cache_server_packets'($*)) dnl
gen_require(`
type http_cache_server_packet_t;
')
allow $1 http_cache_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_http_cache_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive http_cache_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_http_cache_server_packets',` dnl
dnl Suppress audit records for denied attempts by the caller domain (argument 1) to receive http_cache_server_packet_t packets; grants no access.
dnl Depth bookkeeping: policy_call_depth is pushed with incr on entry and with decr on exit (pushed, not popped); policy_m4_comment uses it to emit begin/end trace markers.
dnl gen_require declares the type this interface needs (becomes a require block when built as a loadable module).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_http_cache_server_packets'($*)) dnl
gen_require(`
type http_cache_server_packet_t;
')
dontaudit $1 http_cache_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_http_cache_server_packets'($*)) dnl
')
########################################
##
## Send and receive http_cache_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_http_cache_server_packets',` dnl
dnl Convenience wrapper: expands both the send and the receive interface for http_cache_server packets on behalf of argument 1.
dnl No gen_require of its own; the two callees declare the packet type they need.
dnl Depth bookkeeping: policy_call_depth is pushed with incr on entry and with decr on exit (pushed, not popped); policy_m4_comment uses it to emit begin/end trace markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_http_cache_server_packets'($*)) dnl
corenet_send_http_cache_server_packets($1)
corenet_receive_http_cache_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_http_cache_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive http_cache_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_http_cache_server_packets',` dnl
dnl Convenience wrapper: expands both dontaudit interfaces (send and receive) for http_cache_server packets on behalf of argument 1; grants no access.
dnl No gen_require of its own; the two callees declare the packet type they need.
dnl Depth bookkeeping: policy_call_depth is pushed with incr on entry and with decr on exit (pushed, not popped); policy_m4_comment uses it to emit begin/end trace markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_http_cache_server_packets'($*)) dnl
corenet_dontaudit_send_http_cache_server_packets($1)
corenet_dontaudit_receive_http_cache_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_http_cache_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the http_cache_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_http_cache_server_packets',` dnl
dnl Allow the caller domain (argument 1) to relabel packets to http_cache_server_packet_t (packet class, relabelto permission).
dnl Depth bookkeeping: policy_call_depth is pushed with incr on entry and with decr on exit (pushed, not popped); policy_m4_comment uses it to emit begin/end trace markers.
dnl gen_require declares the type this interface needs (becomes a require block when built as a loadable module).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_http_cache_server_packets'($*)) dnl
gen_require(`
type http_cache_server_packet_t;
')
allow $1 http_cache_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_http_cache_server_packets'($*)) dnl
')
# 8118 is for privoxy
########################################
##
## Send and receive TCP traffic on the http port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_http_port',` dnl
dnl Allow the caller domain (argument 1) send_msg and recv_msg on tcp_socket objects labeled http_port_t, i.e. TCP traffic on the http port.
dnl Depth bookkeeping: policy_call_depth is pushed with incr on entry and with decr on exit (pushed, not popped); policy_m4_comment uses it to emit begin/end trace markers.
dnl gen_require declares the port type this interface needs (becomes a require block when built as a loadable module).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_http_port'($*)) dnl
gen_require(`
type http_port_t;
')
allow $1 http_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_http_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the http port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_http_port',` dnl
dnl Allow the caller domain (argument 1) send_msg on udp_socket objects labeled http_port_t.
dnl Depth bookkeeping: policy_call_depth is pushed with incr on entry and with decr on exit (pushed, not popped); policy_m4_comment uses it to emit begin/end trace markers.
dnl gen_require declares the port type this interface needs (becomes a require block when built as a loadable module).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_http_port'($*)) dnl
gen_require(`
type http_port_t;
')
allow $1 http_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_http_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the http port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_http_port',` dnl
dnl Suppress audit records for denied udp_socket send_msg attempts by the caller domain (argument 1) on http_port_t; grants no access.
dnl Depth bookkeeping: policy_call_depth is pushed with incr on entry and with decr on exit (pushed, not popped); policy_m4_comment uses it to emit begin/end trace markers.
dnl gen_require declares the port type this interface needs (becomes a require block when built as a loadable module).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_http_port'($*)) dnl
gen_require(`
type http_port_t;
')
dontaudit $1 http_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_http_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the http port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_http_port',` dnl
dnl Allow the caller domain (argument 1) recv_msg on udp_socket objects labeled http_port_t.
dnl Depth bookkeeping: policy_call_depth is pushed with incr on entry and with decr on exit (pushed, not popped); policy_m4_comment uses it to emit begin/end trace markers.
dnl gen_require declares the port type this interface needs (becomes a require block when built as a loadable module).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_http_port'($*)) dnl
gen_require(`
type http_port_t;
')
allow $1 http_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_http_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the http port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_http_port',` dnl
dnl Suppress audit records for denied udp_socket recv_msg attempts by the caller domain (argument 1) on http_port_t; grants no access.
dnl Depth bookkeeping: policy_call_depth is pushed with incr on entry and with decr on exit (pushed, not popped); policy_m4_comment uses it to emit begin/end trace markers.
dnl gen_require declares the port type this interface needs (becomes a require block when built as a loadable module).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_http_port'($*)) dnl
gen_require(`
type http_port_t;
')
dontaudit $1 http_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_http_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the http port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_http_port',` dnl
dnl Convenience wrapper: expands the UDP send and receive interfaces for the http port on behalf of argument 1.
dnl No gen_require of its own; the two callees declare the port type they need.
dnl Depth bookkeeping: policy_call_depth is pushed with incr on entry and with decr on exit (pushed, not popped); policy_m4_comment uses it to emit begin/end trace markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_http_port'($*)) dnl
corenet_udp_send_http_port($1)
corenet_udp_receive_http_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_http_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the http port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_http_port',` dnl
dnl Convenience wrapper: expands both UDP dontaudit interfaces (send and receive) for the http port on behalf of argument 1; grants no access.
dnl No gen_require of its own; the two callees declare the port type they need.
dnl Depth bookkeeping: policy_call_depth is pushed with incr on entry and with decr on exit (pushed, not popped); policy_m4_comment uses it to emit begin/end trace markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_http_port'($*)) dnl
corenet_dontaudit_udp_send_http_port($1)
corenet_dontaudit_udp_receive_http_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_http_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the http port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_http_port',` dnl
dnl Allow the caller domain (argument 1) to name_bind TCP sockets to http_port_t.
dnl Also grants self:capability net_bind_service, which the howl port bind interfaces in this file do not; presumably because http_port_t covers a reserved port below 1024 (confirm against the port declaration). Callers get a capability, not just a port permission, so audit its use.
dnl Depth bookkeeping: policy_call_depth is pushed with incr on entry and with decr on exit (pushed, not popped); policy_m4_comment uses it to emit begin/end trace markers.
dnl gen_require declares the port type this interface needs (becomes a require block when built as a loadable module).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_http_port'($*)) dnl
gen_require(`
type http_port_t;
')
allow $1 http_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_http_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the http port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_http_port',` dnl
dnl Allow the caller domain (argument 1) to name_bind UDP sockets to http_port_t.
dnl Also grants self:capability net_bind_service, which the howl port bind interfaces in this file do not; presumably because http_port_t covers a reserved port below 1024 (confirm against the port declaration). Callers get a capability, not just a port permission, so audit its use.
dnl Depth bookkeeping: policy_call_depth is pushed with incr on entry and with decr on exit (pushed, not popped); policy_m4_comment uses it to emit begin/end trace markers.
dnl gen_require declares the port type this interface needs (becomes a require block when built as a loadable module).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_http_port'($*)) dnl
gen_require(`
type http_port_t;
')
allow $1 http_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_http_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the http port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_http_port',` dnl
dnl Allow the caller domain (argument 1) to name_connect TCP sockets to http_port_t (outbound connections to the http port).
dnl Depth bookkeeping: policy_call_depth is pushed with incr on entry and with decr on exit (pushed, not popped); policy_m4_comment uses it to emit begin/end trace markers.
dnl gen_require declares the port type this interface needs (becomes a require block when built as a loadable module).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_http_port'($*)) dnl
gen_require(`
type http_port_t;
')
allow $1 http_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_http_port'($*)) dnl
')
########################################
##
## Send http_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_http_client_packets',` dnl
dnl Allow the caller domain (argument 1) to send packets labeled http_client_packet_t.
dnl Depth bookkeeping: policy_call_depth is pushed with incr on entry and with decr on exit (pushed, not popped); policy_m4_comment uses it to emit begin/end trace markers.
dnl gen_require declares the type this interface needs (becomes a require block when built as a loadable module).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_http_client_packets'($*)) dnl
gen_require(`
type http_client_packet_t;
')
allow $1 http_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_http_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send http_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_http_client_packets',` dnl
dnl Suppress audit records for denied attempts by the caller domain (argument 1) to send http_client_packet_t packets; grants no access.
dnl Depth bookkeeping: policy_call_depth is pushed with incr on entry and with decr on exit (pushed, not popped); policy_m4_comment uses it to emit begin/end trace markers.
dnl gen_require declares the type this interface needs (becomes a require block when built as a loadable module).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_http_client_packets'($*)) dnl
gen_require(`
type http_client_packet_t;
')
dontaudit $1 http_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_http_client_packets'($*)) dnl
')
########################################
##
## Receive http_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_http_client_packets',` dnl
dnl Allow the caller domain (argument 1) to receive packets labeled http_client_packet_t.
dnl Depth bookkeeping: policy_call_depth is pushed with incr on entry and with decr on exit (pushed, not popped); policy_m4_comment uses it to emit begin/end trace markers.
dnl gen_require declares the type this interface needs (becomes a require block when built as a loadable module).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_http_client_packets'($*)) dnl
gen_require(`
type http_client_packet_t;
')
allow $1 http_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_http_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive http_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_http_client_packets',` dnl
dnl Suppress audit records for denied attempts by the caller domain (argument 1) to receive http_client_packet_t packets; grants no access.
dnl Depth bookkeeping: policy_call_depth is pushed with incr on entry and with decr on exit (pushed, not popped); policy_m4_comment uses it to emit begin/end trace markers.
dnl gen_require declares the type this interface needs (becomes a require block when built as a loadable module).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_http_client_packets'($*)) dnl
gen_require(`
type http_client_packet_t;
')
dontaudit $1 http_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_http_client_packets'($*)) dnl
')
########################################
##
## Send and receive http_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_http_client_packets',` dnl
dnl Convenience wrapper: expands both the send and the receive interface for http_client packets on behalf of argument 1.
dnl No gen_require of its own; the two callees declare the packet type they need.
dnl Depth bookkeeping: policy_call_depth is pushed with incr on entry and with decr on exit (pushed, not popped); policy_m4_comment uses it to emit begin/end trace markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_http_client_packets'($*)) dnl
corenet_send_http_client_packets($1)
corenet_receive_http_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_http_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive http_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_http_client_packets',` dnl
dnl Convenience wrapper: expands both dontaudit interfaces (send and receive) for http_client packets on behalf of argument 1; grants no access.
dnl No gen_require of its own; the two callees declare the packet type they need.
dnl Depth bookkeeping: policy_call_depth is pushed with incr on entry and with decr on exit (pushed, not popped); policy_m4_comment uses it to emit begin/end trace markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_http_client_packets'($*)) dnl
corenet_dontaudit_send_http_client_packets($1)
corenet_dontaudit_receive_http_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_http_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the http_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_http_client_packets',` dnl
dnl Allow the caller domain (argument 1) to relabel packets to http_client_packet_t (packet class, relabelto permission).
dnl Depth bookkeeping: policy_call_depth is pushed with incr on entry and with decr on exit (pushed, not popped); policy_m4_comment uses it to emit begin/end trace markers.
dnl gen_require declares the type this interface needs (becomes a require block when built as a loadable module).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_http_client_packets'($*)) dnl
gen_require(`
type http_client_packet_t;
')
allow $1 http_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_http_client_packets'($*)) dnl
')
########################################
##
## Send http_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_http_server_packets',` dnl
dnl Allow the caller domain (argument 1) to send packets labeled http_server_packet_t.
dnl Depth bookkeeping: policy_call_depth is pushed with incr on entry and with decr on exit (pushed, not popped); policy_m4_comment uses it to emit begin/end trace markers.
dnl gen_require declares the type this interface needs (becomes a require block when built as a loadable module).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_http_server_packets'($*)) dnl
gen_require(`
type http_server_packet_t;
')
allow $1 http_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_http_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send http_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_http_server_packets',` dnl
dnl Suppress audit records for denied attempts by the caller domain (argument 1) to send http_server_packet_t packets; grants no access.
dnl Depth bookkeeping: policy_call_depth is pushed with incr on entry and with decr on exit (pushed, not popped); policy_m4_comment uses it to emit begin/end trace markers.
dnl gen_require declares the type this interface needs (becomes a require block when built as a loadable module).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_http_server_packets'($*)) dnl
gen_require(`
type http_server_packet_t;
')
dontaudit $1 http_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_http_server_packets'($*)) dnl
')
########################################
##
## Receive http_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_http_server_packets',` dnl
dnl Allow the caller domain (argument 1) to receive packets labeled http_server_packet_t.
dnl Depth bookkeeping: policy_call_depth is pushed with incr on entry and with decr on exit (pushed, not popped); policy_m4_comment uses it to emit begin/end trace markers.
dnl gen_require declares the type this interface needs (becomes a require block when built as a loadable module).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_http_server_packets'($*)) dnl
gen_require(`
type http_server_packet_t;
')
allow $1 http_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_http_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive http_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_http_server_packets',` dnl
dnl Suppress audit records for denied attempts by the caller domain (argument 1) to receive http_server_packet_t packets; grants no access.
dnl Depth bookkeeping: policy_call_depth is pushed with incr on entry and with decr on exit (pushed, not popped); policy_m4_comment uses it to emit begin/end trace markers.
dnl gen_require declares the type this interface needs (becomes a require block when built as a loadable module).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_http_server_packets'($*)) dnl
gen_require(`
type http_server_packet_t;
')
dontaudit $1 http_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_http_server_packets'($*)) dnl
')
########################################
##
## Send and receive http_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_http_server_packets',` dnl
dnl Convenience wrapper: expands both the send and the receive interface for http_server packets on behalf of argument 1.
dnl No gen_require of its own; the two callees declare the packet type they need.
dnl Depth bookkeeping: policy_call_depth is pushed with incr on entry and with decr on exit (pushed, not popped); policy_m4_comment uses it to emit begin/end trace markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_http_server_packets'($*)) dnl
corenet_send_http_server_packets($1)
corenet_receive_http_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_http_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive http_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_http_server_packets',` dnl
dnl Convenience wrapper: expands both dontaudit interfaces (send and receive) for http_server packets on behalf of argument 1; grants no access.
dnl No gen_require of its own; the two callees declare the packet type they need.
dnl Depth bookkeeping: policy_call_depth is pushed with incr on entry and with decr on exit (pushed, not popped); policy_m4_comment uses it to emit begin/end trace markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_http_server_packets'($*)) dnl
corenet_dontaudit_send_http_server_packets($1)
corenet_dontaudit_receive_http_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_http_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the http_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_http_server_packets',` dnl
dnl Allow the caller domain (argument 1) to relabel packets to http_server_packet_t (packet class, relabelto permission).
dnl Depth bookkeeping: policy_call_depth is pushed with incr on entry and with decr on exit (pushed, not popped); policy_m4_comment uses it to emit begin/end trace markers.
dnl gen_require declares the type this interface needs (becomes a require block when built as a loadable module).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_http_server_packets'($*)) dnl
gen_require(`
type http_server_packet_t;
')
allow $1 http_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_http_server_packets'($*)) dnl
')
#8443 is mod_nss default port
########################################
##
## Send and receive TCP traffic on the howl port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_howl_port',` dnl
dnl Allow the caller domain (argument 1) send_msg and recv_msg on tcp_socket objects labeled howl_port_t, i.e. TCP traffic on the howl port.
dnl Depth bookkeeping: policy_call_depth is pushed with incr on entry and with decr on exit (pushed, not popped); policy_m4_comment uses it to emit begin/end trace markers.
dnl gen_require declares the port type this interface needs (becomes a require block when built as a loadable module).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_howl_port'($*)) dnl
gen_require(`
type howl_port_t;
')
allow $1 howl_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_howl_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the howl port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_howl_port',` dnl
dnl Allow the caller domain (argument 1) send_msg on udp_socket objects labeled howl_port_t.
dnl Depth bookkeeping: policy_call_depth is pushed with incr on entry and with decr on exit (pushed, not popped); policy_m4_comment uses it to emit begin/end trace markers.
dnl gen_require declares the port type this interface needs (becomes a require block when built as a loadable module).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_howl_port'($*)) dnl
gen_require(`
type howl_port_t;
')
allow $1 howl_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_howl_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the howl port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_howl_port',` dnl
dnl Suppress audit records for denied udp_socket send_msg attempts by the caller domain (argument 1) on howl_port_t; grants no access.
dnl Depth bookkeeping: policy_call_depth is pushed with incr on entry and with decr on exit (pushed, not popped); policy_m4_comment uses it to emit begin/end trace markers.
dnl gen_require declares the port type this interface needs (becomes a require block when built as a loadable module).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_howl_port'($*)) dnl
gen_require(`
type howl_port_t;
')
dontaudit $1 howl_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_howl_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the howl port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_howl_port',` dnl
dnl Allow the caller domain (argument 1) recv_msg on udp_socket objects labeled howl_port_t.
dnl Depth bookkeeping: policy_call_depth is pushed with incr on entry and with decr on exit (pushed, not popped); policy_m4_comment uses it to emit begin/end trace markers.
dnl gen_require declares the port type this interface needs (becomes a require block when built as a loadable module).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_howl_port'($*)) dnl
gen_require(`
type howl_port_t;
')
allow $1 howl_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_howl_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the howl port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_howl_port',` dnl
dnl Suppress audit records for denied udp_socket recv_msg attempts by the caller domain (argument 1) on howl_port_t; grants no access.
dnl Depth bookkeeping: policy_call_depth is pushed with incr on entry and with decr on exit (pushed, not popped); policy_m4_comment uses it to emit begin/end trace markers.
dnl gen_require declares the port type this interface needs (becomes a require block when built as a loadable module).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_howl_port'($*)) dnl
gen_require(`
type howl_port_t;
')
dontaudit $1 howl_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_howl_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the howl port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_howl_port',` dnl
dnl Convenience wrapper: expands the UDP send and receive interfaces for the howl port on behalf of argument 1.
dnl No gen_require of its own; the two callees declare the port type they need.
dnl Depth bookkeeping: policy_call_depth is pushed with incr on entry and with decr on exit (pushed, not popped); policy_m4_comment uses it to emit begin/end trace markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_howl_port'($*)) dnl
corenet_udp_send_howl_port($1)
corenet_udp_receive_howl_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_howl_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the howl port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_howl_port',` dnl
dnl Convenience wrapper: expands both UDP dontaudit interfaces (send and receive) for the howl port on behalf of argument 1; grants no access.
dnl No gen_require of its own; the two callees declare the port type they need.
dnl Depth bookkeeping: policy_call_depth is pushed with incr on entry and with decr on exit (pushed, not popped); policy_m4_comment uses it to emit begin/end trace markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_howl_port'($*)) dnl
corenet_dontaudit_udp_send_howl_port($1)
corenet_dontaudit_udp_receive_howl_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_howl_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the howl port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_howl_port',` dnl
dnl Allow the caller domain (argument 1) to name_bind TCP sockets to howl_port_t.
dnl Unlike the http port bind interfaces in this file, no self:capability net_bind_service is granted here; presumably howl_port_t is not a reserved port below 1024 (confirm against the port declaration).
dnl Depth bookkeeping: policy_call_depth is pushed with incr on entry and with decr on exit (pushed, not popped); policy_m4_comment uses it to emit begin/end trace markers.
dnl gen_require declares the port type this interface needs (becomes a require block when built as a loadable module).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_howl_port'($*)) dnl
gen_require(`
type howl_port_t;
')
allow $1 howl_port_t:tcp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_howl_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the howl port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_howl_port',` dnl
dnl Allow the caller domain (argument 1) to name_bind UDP sockets to howl_port_t.
dnl Unlike the http port bind interfaces in this file, no self:capability net_bind_service is granted here; presumably howl_port_t is not a reserved port below 1024 (confirm against the port declaration).
dnl Depth bookkeeping: policy_call_depth is pushed with incr on entry and with decr on exit (pushed, not popped); policy_m4_comment uses it to emit begin/end trace markers.
dnl gen_require declares the port type this interface needs (becomes a require block when built as a loadable module).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_howl_port'($*)) dnl
gen_require(`
type howl_port_t;
')
allow $1 howl_port_t:udp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_howl_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the howl port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_howl_port',` dnl
dnl Allow the caller domain (argument 1) to name_connect TCP sockets to howl_port_t (outbound connections to the howl port).
dnl Depth bookkeeping: policy_call_depth is pushed with incr on entry and with decr on exit (pushed, not popped); policy_m4_comment uses it to emit begin/end trace markers.
dnl gen_require declares the port type this interface needs (becomes a require block when built as a loadable module).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_howl_port'($*)) dnl
gen_require(`
type howl_port_t;
')
allow $1 howl_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_howl_port'($*)) dnl
')
########################################
##
## Send howl_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_howl_client_packets',` dnl
# The policy_call_depth push/pop and policy_m4_comment calls only bracket the expanded rules with begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_howl_client_packets'($*)) dnl
gen_require(`
type howl_client_packet_t;
')
# packet send is checked against the SECMARK label netfilter assigned to the
# outgoing packet. NOTE(review): with no SECMARK rules labeling traffic
# howl_client_packet_t this grant is unused.
allow $1 howl_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_howl_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send howl_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_howl_client_packets',` dnl
# The policy_call_depth push/pop and policy_m4_comment calls only bracket the expanded rules with begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_howl_client_packets'($*)) dnl
gen_require(`
type howl_client_packet_t;
')
# dontaudit only suppresses AVC denial logging for this access; it grants
# nothing. Such rules hide denials from audit tooling, so rebuild with
# dontaudit rules disabled (e.g. semodule -DB) when debugging.
dontaudit $1 howl_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_howl_client_packets'($*)) dnl
')
########################################
##
## Receive howl_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_howl_client_packets',` dnl
# The policy_call_depth push/pop and policy_m4_comment calls only bracket the expanded rules with begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_howl_client_packets'($*)) dnl
gen_require(`
type howl_client_packet_t;
')
# packet recv is checked against the SECMARK label netfilter assigned to the
# incoming packet. NOTE(review): with no SECMARK rules labeling traffic
# howl_client_packet_t this grant is unused.
allow $1 howl_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_howl_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive howl_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_howl_client_packets',` dnl
# The policy_call_depth push/pop and policy_m4_comment calls only bracket the expanded rules with begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_howl_client_packets'($*)) dnl
gen_require(`
type howl_client_packet_t;
')
# dontaudit only suppresses AVC denial logging for this access; it grants
# nothing. Such rules hide denials from audit tooling, so rebuild with
# dontaudit rules disabled (e.g. semodule -DB) when debugging.
dontaudit $1 howl_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_howl_client_packets'($*)) dnl
')
########################################
##
## Send and receive howl_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_howl_client_packets',` dnl
# The policy_call_depth push/pop and policy_m4_comment calls only bracket the expanded rules with begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_howl_client_packets'($*)) dnl
# Convenience wrapper composing the send and receive interfaces above so
# callers do not repeat the require block and both packet rules.
corenet_send_howl_client_packets($1)
corenet_receive_howl_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_howl_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive howl_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_howl_client_packets',` dnl
# The policy_call_depth push/pop and policy_m4_comment calls only bracket the expanded rules with begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_howl_client_packets'($*)) dnl
# Convenience wrapper composing the two dontaudit interfaces above; it
# suppresses denial logging only and grants no access.
corenet_dontaudit_send_howl_client_packets($1)
corenet_dontaudit_receive_howl_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_howl_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the howl_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_howl_client_packets',` dnl
# The policy_call_depth push/pop and policy_m4_comment calls only bracket the expanded rules with begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_howl_client_packets'($*)) dnl
gen_require(`
type howl_client_packet_t;
')
# relabelto is the permission checked when a SECMARK rule assigning
# howl_client_packet_t to traffic is installed; it is not needed to send
# or receive. NOTE(review): it should be limited to the domain that
# manages the firewall/SECMARK rules.
allow $1 howl_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_howl_client_packets'($*)) dnl
')
########################################
##
## Send howl_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_howl_server_packets',` dnl
# The policy_call_depth push/pop and policy_m4_comment calls only bracket the expanded rules with begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_howl_server_packets'($*)) dnl
gen_require(`
type howl_server_packet_t;
')
# packet send is checked against the SECMARK label netfilter assigned to the
# outgoing packet. NOTE(review): with no SECMARK rules labeling traffic
# howl_server_packet_t this grant is unused.
allow $1 howl_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_howl_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send howl_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_howl_server_packets',` dnl
# The policy_call_depth push/pop and policy_m4_comment calls only bracket the expanded rules with begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_howl_server_packets'($*)) dnl
gen_require(`
type howl_server_packet_t;
')
# dontaudit only suppresses AVC denial logging for this access; it grants
# nothing. Such rules hide denials from audit tooling, so rebuild with
# dontaudit rules disabled (e.g. semodule -DB) when debugging.
dontaudit $1 howl_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_howl_server_packets'($*)) dnl
')
########################################
##
## Receive howl_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_howl_server_packets',` dnl
# The policy_call_depth push/pop and policy_m4_comment calls only bracket the expanded rules with begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_howl_server_packets'($*)) dnl
gen_require(`
type howl_server_packet_t;
')
# packet recv is checked against the SECMARK label netfilter assigned to the
# incoming packet. NOTE(review): with no SECMARK rules labeling traffic
# howl_server_packet_t this grant is unused.
allow $1 howl_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_howl_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive howl_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_howl_server_packets',` dnl
# The policy_call_depth push/pop and policy_m4_comment calls only bracket the expanded rules with begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_howl_server_packets'($*)) dnl
gen_require(`
type howl_server_packet_t;
')
# dontaudit only suppresses AVC denial logging for this access; it grants
# nothing. Such rules hide denials from audit tooling, so rebuild with
# dontaudit rules disabled (e.g. semodule -DB) when debugging.
dontaudit $1 howl_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_howl_server_packets'($*)) dnl
')
########################################
##
## Send and receive howl_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_howl_server_packets',` dnl
# The policy_call_depth push/pop and policy_m4_comment calls only bracket the expanded rules with begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_howl_server_packets'($*)) dnl
# Convenience wrapper composing the send and receive interfaces above so
# callers do not repeat the require block and both packet rules.
corenet_send_howl_server_packets($1)
corenet_receive_howl_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_howl_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive howl_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_howl_server_packets',` dnl
# The policy_call_depth push/pop and policy_m4_comment calls only bracket the expanded rules with begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_howl_server_packets'($*)) dnl
# Convenience wrapper composing the two dontaudit interfaces above; it
# suppresses denial logging only and grants no access.
corenet_dontaudit_send_howl_server_packets($1)
corenet_dontaudit_receive_howl_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_howl_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the howl_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_howl_server_packets',` dnl
# The policy_call_depth push/pop and policy_m4_comment calls only bracket the expanded rules with begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_howl_server_packets'($*)) dnl
gen_require(`
type howl_server_packet_t;
')
# relabelto is the permission checked when a SECMARK rule assigning
# howl_server_packet_t to traffic is installed; it is not needed to send
# or receive. NOTE(review): it should be limited to the domain that
# manages the firewall/SECMARK rules.
allow $1 howl_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_howl_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the hplip port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_hplip_port',` dnl
# The policy_call_depth push/pop and policy_m4_comment calls only bracket the expanded rules with begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_hplip_port'($*)) dnl
gen_require(`
type hplip_port_t;
')
# Grants TCP data transfer on the port(s) labeled hplip_port_t only; binding
# and connecting are separate permissions (see the bind/connect interfaces).
# NOTE(review): kernels with the network_peer_controls policy capability
# enabled do not perform per-port send_msg/recv_msg checks, so this rule may
# be inert there; name_bind/name_connect are the effective controls.
allow $1 hplip_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_hplip_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the hplip port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_hplip_port',` dnl
# The policy_call_depth push/pop and policy_m4_comment calls only bracket the expanded rules with begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_hplip_port'($*)) dnl
gen_require(`
type hplip_port_t;
')
# Grants UDP send on the port(s) labeled hplip_port_t only; receiving and
# binding are covered by separate interfaces. NOTE(review): with the
# network_peer_controls policy capability enabled the kernel may not check
# per-port send_msg at all.
allow $1 hplip_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_hplip_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the hplip port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_hplip_port',` dnl
# The policy_call_depth push/pop and policy_m4_comment calls only bracket the expanded rules with begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_hplip_port'($*)) dnl
gen_require(`
type hplip_port_t;
')
# dontaudit only suppresses AVC denial logging for this access; it grants
# nothing. Such rules hide denials from audit tooling, so rebuild with
# dontaudit rules disabled (e.g. semodule -DB) when debugging.
dontaudit $1 hplip_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_hplip_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the hplip port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_hplip_port',` dnl
# The policy_call_depth push/pop and policy_m4_comment calls only bracket the expanded rules with begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_hplip_port'($*)) dnl
gen_require(`
type hplip_port_t;
')
# Grants UDP receive on the port(s) labeled hplip_port_t only; sending and
# binding are covered by separate interfaces. NOTE(review): with the
# network_peer_controls policy capability enabled the kernel may not check
# per-port recv_msg at all.
allow $1 hplip_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_hplip_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the hplip port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_hplip_port',` dnl
# The policy_call_depth push/pop and policy_m4_comment calls only bracket the expanded rules with begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_hplip_port'($*)) dnl
gen_require(`
type hplip_port_t;
')
# dontaudit only suppresses AVC denial logging for this access; it grants
# nothing. Such rules hide denials from audit tooling, so rebuild with
# dontaudit rules disabled (e.g. semodule -DB) when debugging.
dontaudit $1 hplip_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_hplip_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the hplip port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_hplip_port',` dnl
# The policy_call_depth push/pop and policy_m4_comment calls only bracket the expanded rules with begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_hplip_port'($*)) dnl
# Convenience wrapper composing the UDP send and receive interfaces above;
# it does not grant name_bind, which a UDP listener also needs.
corenet_udp_send_hplip_port($1)
corenet_udp_receive_hplip_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_hplip_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the hplip port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_hplip_port',` dnl
# The policy_call_depth push/pop and policy_m4_comment calls only bracket the expanded rules with begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_hplip_port'($*)) dnl
# Convenience wrapper composing the two dontaudit interfaces above; it
# suppresses denial logging only and grants no access.
corenet_dontaudit_udp_send_hplip_port($1)
corenet_dontaudit_udp_receive_hplip_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_hplip_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the hplip port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_hplip_port',` dnl
# The policy_call_depth push/pop and policy_m4_comment calls only bracket the expanded rules with begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_hplip_port'($*)) dnl
gen_require(`
type hplip_port_t;
')
# Server-side grant: lets the domain bind a TCP listener to the port(s)
# labeled hplip_port_t. No connect, send_msg or recv_msg is granted here.
allow $1 hplip_port_t:tcp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_hplip_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the hplip port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_hplip_port',` dnl
# The policy_call_depth push/pop and policy_m4_comment calls only bracket the expanded rules with begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_hplip_port'($*)) dnl
gen_require(`
type hplip_port_t;
')
# Server-side grant: lets the domain bind a UDP socket to the port(s)
# labeled hplip_port_t. No send_msg or recv_msg is granted here.
allow $1 hplip_port_t:udp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_hplip_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the hplip port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_hplip_port',` dnl
# The policy_call_depth push/pop and policy_m4_comment calls only bracket the expanded rules with begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_hplip_port'($*)) dnl
gen_require(`
type hplip_port_t;
')
# Client-side grant: outbound TCP connect to the port(s) labeled hplip_port_t.
# The matching listener permission is corenet_tcp_bind_hplip_port.
allow $1 hplip_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_hplip_port'($*)) dnl
')
########################################
##
## Send hplip_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_hplip_client_packets',` dnl
# The policy_call_depth push/pop and policy_m4_comment calls only bracket the expanded rules with begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_hplip_client_packets'($*)) dnl
gen_require(`
type hplip_client_packet_t;
')
# packet send is checked against the SECMARK label netfilter assigned to the
# outgoing packet. NOTE(review): with no SECMARK rules labeling traffic
# hplip_client_packet_t this grant is unused.
allow $1 hplip_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_hplip_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send hplip_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_hplip_client_packets',` dnl
# The policy_call_depth push/pop and policy_m4_comment calls only bracket the expanded rules with begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_hplip_client_packets'($*)) dnl
gen_require(`
type hplip_client_packet_t;
')
# dontaudit only suppresses AVC denial logging for this access; it grants
# nothing. Such rules hide denials from audit tooling, so rebuild with
# dontaudit rules disabled (e.g. semodule -DB) when debugging.
dontaudit $1 hplip_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_hplip_client_packets'($*)) dnl
')
########################################
##
## Receive hplip_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_hplip_client_packets',` dnl
# The policy_call_depth push/pop and policy_m4_comment calls only bracket the expanded rules with begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_hplip_client_packets'($*)) dnl
gen_require(`
type hplip_client_packet_t;
')
# packet recv is checked against the SECMARK label netfilter assigned to the
# incoming packet. NOTE(review): with no SECMARK rules labeling traffic
# hplip_client_packet_t this grant is unused.
allow $1 hplip_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_hplip_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive hplip_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_hplip_client_packets',` dnl
# The policy_call_depth push/pop and policy_m4_comment calls only bracket the expanded rules with begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_hplip_client_packets'($*)) dnl
gen_require(`
type hplip_client_packet_t;
')
# dontaudit only suppresses AVC denial logging for this access; it grants
# nothing. Such rules hide denials from audit tooling, so rebuild with
# dontaudit rules disabled (e.g. semodule -DB) when debugging.
dontaudit $1 hplip_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_hplip_client_packets'($*)) dnl
')
########################################
##
## Send and receive hplip_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_hplip_client_packets',` dnl
# The policy_call_depth push/pop and policy_m4_comment calls only bracket the expanded rules with begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_hplip_client_packets'($*)) dnl
# Convenience wrapper composing the send and receive interfaces above so
# callers do not repeat the require block and both packet rules.
corenet_send_hplip_client_packets($1)
corenet_receive_hplip_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_hplip_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive hplip_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_hplip_client_packets',` dnl
# The policy_call_depth push/pop and policy_m4_comment calls only bracket the expanded rules with begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_hplip_client_packets'($*)) dnl
# Convenience wrapper composing the two dontaudit interfaces above; it
# suppresses denial logging only and grants no access.
corenet_dontaudit_send_hplip_client_packets($1)
corenet_dontaudit_receive_hplip_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_hplip_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the hplip_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_hplip_client_packets',` dnl
# The policy_call_depth push/pop and policy_m4_comment calls only bracket the expanded rules with begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_hplip_client_packets'($*)) dnl
gen_require(`
type hplip_client_packet_t;
')
# relabelto is the permission checked when a SECMARK rule assigning
# hplip_client_packet_t to traffic is installed; it is not needed to send
# or receive. NOTE(review): it should be limited to the domain that
# manages the firewall/SECMARK rules.
allow $1 hplip_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_hplip_client_packets'($*)) dnl
')
########################################
##
## Send hplip_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_hplip_server_packets',` dnl
# The policy_call_depth push/pop and policy_m4_comment calls only bracket the expanded rules with begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_hplip_server_packets'($*)) dnl
gen_require(`
type hplip_server_packet_t;
')
# packet send is checked against the SECMARK label netfilter assigned to the
# outgoing packet. NOTE(review): with no SECMARK rules labeling traffic
# hplip_server_packet_t this grant is unused.
allow $1 hplip_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_hplip_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send hplip_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_hplip_server_packets',` dnl
# The policy_call_depth push/pop and policy_m4_comment calls only bracket the expanded rules with begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_hplip_server_packets'($*)) dnl
gen_require(`
type hplip_server_packet_t;
')
# dontaudit only suppresses AVC denial logging for this access; it grants
# nothing. Such rules hide denials from audit tooling, so rebuild with
# dontaudit rules disabled (e.g. semodule -DB) when debugging.
dontaudit $1 hplip_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_hplip_server_packets'($*)) dnl
')
########################################
##
## Receive hplip_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_hplip_server_packets',` dnl
# The policy_call_depth push/pop and policy_m4_comment calls only bracket the expanded rules with begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_hplip_server_packets'($*)) dnl
gen_require(`
type hplip_server_packet_t;
')
# packet recv is checked against the SECMARK label netfilter assigned to the
# incoming packet. NOTE(review): with no SECMARK rules labeling traffic
# hplip_server_packet_t this grant is unused.
allow $1 hplip_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_hplip_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive hplip_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_hplip_server_packets',` dnl
# The policy_call_depth push/pop and policy_m4_comment calls only bracket the expanded rules with begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_hplip_server_packets'($*)) dnl
gen_require(`
type hplip_server_packet_t;
')
# dontaudit only suppresses AVC denial logging for this access; it grants
# nothing. Such rules hide denials from audit tooling, so rebuild with
# dontaudit rules disabled (e.g. semodule -DB) when debugging.
dontaudit $1 hplip_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_hplip_server_packets'($*)) dnl
')
########################################
##
## Send and receive hplip_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_hplip_server_packets',` dnl
# The policy_call_depth push/pop and policy_m4_comment calls only bracket the expanded rules with begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_hplip_server_packets'($*)) dnl
# Convenience wrapper composing the send and receive interfaces above so
# callers do not repeat the require block and both packet rules.
corenet_send_hplip_server_packets($1)
corenet_receive_hplip_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_hplip_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive hplip_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_hplip_server_packets',` dnl
# The policy_call_depth push/pop and policy_m4_comment calls only bracket the expanded rules with begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_hplip_server_packets'($*)) dnl
# Convenience wrapper composing the two dontaudit interfaces above; it
# suppresses denial logging only and grants no access.
corenet_dontaudit_send_hplip_server_packets($1)
corenet_dontaudit_receive_hplip_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_hplip_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the hplip_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_hplip_server_packets',` dnl
# The policy_call_depth push/pop and policy_m4_comment calls only bracket the expanded rules with begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_hplip_server_packets'($*)) dnl
gen_require(`
type hplip_server_packet_t;
')
# relabelto is the permission checked when a SECMARK rule assigning
# hplip_server_packet_t to traffic is installed; it is not needed to send
# or receive. NOTE(review): it should be limited to the domain that
# manages the firewall/SECMARK rules.
allow $1 hplip_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_hplip_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the i18n_input port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_i18n_input_port',` dnl
# The policy_call_depth push/pop and policy_m4_comment calls only bracket the expanded rules with begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_i18n_input_port'($*)) dnl
gen_require(`
type i18n_input_port_t;
')
# Grants TCP data transfer on the port(s) labeled i18n_input_port_t only;
# binding and connecting are separate permissions (see the bind/connect
# interfaces). NOTE(review): kernels with the network_peer_controls policy
# capability enabled do not perform per-port send_msg/recv_msg checks, so
# this rule may be inert there; name_bind/name_connect are the effective controls.
allow $1 i18n_input_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_i18n_input_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the i18n_input port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_i18n_input_port',` dnl
# The policy_call_depth push/pop and policy_m4_comment calls only bracket the expanded rules with begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_i18n_input_port'($*)) dnl
gen_require(`
type i18n_input_port_t;
')
# Grants UDP send on the port(s) labeled i18n_input_port_t only; receiving
# and binding are covered by separate interfaces. NOTE(review): with the
# network_peer_controls policy capability enabled the kernel may not check
# per-port send_msg at all.
allow $1 i18n_input_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_i18n_input_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the i18n_input port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_i18n_input_port',` dnl
# The policy_call_depth push/pop and policy_m4_comment calls only bracket the expanded rules with begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_i18n_input_port'($*)) dnl
gen_require(`
type i18n_input_port_t;
')
# dontaudit only suppresses AVC denial logging for this access; it grants
# nothing. Such rules hide denials from audit tooling, so rebuild with
# dontaudit rules disabled (e.g. semodule -DB) when debugging.
dontaudit $1 i18n_input_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_i18n_input_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the i18n_input port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_i18n_input_port',` dnl
# The policy_call_depth push/pop and policy_m4_comment calls only bracket the expanded rules with begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_i18n_input_port'($*)) dnl
gen_require(`
type i18n_input_port_t;
')
# Grants UDP receive on the port(s) labeled i18n_input_port_t only; sending
# and binding are covered by separate interfaces. NOTE(review): with the
# network_peer_controls policy capability enabled the kernel may not check
# per-port recv_msg at all.
allow $1 i18n_input_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_i18n_input_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the i18n_input port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_i18n_input_port',` dnl
# The policy_call_depth push/pop and policy_m4_comment calls only bracket the expanded rules with begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_i18n_input_port'($*)) dnl
gen_require(`
type i18n_input_port_t;
')
# dontaudit only suppresses AVC denial logging for this access; it grants
# nothing. Such rules hide denials from audit tooling, so rebuild with
# dontaudit rules disabled (e.g. semodule -DB) when debugging.
dontaudit $1 i18n_input_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_i18n_input_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the i18n_input port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_i18n_input_port',` dnl
# The policy_call_depth push/pop and policy_m4_comment calls only bracket the expanded rules with begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_i18n_input_port'($*)) dnl
# Convenience wrapper composing the UDP send and receive interfaces above;
# it does not grant name_bind, which a UDP listener also needs.
corenet_udp_send_i18n_input_port($1)
corenet_udp_receive_i18n_input_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_i18n_input_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the i18n_input port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_i18n_input_port',` dnl
# The policy_call_depth push/pop and policy_m4_comment calls only bracket the expanded rules with begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_i18n_input_port'($*)) dnl
# Convenience wrapper composing the two dontaudit interfaces above; it
# suppresses denial logging only and grants no access.
corenet_dontaudit_udp_send_i18n_input_port($1)
corenet_dontaudit_udp_receive_i18n_input_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_i18n_input_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the i18n_input port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_i18n_input_port',` dnl
# The policy_call_depth push/pop and policy_m4_comment calls only bracket the expanded rules with begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_i18n_input_port'($*)) dnl
gen_require(`
type i18n_input_port_t;
')
# Server-side grant: lets the domain bind a TCP listener to the port(s)
# labeled i18n_input_port_t. No connect, send_msg or recv_msg is granted here.
allow $1 i18n_input_port_t:tcp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_i18n_input_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the i18n_input port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_i18n_input_port',` dnl
dnl corenet_udp_bind_i18n_input_port(domain)
dnl Grants argument 1 name_bind on udp_socket for i18n_input_port_t, i.e. the
dnl right to bind a UDP socket to a port carrying that label.
dnl Entry bookkeeping: push an incremented call-depth counter and emit a begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_i18n_input_port'($*)) dnl
gen_require(`
type i18n_input_port_t;
')
dnl gen_require above declares the port type as a requirement so the rule resolves.
allow $1 i18n_input_port_t:udp_socket name_bind;
dnl Exit bookkeeping: push the decremented counter (pushdef rather than popdef,
dnl as generated) and emit the matching end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_i18n_input_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the i18n_input port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_i18n_input_port',` dnl
dnl corenet_tcp_connect_i18n_input_port(domain)
dnl Grants argument 1 name_connect on tcp_socket for i18n_input_port_t, i.e.
dnl the right to initiate an outbound TCP connection to a port with that label.
dnl This is the client-side permission; binding (server side) is a separate interface.
dnl Entry bookkeeping: push an incremented call-depth counter and emit a begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_i18n_input_port'($*)) dnl
gen_require(`
type i18n_input_port_t;
')
dnl gen_require above declares the port type as a requirement so the rule resolves.
allow $1 i18n_input_port_t:tcp_socket name_connect;
dnl Exit bookkeeping: push the decremented counter (pushdef rather than popdef,
dnl as generated) and emit the matching end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_i18n_input_port'($*)) dnl
')
########################################
##
## Send i18n_input_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_i18n_input_client_packets',` dnl
dnl corenet_send_i18n_input_client_packets(domain)
dnl Grants argument 1 send on the packet class for i18n_input_client_packet_t.
dnl Packet-class rules only take effect for packets that carry a SECMARK label;
dnl unlabeled traffic is not governed by this rule.
dnl Entry bookkeeping: push an incremented call-depth counter and emit a begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_i18n_input_client_packets'($*)) dnl
gen_require(`
type i18n_input_client_packet_t;
')
dnl gen_require above declares the packet type as a requirement so the rule resolves.
allow $1 i18n_input_client_packet_t:packet send;
dnl Exit bookkeeping: push the decremented counter (pushdef rather than popdef,
dnl as generated) and emit the matching end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_i18n_input_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send i18n_input_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_i18n_input_client_packets',` dnl
dnl corenet_dontaudit_send_i18n_input_client_packets(domain)
dnl Suppresses the AVC denial for argument 1 sending i18n_input_client_packet_t
dnl packets. Grants nothing; it only keeps the denial out of the audit log,
dnl so use it for known-benign noise rather than to paper over a real gap.
dnl Entry bookkeeping: push an incremented call-depth counter and emit a begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_i18n_input_client_packets'($*)) dnl
gen_require(`
type i18n_input_client_packet_t;
')
dnl gen_require above declares the packet type as a requirement so the rule resolves.
dontaudit $1 i18n_input_client_packet_t:packet send;
dnl Exit bookkeeping: push the decremented counter (pushdef rather than popdef,
dnl as generated) and emit the matching end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_i18n_input_client_packets'($*)) dnl
')
########################################
##
## Receive i18n_input_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_i18n_input_client_packets',` dnl
dnl corenet_receive_i18n_input_client_packets(domain)
dnl Grants argument 1 recv on the packet class for i18n_input_client_packet_t.
dnl Packet-class rules only take effect for packets that carry a SECMARK label.
dnl Entry bookkeeping: push an incremented call-depth counter and emit a begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_i18n_input_client_packets'($*)) dnl
gen_require(`
type i18n_input_client_packet_t;
')
dnl gen_require above declares the packet type as a requirement so the rule resolves.
allow $1 i18n_input_client_packet_t:packet recv;
dnl Exit bookkeeping: push the decremented counter (pushdef rather than popdef,
dnl as generated) and emit the matching end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_i18n_input_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive i18n_input_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_i18n_input_client_packets',` dnl
dnl corenet_dontaudit_receive_i18n_input_client_packets(domain)
dnl Suppresses the AVC denial for argument 1 receiving i18n_input_client_packet_t
dnl packets. Grants nothing; it only keeps the denial out of the audit log.
dnl Entry bookkeeping: push an incremented call-depth counter and emit a begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_i18n_input_client_packets'($*)) dnl
gen_require(`
type i18n_input_client_packet_t;
')
dnl gen_require above declares the packet type as a requirement so the rule resolves.
dontaudit $1 i18n_input_client_packet_t:packet recv;
dnl Exit bookkeeping: push the decremented counter (pushdef rather than popdef,
dnl as generated) and emit the matching end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_i18n_input_client_packets'($*)) dnl
')
########################################
##
## Send and receive i18n_input_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_i18n_input_client_packets',` dnl
dnl corenet_sendrecv_i18n_input_client_packets(domain)
dnl Convenience wrapper: grants argument 1 both send and recv on
dnl i18n_input_client_packet_t packets via the two single-direction
dnl interfaces, each of which declares the packet type itself.
dnl Entry bookkeeping: push an incremented call-depth counter and emit a begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_i18n_input_client_packets'($*)) dnl
corenet_send_i18n_input_client_packets($1)
corenet_receive_i18n_input_client_packets($1)
dnl Exit bookkeeping: push the decremented counter (pushdef rather than popdef,
dnl as generated) and emit the matching end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_i18n_input_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive i18n_input_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_i18n_input_client_packets',` dnl
dnl corenet_dontaudit_sendrecv_i18n_input_client_packets(domain)
dnl Suppresses AVC denials for argument 1 sending or receiving
dnl i18n_input_client_packet_t packets via the two single-direction dontaudit
dnl interfaces. Grants nothing.
dnl Entry bookkeeping: push an incremented call-depth counter and emit a begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_i18n_input_client_packets'($*)) dnl
corenet_dontaudit_send_i18n_input_client_packets($1)
corenet_dontaudit_receive_i18n_input_client_packets($1)
dnl Exit bookkeeping: push the decremented counter (pushdef rather than popdef,
dnl as generated) and emit the matching end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_i18n_input_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the i18n_input_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_i18n_input_client_packets',` dnl
dnl corenet_relabelto_i18n_input_client_packets(domain)
dnl Grants argument 1 relabelto on the packet class for
dnl i18n_input_client_packet_t, i.e. the right to assign that label to packets.
dnl This is a labeling privilege, not a send or receive permission; it is
dnl meant for the domain that applies packet labels (SECMARK), not for
dnl ordinary clients or servers of the port.
dnl Entry bookkeeping: push an incremented call-depth counter and emit a begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_i18n_input_client_packets'($*)) dnl
gen_require(`
type i18n_input_client_packet_t;
')
dnl gen_require above declares the packet type as a requirement so the rule resolves.
allow $1 i18n_input_client_packet_t:packet relabelto;
dnl Exit bookkeeping: push the decremented counter (pushdef rather than popdef,
dnl as generated) and emit the matching end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_i18n_input_client_packets'($*)) dnl
')
########################################
##
## Send i18n_input_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_i18n_input_server_packets',` dnl
dnl corenet_send_i18n_input_server_packets(domain)
dnl Grants argument 1 send on the packet class for i18n_input_server_packet_t.
dnl Packet-class rules only take effect for packets that carry a SECMARK label.
dnl Entry bookkeeping: push an incremented call-depth counter and emit a begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_i18n_input_server_packets'($*)) dnl
gen_require(`
type i18n_input_server_packet_t;
')
dnl gen_require above declares the packet type as a requirement so the rule resolves.
allow $1 i18n_input_server_packet_t:packet send;
dnl Exit bookkeeping: push the decremented counter (pushdef rather than popdef,
dnl as generated) and emit the matching end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_i18n_input_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send i18n_input_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_i18n_input_server_packets',` dnl
dnl corenet_dontaudit_send_i18n_input_server_packets(domain)
dnl Suppresses the AVC denial for argument 1 sending i18n_input_server_packet_t
dnl packets. Grants nothing; it only keeps the denial out of the audit log.
dnl Entry bookkeeping: push an incremented call-depth counter and emit a begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_i18n_input_server_packets'($*)) dnl
gen_require(`
type i18n_input_server_packet_t;
')
dnl gen_require above declares the packet type as a requirement so the rule resolves.
dontaudit $1 i18n_input_server_packet_t:packet send;
dnl Exit bookkeeping: push the decremented counter (pushdef rather than popdef,
dnl as generated) and emit the matching end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_i18n_input_server_packets'($*)) dnl
')
########################################
##
## Receive i18n_input_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_i18n_input_server_packets',` dnl
dnl corenet_receive_i18n_input_server_packets(domain)
dnl Grants argument 1 recv on the packet class for i18n_input_server_packet_t.
dnl Packet-class rules only take effect for packets that carry a SECMARK label.
dnl Entry bookkeeping: push an incremented call-depth counter and emit a begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_i18n_input_server_packets'($*)) dnl
gen_require(`
type i18n_input_server_packet_t;
')
dnl gen_require above declares the packet type as a requirement so the rule resolves.
allow $1 i18n_input_server_packet_t:packet recv;
dnl Exit bookkeeping: push the decremented counter (pushdef rather than popdef,
dnl as generated) and emit the matching end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_i18n_input_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive i18n_input_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_i18n_input_server_packets',` dnl
dnl corenet_dontaudit_receive_i18n_input_server_packets(domain)
dnl Suppresses the AVC denial for argument 1 receiving i18n_input_server_packet_t
dnl packets. Grants nothing; it only keeps the denial out of the audit log.
dnl Entry bookkeeping: push an incremented call-depth counter and emit a begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_i18n_input_server_packets'($*)) dnl
gen_require(`
type i18n_input_server_packet_t;
')
dnl gen_require above declares the packet type as a requirement so the rule resolves.
dontaudit $1 i18n_input_server_packet_t:packet recv;
dnl Exit bookkeeping: push the decremented counter (pushdef rather than popdef,
dnl as generated) and emit the matching end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_i18n_input_server_packets'($*)) dnl
')
########################################
##
## Send and receive i18n_input_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_i18n_input_server_packets',` dnl
dnl corenet_sendrecv_i18n_input_server_packets(domain)
dnl Convenience wrapper: grants argument 1 both send and recv on
dnl i18n_input_server_packet_t packets via the two single-direction
dnl interfaces, each of which declares the packet type itself.
dnl Entry bookkeeping: push an incremented call-depth counter and emit a begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_i18n_input_server_packets'($*)) dnl
corenet_send_i18n_input_server_packets($1)
corenet_receive_i18n_input_server_packets($1)
dnl Exit bookkeeping: push the decremented counter (pushdef rather than popdef,
dnl as generated) and emit the matching end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_i18n_input_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive i18n_input_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_i18n_input_server_packets',` dnl
dnl corenet_dontaudit_sendrecv_i18n_input_server_packets(domain)
dnl Suppresses AVC denials for argument 1 sending or receiving
dnl i18n_input_server_packet_t packets via the two single-direction dontaudit
dnl interfaces. Grants nothing.
dnl Entry bookkeeping: push an incremented call-depth counter and emit a begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_i18n_input_server_packets'($*)) dnl
corenet_dontaudit_send_i18n_input_server_packets($1)
corenet_dontaudit_receive_i18n_input_server_packets($1)
dnl Exit bookkeeping: push the decremented counter (pushdef rather than popdef,
dnl as generated) and emit the matching end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_i18n_input_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the i18n_input_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_i18n_input_server_packets',` dnl
dnl corenet_relabelto_i18n_input_server_packets(domain)
dnl Grants argument 1 relabelto on the packet class for
dnl i18n_input_server_packet_t, i.e. the right to assign that label to packets.
dnl This is a labeling privilege for the domain that applies packet labels
dnl (SECMARK), not a send or receive permission for ordinary peers.
dnl Entry bookkeeping: push an incremented call-depth counter and emit a begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_i18n_input_server_packets'($*)) dnl
gen_require(`
type i18n_input_server_packet_t;
')
dnl gen_require above declares the packet type as a requirement so the rule resolves.
allow $1 i18n_input_server_packet_t:packet relabelto;
dnl Exit bookkeeping: push the decremented counter (pushdef rather than popdef,
dnl as generated) and emit the matching end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_i18n_input_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the ipsecnat port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_ipsecnat_port',` dnl
dnl corenet_tcp_sendrecv_ipsecnat_port(domain)
dnl Grants argument 1 send_msg and recv_msg on tcp_socket for ipsecnat_port_t.
dnl NOTE(review): port-type send_msg/recv_msg checks are enforced only under
dnl the legacy (non-SECMARK) network controls; confirm which mode the target
dnl kernel uses before relying on this rule for enforcement.
dnl Entry bookkeeping: push an incremented call-depth counter and emit a begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ipsecnat_port'($*)) dnl
gen_require(`
type ipsecnat_port_t;
')
dnl gen_require above declares the port type as a requirement so the rule resolves.
allow $1 ipsecnat_port_t:tcp_socket { send_msg recv_msg };
dnl Exit bookkeeping: push the decremented counter (pushdef rather than popdef,
dnl as generated) and emit the matching end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ipsecnat_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the ipsecnat port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_ipsecnat_port',` dnl
dnl corenet_udp_send_ipsecnat_port(domain)
dnl Grants argument 1 send_msg on udp_socket for ipsecnat_port_t.
dnl NOTE(review): port-type send_msg checks apply under the legacy
dnl (non-SECMARK) network controls; confirm the mode in use.
dnl Entry bookkeeping: push an incremented call-depth counter and emit a begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ipsecnat_port'($*)) dnl
gen_require(`
type ipsecnat_port_t;
')
dnl gen_require above declares the port type as a requirement so the rule resolves.
allow $1 ipsecnat_port_t:udp_socket send_msg;
dnl Exit bookkeeping: push the decremented counter (pushdef rather than popdef,
dnl as generated) and emit the matching end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_ipsecnat_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the ipsecnat port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_ipsecnat_port',` dnl
dnl corenet_dontaudit_udp_send_ipsecnat_port(domain)
dnl Suppresses the AVC denial for argument 1 sending UDP on ipsecnat_port_t.
dnl Grants nothing; it only keeps the denial out of the audit log.
dnl Entry bookkeeping: push an incremented call-depth counter and emit a begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ipsecnat_port'($*)) dnl
gen_require(`
type ipsecnat_port_t;
')
dnl gen_require above declares the port type as a requirement so the rule resolves.
dontaudit $1 ipsecnat_port_t:udp_socket send_msg;
dnl Exit bookkeeping: push the decremented counter (pushdef rather than popdef,
dnl as generated) and emit the matching end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ipsecnat_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the ipsecnat port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_ipsecnat_port',` dnl
dnl corenet_udp_receive_ipsecnat_port(domain)
dnl Grants argument 1 recv_msg on udp_socket for ipsecnat_port_t.
dnl NOTE(review): port-type recv_msg checks apply under the legacy
dnl (non-SECMARK) network controls; confirm the mode in use.
dnl Entry bookkeeping: push an incremented call-depth counter and emit a begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ipsecnat_port'($*)) dnl
gen_require(`
type ipsecnat_port_t;
')
dnl gen_require above declares the port type as a requirement so the rule resolves.
allow $1 ipsecnat_port_t:udp_socket recv_msg;
dnl Exit bookkeeping: push the decremented counter (pushdef rather than popdef,
dnl as generated) and emit the matching end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ipsecnat_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the ipsecnat port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_ipsecnat_port',` dnl
dnl corenet_dontaudit_udp_receive_ipsecnat_port(domain)
dnl Suppresses the AVC denial for argument 1 receiving UDP on ipsecnat_port_t.
dnl Grants nothing; it only keeps the denial out of the audit log.
dnl Entry bookkeeping: push an incremented call-depth counter and emit a begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ipsecnat_port'($*)) dnl
gen_require(`
type ipsecnat_port_t;
')
dnl gen_require above declares the port type as a requirement so the rule resolves.
dontaudit $1 ipsecnat_port_t:udp_socket recv_msg;
dnl Exit bookkeeping: push the decremented counter (pushdef rather than popdef,
dnl as generated) and emit the matching end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ipsecnat_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the ipsecnat port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_ipsecnat_port',` dnl
dnl corenet_udp_sendrecv_ipsecnat_port(domain)
dnl Convenience wrapper: grants argument 1 both UDP send and receive on the
dnl ipsecnat port via the two single-direction interfaces, each of which
dnl declares the port type itself.
dnl Entry bookkeeping: push an incremented call-depth counter and emit a begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ipsecnat_port'($*)) dnl
corenet_udp_send_ipsecnat_port($1)
corenet_udp_receive_ipsecnat_port($1)
dnl Exit bookkeeping: push the decremented counter (pushdef rather than popdef,
dnl as generated) and emit the matching end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ipsecnat_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the ipsecnat port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_ipsecnat_port',` dnl
dnl corenet_dontaudit_udp_sendrecv_ipsecnat_port(domain)
dnl Suppresses AVC denials for argument 1 sending or receiving UDP on the
dnl ipsecnat port via the two single-direction dontaudit interfaces. Grants nothing.
dnl Entry bookkeeping: push an incremented call-depth counter and emit a begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ipsecnat_port'($*)) dnl
corenet_dontaudit_udp_send_ipsecnat_port($1)
corenet_dontaudit_udp_receive_ipsecnat_port($1)
dnl Exit bookkeeping: push the decremented counter (pushdef rather than popdef,
dnl as generated) and emit the matching end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ipsecnat_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the ipsecnat port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_ipsecnat_port',` dnl
dnl corenet_tcp_bind_ipsecnat_port(domain)
dnl Grants argument 1 name_bind on tcp_socket for ipsecnat_port_t, i.e. the
dnl right to bind a listening TCP socket to a port carrying that label.
dnl Entry bookkeeping: push an incremented call-depth counter and emit a begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ipsecnat_port'($*)) dnl
gen_require(`
type ipsecnat_port_t;
')
dnl gen_require above declares the port type as a requirement so the rule resolves.
allow $1 ipsecnat_port_t:tcp_socket name_bind;
dnl Exit bookkeeping: push the decremented counter (pushdef rather than popdef,
dnl as generated) and emit the matching end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ipsecnat_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the ipsecnat port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_ipsecnat_port',` dnl
dnl corenet_udp_bind_ipsecnat_port(domain)
dnl Grants argument 1 name_bind on udp_socket for ipsecnat_port_t, i.e. the
dnl right to bind a UDP socket to a port carrying that label.
dnl Entry bookkeeping: push an incremented call-depth counter and emit a begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ipsecnat_port'($*)) dnl
gen_require(`
type ipsecnat_port_t;
')
dnl gen_require above declares the port type as a requirement so the rule resolves.
allow $1 ipsecnat_port_t:udp_socket name_bind;
dnl Exit bookkeeping: push the decremented counter (pushdef rather than popdef,
dnl as generated) and emit the matching end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ipsecnat_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the ipsecnat port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_ipsecnat_port',` dnl
dnl corenet_tcp_connect_ipsecnat_port(domain)
dnl Grants argument 1 name_connect on tcp_socket for ipsecnat_port_t, i.e.
dnl the right to initiate an outbound TCP connection to a port with that label.
dnl This is the client-side permission; binding is a separate interface.
dnl Entry bookkeeping: push an incremented call-depth counter and emit a begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ipsecnat_port'($*)) dnl
gen_require(`
type ipsecnat_port_t;
')
dnl gen_require above declares the port type as a requirement so the rule resolves.
allow $1 ipsecnat_port_t:tcp_socket name_connect;
dnl Exit bookkeeping: push the decremented counter (pushdef rather than popdef,
dnl as generated) and emit the matching end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ipsecnat_port'($*)) dnl
')
########################################
##
## Send ipsecnat_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_ipsecnat_client_packets',` dnl
dnl corenet_send_ipsecnat_client_packets(domain)
dnl Grants argument 1 send on the packet class for ipsecnat_client_packet_t.
dnl Packet-class rules only take effect for packets that carry a SECMARK label.
dnl Entry bookkeeping: push an incremented call-depth counter and emit a begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ipsecnat_client_packets'($*)) dnl
gen_require(`
type ipsecnat_client_packet_t;
')
dnl gen_require above declares the packet type as a requirement so the rule resolves.
allow $1 ipsecnat_client_packet_t:packet send;
dnl Exit bookkeeping: push the decremented counter (pushdef rather than popdef,
dnl as generated) and emit the matching end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ipsecnat_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send ipsecnat_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_ipsecnat_client_packets',` dnl
dnl corenet_dontaudit_send_ipsecnat_client_packets(domain)
dnl Suppresses the AVC denial for argument 1 sending ipsecnat_client_packet_t
dnl packets. Grants nothing; it only keeps the denial out of the audit log.
dnl Entry bookkeeping: push an incremented call-depth counter and emit a begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ipsecnat_client_packets'($*)) dnl
gen_require(`
type ipsecnat_client_packet_t;
')
dnl gen_require above declares the packet type as a requirement so the rule resolves.
dontaudit $1 ipsecnat_client_packet_t:packet send;
dnl Exit bookkeeping: push the decremented counter (pushdef rather than popdef,
dnl as generated) and emit the matching end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ipsecnat_client_packets'($*)) dnl
')
########################################
##
## Receive ipsecnat_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_ipsecnat_client_packets',` dnl
dnl corenet_receive_ipsecnat_client_packets(domain)
dnl Grants argument 1 recv on the packet class for ipsecnat_client_packet_t.
dnl Packet-class rules only take effect for packets that carry a SECMARK label.
dnl Entry bookkeeping: push an incremented call-depth counter and emit a begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ipsecnat_client_packets'($*)) dnl
gen_require(`
type ipsecnat_client_packet_t;
')
dnl gen_require above declares the packet type as a requirement so the rule resolves.
allow $1 ipsecnat_client_packet_t:packet recv;
dnl Exit bookkeeping: push the decremented counter (pushdef rather than popdef,
dnl as generated) and emit the matching end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ipsecnat_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive ipsecnat_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_ipsecnat_client_packets',` dnl
dnl corenet_dontaudit_receive_ipsecnat_client_packets(domain)
dnl Suppresses the AVC denial for argument 1 receiving ipsecnat_client_packet_t
dnl packets. Grants nothing; it only keeps the denial out of the audit log.
dnl Entry bookkeeping: push an incremented call-depth counter and emit a begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ipsecnat_client_packets'($*)) dnl
gen_require(`
type ipsecnat_client_packet_t;
')
dnl gen_require above declares the packet type as a requirement so the rule resolves.
dontaudit $1 ipsecnat_client_packet_t:packet recv;
dnl Exit bookkeeping: push the decremented counter (pushdef rather than popdef,
dnl as generated) and emit the matching end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ipsecnat_client_packets'($*)) dnl
')
########################################
##
## Send and receive ipsecnat_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_ipsecnat_client_packets',` dnl
dnl corenet_sendrecv_ipsecnat_client_packets(domain)
dnl Convenience wrapper: grants argument 1 both send and recv on
dnl ipsecnat_client_packet_t packets via the two single-direction interfaces,
dnl each of which declares the packet type itself.
dnl Entry bookkeeping: push an incremented call-depth counter and emit a begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ipsecnat_client_packets'($*)) dnl
corenet_send_ipsecnat_client_packets($1)
corenet_receive_ipsecnat_client_packets($1)
dnl Exit bookkeeping: push the decremented counter (pushdef rather than popdef,
dnl as generated) and emit the matching end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ipsecnat_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive ipsecnat_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_ipsecnat_client_packets',` dnl
dnl corenet_dontaudit_sendrecv_ipsecnat_client_packets(domain)
dnl Suppresses AVC denials for argument 1 sending or receiving
dnl ipsecnat_client_packet_t packets via the two single-direction dontaudit
dnl interfaces. Grants nothing.
dnl Entry bookkeeping: push an incremented call-depth counter and emit a begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ipsecnat_client_packets'($*)) dnl
corenet_dontaudit_send_ipsecnat_client_packets($1)
corenet_dontaudit_receive_ipsecnat_client_packets($1)
dnl Exit bookkeeping: push the decremented counter (pushdef rather than popdef,
dnl as generated) and emit the matching end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ipsecnat_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the ipsecnat_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_ipsecnat_client_packets',` dnl
dnl corenet_relabelto_ipsecnat_client_packets(domain)
dnl Grants argument 1 relabelto on the packet class for
dnl ipsecnat_client_packet_t, i.e. the right to assign that label to packets.
dnl This is a labeling privilege for the domain that applies packet labels
dnl (SECMARK), not a send or receive permission for ordinary peers.
dnl Entry bookkeeping: push an incremented call-depth counter and emit a begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ipsecnat_client_packets'($*)) dnl
gen_require(`
type ipsecnat_client_packet_t;
')
dnl gen_require above declares the packet type as a requirement so the rule resolves.
allow $1 ipsecnat_client_packet_t:packet relabelto;
dnl Exit bookkeeping: push the decremented counter (pushdef rather than popdef,
dnl as generated) and emit the matching end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ipsecnat_client_packets'($*)) dnl
')
########################################
##
## Send ipsecnat_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_ipsecnat_server_packets',` dnl
dnl corenet_send_ipsecnat_server_packets(domain)
dnl Grants argument 1 send on the packet class for ipsecnat_server_packet_t.
dnl Packet-class rules only take effect for packets that carry a SECMARK label.
dnl Entry bookkeeping: push an incremented call-depth counter and emit a begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ipsecnat_server_packets'($*)) dnl
gen_require(`
type ipsecnat_server_packet_t;
')
dnl gen_require above declares the packet type as a requirement so the rule resolves.
allow $1 ipsecnat_server_packet_t:packet send;
dnl Exit bookkeeping: push the decremented counter (pushdef rather than popdef,
dnl as generated) and emit the matching end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ipsecnat_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send ipsecnat_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_ipsecnat_server_packets',` dnl
dnl corenet_dontaudit_send_ipsecnat_server_packets(domain)
dnl Suppresses the AVC denial for argument 1 sending ipsecnat_server_packet_t
dnl packets. Grants nothing; it only keeps the denial out of the audit log.
dnl Entry bookkeeping: push an incremented call-depth counter and emit a begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ipsecnat_server_packets'($*)) dnl
gen_require(`
type ipsecnat_server_packet_t;
')
dnl gen_require above declares the packet type as a requirement so the rule resolves.
dontaudit $1 ipsecnat_server_packet_t:packet send;
dnl Exit bookkeeping: push the decremented counter (pushdef rather than popdef,
dnl as generated) and emit the matching end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ipsecnat_server_packets'($*)) dnl
')
########################################
##
## Receive ipsecnat_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_ipsecnat_server_packets',` dnl
dnl corenet_receive_ipsecnat_server_packets(domain)
dnl Grants argument 1 recv on the packet class for ipsecnat_server_packet_t.
dnl Packet-class rules only take effect for packets that carry a SECMARK label.
dnl Entry bookkeeping: push an incremented call-depth counter and emit a begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ipsecnat_server_packets'($*)) dnl
gen_require(`
type ipsecnat_server_packet_t;
')
dnl gen_require above declares the packet type as a requirement so the rule resolves.
allow $1 ipsecnat_server_packet_t:packet recv;
dnl Exit bookkeeping: push the decremented counter (pushdef rather than popdef,
dnl as generated) and emit the matching end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ipsecnat_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive ipsecnat_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_ipsecnat_server_packets',` dnl
dnl corenet_dontaudit_receive_ipsecnat_server_packets(domain)
dnl Suppresses the AVC denial for argument 1 receiving ipsecnat_server_packet_t
dnl packets. Grants nothing; it only keeps the denial out of the audit log.
dnl Entry bookkeeping: push an incremented call-depth counter and emit a begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ipsecnat_server_packets'($*)) dnl
gen_require(`
type ipsecnat_server_packet_t;
')
dnl gen_require above declares the packet type as a requirement so the rule resolves.
dontaudit $1 ipsecnat_server_packet_t:packet recv;
dnl Exit bookkeeping: push the decremented counter (pushdef rather than popdef,
dnl as generated) and emit the matching end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ipsecnat_server_packets'($*)) dnl
')
########################################
##
## Send and receive ipsecnat_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_ipsecnat_server_packets',` dnl
dnl corenet_sendrecv_ipsecnat_server_packets(domain)
dnl Convenience wrapper: grants argument 1 both send and recv on
dnl ipsecnat_server_packet_t packets via the two single-direction interfaces,
dnl each of which declares the packet type itself.
dnl Entry bookkeeping: push an incremented call-depth counter and emit a begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ipsecnat_server_packets'($*)) dnl
corenet_send_ipsecnat_server_packets($1)
corenet_receive_ipsecnat_server_packets($1)
dnl Exit bookkeeping: push the decremented counter (pushdef rather than popdef,
dnl as generated) and emit the matching end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ipsecnat_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive ipsecnat_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_ipsecnat_server_packets',` dnl
dnl corenet_dontaudit_sendrecv_ipsecnat_server_packets(domain)
dnl Suppresses AVC denials for argument 1 sending or receiving
dnl ipsecnat_server_packet_t packets via the two single-direction dontaudit
dnl interfaces. Grants nothing.
dnl Entry bookkeeping: push an incremented call-depth counter and emit a begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ipsecnat_server_packets'($*)) dnl
corenet_dontaudit_send_ipsecnat_server_packets($1)
corenet_dontaudit_receive_ipsecnat_server_packets($1)
dnl Exit bookkeeping: push the decremented counter (pushdef rather than popdef,
dnl as generated) and emit the matching end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ipsecnat_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the ipsecnat_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_ipsecnat_server_packets',` dnl
dnl corenet_relabelto_ipsecnat_server_packets(domain)
dnl Grants argument 1 relabelto on the packet class for
dnl ipsecnat_server_packet_t, i.e. the right to assign that label to packets.
dnl This is a labeling privilege for the domain that applies packet labels
dnl (SECMARK), not a send or receive permission for ordinary peers.
dnl Entry bookkeeping: push an incremented call-depth counter and emit a begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ipsecnat_server_packets'($*)) dnl
gen_require(`
type ipsecnat_server_packet_t;
')
dnl gen_require above declares the packet type as a requirement so the rule resolves.
allow $1 ipsecnat_server_packet_t:packet relabelto;
dnl Exit bookkeeping: push the decremented counter (pushdef rather than popdef,
dnl as generated) and emit the matching end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ipsecnat_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the imaze port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_imaze_port',` dnl
dnl corenet_tcp_sendrecv_imaze_port(domain)
dnl Grants argument 1 send_msg and recv_msg on tcp_socket for imaze_port_t.
dnl NOTE(review): port-type send_msg/recv_msg checks are enforced only under
dnl the legacy (non-SECMARK) network controls; confirm the mode in use.
dnl Entry bookkeeping: push an incremented call-depth counter and emit a begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_imaze_port'($*)) dnl
gen_require(`
type imaze_port_t;
')
dnl gen_require above declares the port type as a requirement so the rule resolves.
allow $1 imaze_port_t:tcp_socket { send_msg recv_msg };
dnl Exit bookkeeping: push the decremented counter (pushdef rather than popdef,
dnl as generated) and emit the matching end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_imaze_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the imaze port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_imaze_port',` dnl
dnl corenet_udp_send_imaze_port(domain)
dnl Grants argument 1 send_msg on udp_socket for imaze_port_t.
dnl NOTE(review): port-type send_msg checks apply under the legacy
dnl (non-SECMARK) network controls; confirm the mode in use.
dnl Entry bookkeeping: push an incremented call-depth counter and emit a begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_imaze_port'($*)) dnl
gen_require(`
type imaze_port_t;
')
dnl gen_require above declares the port type as a requirement so the rule resolves.
allow $1 imaze_port_t:udp_socket send_msg;
dnl Exit bookkeeping: push the decremented counter (pushdef rather than popdef,
dnl as generated) and emit the matching end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_imaze_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the imaze port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_imaze_port',` dnl
dnl corenet_dontaudit_udp_send_imaze_port(domain)
dnl Suppresses the AVC denial for argument 1 sending UDP on imaze_port_t.
dnl Grants nothing; it only keeps the denial out of the audit log.
dnl Entry bookkeeping: push an incremented call-depth counter and emit a begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_imaze_port'($*)) dnl
gen_require(`
type imaze_port_t;
')
dnl gen_require above declares the port type as a requirement so the rule resolves.
dontaudit $1 imaze_port_t:udp_socket send_msg;
dnl Exit bookkeeping: push the decremented counter (pushdef rather than popdef,
dnl as generated) and emit the matching end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_imaze_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the imaze port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_imaze_port',` dnl
dnl corenet_udp_receive_imaze_port(domain)
dnl Grants argument 1 recv_msg on udp_socket for imaze_port_t.
dnl NOTE(review): port-type recv_msg checks apply under the legacy
dnl (non-SECMARK) network controls; confirm the mode in use.
dnl Entry bookkeeping: push an incremented call-depth counter and emit a begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_imaze_port'($*)) dnl
gen_require(`
type imaze_port_t;
')
dnl gen_require above declares the port type as a requirement so the rule resolves.
allow $1 imaze_port_t:udp_socket recv_msg;
dnl Exit bookkeeping: push the decremented counter (pushdef rather than popdef,
dnl as generated) and emit the matching end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_imaze_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the imaze port.
##
## Suppresses the AVC denial record for udp_socket recv_msg to
## imaze_port_t; the access itself stays denied. Use only for known,
## benign noise, because it also hides the denial from audit-based
## detection. Suppressed denials reappear when dontaudit rules are
## disabled, e.g. semodule -DB.
##
## Parameter 1: Domain to not audit.
##
#
define(`corenet_dontaudit_udp_receive_imaze_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_imaze_port'($*)) dnl
gen_require(`
type imaze_port_t;
')
dontaudit $1 imaze_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_imaze_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the imaze port.
##
## Convenience wrapper: expands corenet_udp_send_imaze_port and
## corenet_udp_receive_imaze_port for the same domain, so the
## resulting grant is udp_socket send_msg and recv_msg on
## imaze_port_t. The required type declaration comes from those two
## interfaces; binding is still a separate grant.
##
## Parameter 1: Domain allowed access.
##
#
define(`corenet_udp_sendrecv_imaze_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_imaze_port'($*)) dnl
corenet_udp_send_imaze_port($1)
corenet_udp_receive_imaze_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_imaze_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the imaze port.
##
## Convenience wrapper: expands the dontaudit send and receive
## interfaces for imaze_port_t. The denials stay denials; only the
## audit records are suppressed, so apply it solely to known, benign
## noise, because it also hides the denials from audit-based detection.
##
## Parameter 1: Domain to not audit.
##
#
define(`corenet_dontaudit_udp_sendrecv_imaze_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_imaze_port'($*)) dnl
corenet_dontaudit_udp_send_imaze_port($1)
corenet_dontaudit_udp_receive_imaze_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_imaze_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the imaze port.
##
## Grants tcp_socket name_bind on imaze_port_t only. No
## net_bind_service capability is granted here, so on its own this
## is sufficient only for unreserved port numbers; compare the
## inetd_child bind interfaces in this file, which add the capability.
##
## Parameter 1: Domain allowed access.
##
#
define(`corenet_tcp_bind_imaze_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_imaze_port'($*)) dnl
gen_require(`
type imaze_port_t;
')
allow $1 imaze_port_t:tcp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_imaze_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the imaze port.
##
## Grants udp_socket name_bind on imaze_port_t only. No
## net_bind_service capability is granted here, so on its own this
## is sufficient only for unreserved port numbers; compare the
## inetd_child bind interfaces in this file, which add the capability.
##
## Parameter 1: Domain allowed access.
##
#
define(`corenet_udp_bind_imaze_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_imaze_port'($*)) dnl
gen_require(`
type imaze_port_t;
')
allow $1 imaze_port_t:udp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_imaze_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the imaze port.
##
## Grants tcp_socket name_connect to imaze_port_t, the permission
## checked when the domain connects to that port. The send_msg and
## recv_msg permissions on the port type are a separate grant,
## corenet_tcp_sendrecv_imaze_port.
##
## Parameter 1: Domain allowed access.
##
#
define(`corenet_tcp_connect_imaze_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_imaze_port'($*)) dnl
gen_require(`
type imaze_port_t;
')
allow $1 imaze_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_imaze_port'($*)) dnl
')
########################################
##
## Send imaze_client packets.
##
## Grants packet send on imaze_client_packet_t. Review note: packet
## class rules only take effect on traffic the firewall has labeled
## with this type via SECMARK; without such a rule the grant is inert,
## and with one it applies regardless of which port the socket uses.
##
## Parameter 1: Domain allowed access.
##
#
define(`corenet_send_imaze_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_imaze_client_packets'($*)) dnl
gen_require(`
type imaze_client_packet_t;
')
allow $1 imaze_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_imaze_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send imaze_client packets.
##
## Suppresses the AVC denial record for packet send on
## imaze_client_packet_t; the packet is still dropped. Use only for
## known, benign noise, because it also hides the denial from
## audit-based detection.
##
## Parameter 1: Domain to not audit.
##
#
define(`corenet_dontaudit_send_imaze_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_imaze_client_packets'($*)) dnl
gen_require(`
type imaze_client_packet_t;
')
dontaudit $1 imaze_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_imaze_client_packets'($*)) dnl
')
########################################
##
## Receive imaze_client packets.
##
## Grants packet recv on imaze_client_packet_t. Review note: packet
## class rules only take effect on traffic the firewall has labeled
## with this type via SECMARK; without such a rule the grant is inert.
##
## Parameter 1: Domain allowed access.
##
#
define(`corenet_receive_imaze_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_imaze_client_packets'($*)) dnl
gen_require(`
type imaze_client_packet_t;
')
allow $1 imaze_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_imaze_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive imaze_client packets.
##
## Suppresses the AVC denial record for packet recv on
## imaze_client_packet_t; the packet is still dropped. Use only for
## known, benign noise, because it also hides the denial from
## audit-based detection. Note this is a dontaudit rule, not an
## allow: the parameter is the domain whose denials are silenced.
##
## Parameter 1: Domain to not audit.
##
#
define(`corenet_dontaudit_receive_imaze_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_imaze_client_packets'($*)) dnl
gen_require(`
type imaze_client_packet_t;
')
dontaudit $1 imaze_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_imaze_client_packets'($*)) dnl
')
########################################
##
## Send and receive imaze_client packets.
##
## Convenience wrapper: expands corenet_send_imaze_client_packets and
## corenet_receive_imaze_client_packets for the same domain, giving
## packet send and recv on imaze_client_packet_t. The required type
## declaration comes from those two interfaces.
##
## Parameter 1: Domain allowed access.
##
#
define(`corenet_sendrecv_imaze_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_imaze_client_packets'($*)) dnl
corenet_send_imaze_client_packets($1)
corenet_receive_imaze_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_imaze_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive imaze_client packets.
##
## Convenience wrapper: expands the dontaudit send and receive
## interfaces for imaze_client_packet_t. The packets are still
## dropped; only the audit records are suppressed, so apply it solely
## to known, benign noise.
##
## Parameter 1: Domain to not audit.
##
#
define(`corenet_dontaudit_sendrecv_imaze_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_imaze_client_packets'($*)) dnl
corenet_dontaudit_send_imaze_client_packets($1)
corenet_dontaudit_receive_imaze_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_imaze_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the imaze_client packet type.
##
## Grants packet relabelto on imaze_client_packet_t, the permission
## needed to assign this SECMARK label to traffic. It is a labeling
## privilege, not a send or recv grant; presumably only the domain
## that loads the firewall rules applying the label should hold it,
## since whoever can relabel packets can change which packet rules
## govern them.
##
## Parameter 1: Domain allowed access.
##
#
define(`corenet_relabelto_imaze_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_imaze_client_packets'($*)) dnl
gen_require(`
type imaze_client_packet_t;
')
allow $1 imaze_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_imaze_client_packets'($*)) dnl
')
########################################
##
## Send imaze_server packets.
##
## Grants packet send on imaze_server_packet_t. Review note: packet
## class rules only take effect on traffic the firewall has labeled
## with this type via SECMARK; without such a rule the grant is inert.
##
## Parameter 1: Domain allowed access.
##
#
define(`corenet_send_imaze_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_imaze_server_packets'($*)) dnl
gen_require(`
type imaze_server_packet_t;
')
allow $1 imaze_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_imaze_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send imaze_server packets.
##
## Suppresses the AVC denial record for packet send on
## imaze_server_packet_t; the packet is still dropped. Use only for
## known, benign noise, because it also hides the denial from
## audit-based detection.
##
## Parameter 1: Domain to not audit.
##
#
define(`corenet_dontaudit_send_imaze_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_imaze_server_packets'($*)) dnl
gen_require(`
type imaze_server_packet_t;
')
dontaudit $1 imaze_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_imaze_server_packets'($*)) dnl
')
########################################
##
## Receive imaze_server packets.
##
## Grants packet recv on imaze_server_packet_t. Review note: packet
## class rules only take effect on traffic the firewall has labeled
## with this type via SECMARK; without such a rule the grant is inert.
##
## Parameter 1: Domain allowed access.
##
#
define(`corenet_receive_imaze_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_imaze_server_packets'($*)) dnl
gen_require(`
type imaze_server_packet_t;
')
allow $1 imaze_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_imaze_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive imaze_server packets.
##
## Suppresses the AVC denial record for packet recv on
## imaze_server_packet_t; the packet is still dropped. Use only for
## known, benign noise, because it also hides the denial from
## audit-based detection. Note this is a dontaudit rule, not an
## allow: the parameter is the domain whose denials are silenced.
##
## Parameter 1: Domain to not audit.
##
#
define(`corenet_dontaudit_receive_imaze_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_imaze_server_packets'($*)) dnl
gen_require(`
type imaze_server_packet_t;
')
dontaudit $1 imaze_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_imaze_server_packets'($*)) dnl
')
########################################
##
## Send and receive imaze_server packets.
##
## Convenience wrapper: expands corenet_send_imaze_server_packets and
## corenet_receive_imaze_server_packets for the same domain, giving
## packet send and recv on imaze_server_packet_t. The required type
## declaration comes from those two interfaces.
##
## Parameter 1: Domain allowed access.
##
#
define(`corenet_sendrecv_imaze_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_imaze_server_packets'($*)) dnl
corenet_send_imaze_server_packets($1)
corenet_receive_imaze_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_imaze_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive imaze_server packets.
##
## Convenience wrapper: expands the dontaudit send and receive
## interfaces for imaze_server_packet_t. The packets are still
## dropped; only the audit records are suppressed, so apply it solely
## to known, benign noise.
##
## Parameter 1: Domain to not audit.
##
#
define(`corenet_dontaudit_sendrecv_imaze_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_imaze_server_packets'($*)) dnl
corenet_dontaudit_send_imaze_server_packets($1)
corenet_dontaudit_receive_imaze_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_imaze_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the imaze_server packet type.
##
## Grants packet relabelto on imaze_server_packet_t, the permission
## needed to assign this SECMARK label to traffic. It is a labeling
## privilege, not a send or recv grant; presumably only the domain
## that loads the firewall rules applying the label should hold it,
## since whoever can relabel packets can change which packet rules
## govern them.
##
## Parameter 1: Domain allowed access.
##
#
define(`corenet_relabelto_imaze_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_imaze_server_packets'($*)) dnl
gen_require(`
type imaze_server_packet_t;
')
allow $1 imaze_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_imaze_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the inetd_child port.
##
## Grants tcp_socket send_msg and recv_msg to inetd_child_port_t in
## a single rule. Establishing or accepting the connection is not
## included: see corenet_tcp_connect_inetd_child_port and
## corenet_tcp_bind_inetd_child_port.
##
## Parameter 1: Domain allowed access.
##
#
define(`corenet_tcp_sendrecv_inetd_child_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_inetd_child_port'($*)) dnl
gen_require(`
type inetd_child_port_t;
')
allow $1 inetd_child_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_inetd_child_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the inetd_child port.
##
## Grants only udp_socket send_msg to the inetd_child_port_t port
## type. Receiving is corenet_udp_receive_inetd_child_port and
## binding is corenet_udp_bind_inetd_child_port; neither is implied.
##
## Parameter 1: Domain allowed access.
##
#
define(`corenet_udp_send_inetd_child_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_inetd_child_port'($*)) dnl
gen_require(`
type inetd_child_port_t;
')
allow $1 inetd_child_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_inetd_child_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the inetd_child port.
##
## Suppresses the AVC denial record for udp_socket send_msg to
## inetd_child_port_t; the access itself stays denied. Use only for
## known, benign noise, because it also hides the denial from
## audit-based detection. Suppressed denials reappear when dontaudit
## rules are disabled, e.g. semodule -DB.
##
## Parameter 1: Domain to not audit.
##
#
define(`corenet_dontaudit_udp_send_inetd_child_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_inetd_child_port'($*)) dnl
gen_require(`
type inetd_child_port_t;
')
dontaudit $1 inetd_child_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_inetd_child_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the inetd_child port.
##
## Grants only udp_socket recv_msg to the inetd_child_port_t port
## type. Sending is corenet_udp_send_inetd_child_port and binding is
## corenet_udp_bind_inetd_child_port; neither is implied.
##
## Parameter 1: Domain allowed access.
##
#
define(`corenet_udp_receive_inetd_child_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_inetd_child_port'($*)) dnl
gen_require(`
type inetd_child_port_t;
')
allow $1 inetd_child_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_inetd_child_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the inetd_child port.
##
## Suppresses the AVC denial record for udp_socket recv_msg to
## inetd_child_port_t; the access itself stays denied. Use only for
## known, benign noise, because it also hides the denial from
## audit-based detection. Suppressed denials reappear when dontaudit
## rules are disabled, e.g. semodule -DB.
##
## Parameter 1: Domain to not audit.
##
#
define(`corenet_dontaudit_udp_receive_inetd_child_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_inetd_child_port'($*)) dnl
gen_require(`
type inetd_child_port_t;
')
dontaudit $1 inetd_child_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_inetd_child_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the inetd_child port.
##
## Convenience wrapper: expands corenet_udp_send_inetd_child_port and
## corenet_udp_receive_inetd_child_port for the same domain, so the
## resulting grant is udp_socket send_msg and recv_msg on
## inetd_child_port_t. The required type declaration comes from those
## two interfaces; binding is still a separate grant.
##
## Parameter 1: Domain allowed access.
##
#
define(`corenet_udp_sendrecv_inetd_child_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_inetd_child_port'($*)) dnl
corenet_udp_send_inetd_child_port($1)
corenet_udp_receive_inetd_child_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_inetd_child_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the inetd_child port.
##
## Convenience wrapper: expands the dontaudit send and receive
## interfaces for inetd_child_port_t. The denials stay denials; only
## the audit records are suppressed, so apply it solely to known,
## benign noise, because it also hides the denials from audit-based
## detection.
##
## Parameter 1: Domain to not audit.
##
#
define(`corenet_dontaudit_udp_sendrecv_inetd_child_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_inetd_child_port'($*)) dnl
corenet_dontaudit_udp_send_inetd_child_port($1)
corenet_dontaudit_udp_receive_inetd_child_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_inetd_child_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the inetd_child port.
##
## Grants tcp_socket name_bind on inetd_child_port_t and, unlike the
## imaze bind interfaces in this file, also grants the domain the
## net_bind_service capability - presumably because the inetd_child
## port set includes reserved port numbers below 1024; confirm
## against the port declaration. Review note: the capability is
## domain-wide, not scoped to this port type. name_bind on other
## port types is still required, but once this is called the
## reserved-port half of the check is satisfied for any low port
## the domain is otherwise allowed to bind, so callers should hold
## it only where they really listen on the inetd_child ports.
##
## Parameter 1: Domain allowed access.
##
#
define(`corenet_tcp_bind_inetd_child_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_inetd_child_port'($*)) dnl
gen_require(`
type inetd_child_port_t;
')
allow $1 inetd_child_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_inetd_child_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the inetd_child port.
##
## Grants udp_socket name_bind on inetd_child_port_t and, unlike the
## imaze bind interfaces in this file, also grants the domain the
## net_bind_service capability - presumably because the inetd_child
## port set includes reserved port numbers below 1024; confirm
## against the port declaration. Review note: the capability is
## domain-wide, not scoped to this port type. name_bind on other
## port types is still required, but once this is called the
## reserved-port half of the check is satisfied for any low port
## the domain is otherwise allowed to bind, so callers should hold
## it only where they really listen on the inetd_child ports.
##
## Parameter 1: Domain allowed access.
##
#
define(`corenet_udp_bind_inetd_child_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_inetd_child_port'($*)) dnl
gen_require(`
type inetd_child_port_t;
')
allow $1 inetd_child_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_inetd_child_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the inetd_child port.
##
## Grants tcp_socket name_connect to inetd_child_port_t, the
## permission checked when the domain connects to that port. The
## send_msg and recv_msg permissions on the port type are a separate
## grant, corenet_tcp_sendrecv_inetd_child_port. No capability is
## granted here; connecting to a low port needs none.
##
## Parameter 1: Domain allowed access.
##
#
define(`corenet_tcp_connect_inetd_child_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_inetd_child_port'($*)) dnl
gen_require(`
type inetd_child_port_t;
')
allow $1 inetd_child_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_inetd_child_port'($*)) dnl
')
########################################
##
## Send inetd_child_client packets.
##
## Grants packet send on inetd_child_client_packet_t. Review note:
## packet class rules only take effect on traffic the firewall has
## labeled with this type via SECMARK; without such a rule the grant
## is inert.
##
## Parameter 1: Domain allowed access.
##
#
define(`corenet_send_inetd_child_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_inetd_child_client_packets'($*)) dnl
gen_require(`
type inetd_child_client_packet_t;
')
allow $1 inetd_child_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_inetd_child_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send inetd_child_client packets.
##
## Suppresses the AVC denial record for packet send on
## inetd_child_client_packet_t; the packet is still dropped. Use only
## for known, benign noise, because it also hides the denial from
## audit-based detection.
##
## Parameter 1: Domain to not audit.
##
#
define(`corenet_dontaudit_send_inetd_child_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_inetd_child_client_packets'($*)) dnl
gen_require(`
type inetd_child_client_packet_t;
')
dontaudit $1 inetd_child_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_inetd_child_client_packets'($*)) dnl
')
########################################
##
## Receive inetd_child_client packets.
##
## Grants packet recv on inetd_child_client_packet_t. Review note:
## packet class rules only take effect on traffic the firewall has
## labeled with this type via SECMARK; without such a rule the grant
## is inert.
##
## Parameter 1: Domain allowed access.
##
#
define(`corenet_receive_inetd_child_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_inetd_child_client_packets'($*)) dnl
gen_require(`
type inetd_child_client_packet_t;
')
allow $1 inetd_child_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_inetd_child_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive inetd_child_client packets.
##
## Suppresses the AVC denial record for packet recv on
## inetd_child_client_packet_t; the packet is still dropped. Use only
## for known, benign noise, because it also hides the denial from
## audit-based detection. Note this is a dontaudit rule, not an
## allow: the parameter is the domain whose denials are silenced.
##
## Parameter 1: Domain to not audit.
##
#
define(`corenet_dontaudit_receive_inetd_child_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_inetd_child_client_packets'($*)) dnl
gen_require(`
type inetd_child_client_packet_t;
')
dontaudit $1 inetd_child_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_inetd_child_client_packets'($*)) dnl
')
########################################
##
## Send and receive inetd_child_client packets.
##
## Convenience wrapper: expands corenet_send_inetd_child_client_packets
## and corenet_receive_inetd_child_client_packets for the same domain,
## giving packet send and recv on inetd_child_client_packet_t. The
## required type declaration comes from those two interfaces.
##
## Parameter 1: Domain allowed access.
##
#
define(`corenet_sendrecv_inetd_child_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_inetd_child_client_packets'($*)) dnl
corenet_send_inetd_child_client_packets($1)
corenet_receive_inetd_child_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_inetd_child_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive inetd_child_client packets.
##
## Convenience wrapper: expands the dontaudit send and receive
## interfaces for inetd_child_client_packet_t. The packets are still
## dropped; only the audit records are suppressed, so apply it solely
## to known, benign noise.
##
## Parameter 1: Domain to not audit.
##
#
define(`corenet_dontaudit_sendrecv_inetd_child_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_inetd_child_client_packets'($*)) dnl
corenet_dontaudit_send_inetd_child_client_packets($1)
corenet_dontaudit_receive_inetd_child_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_inetd_child_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the inetd_child_client packet type.
##
## Grants packet relabelto on inetd_child_client_packet_t, the
## permission needed to assign this SECMARK label to traffic. It is
## a labeling privilege, not a send or recv grant; presumably only
## the domain that loads the firewall rules applying the label should
## hold it, since whoever can relabel packets can change which packet
## rules govern them.
##
## Parameter 1: Domain allowed access.
##
#
define(`corenet_relabelto_inetd_child_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_inetd_child_client_packets'($*)) dnl
gen_require(`
type inetd_child_client_packet_t;
')
allow $1 inetd_child_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_inetd_child_client_packets'($*)) dnl
')
########################################
##
## Send inetd_child_server packets.
##
## Grants packet send on inetd_child_server_packet_t. Review note:
## packet class rules only take effect on traffic the firewall has
## labeled with this type via SECMARK; without such a rule the grant
## is inert.
##
## Parameter 1: Domain allowed access.
##
#
define(`corenet_send_inetd_child_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_inetd_child_server_packets'($*)) dnl
gen_require(`
type inetd_child_server_packet_t;
')
allow $1 inetd_child_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_inetd_child_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send inetd_child_server packets.
##
## Suppresses the AVC denial record for packet send on
## inetd_child_server_packet_t; the packet is still dropped. Use only
## for known, benign noise, because it also hides the denial from
## audit-based detection.
##
## Parameter 1: Domain to not audit.
##
#
define(`corenet_dontaudit_send_inetd_child_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_inetd_child_server_packets'($*)) dnl
gen_require(`
type inetd_child_server_packet_t;
')
dontaudit $1 inetd_child_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_inetd_child_server_packets'($*)) dnl
')
########################################
##
## Receive inetd_child_server packets.
##
## Grants packet recv on inetd_child_server_packet_t. Review note:
## packet class rules only take effect on traffic the firewall has
## labeled with this type via SECMARK; without such a rule the grant
## is inert.
##
## Parameter 1: Domain allowed access.
##
#
define(`corenet_receive_inetd_child_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_inetd_child_server_packets'($*)) dnl
gen_require(`
type inetd_child_server_packet_t;
')
allow $1 inetd_child_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_inetd_child_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive inetd_child_server packets.
##
## Suppresses the AVC denial record for packet recv on
## inetd_child_server_packet_t; the packet is still dropped. Use only
## for known, benign noise, because it also hides the denial from
## audit-based detection. Note this is a dontaudit rule, not an
## allow: the parameter is the domain whose denials are silenced.
##
## Parameter 1: Domain to not audit.
##
#
define(`corenet_dontaudit_receive_inetd_child_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_inetd_child_server_packets'($*)) dnl
gen_require(`
type inetd_child_server_packet_t;
')
dontaudit $1 inetd_child_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_inetd_child_server_packets'($*)) dnl
')
########################################
##
## Send and receive inetd_child_server packets.
##
## Convenience wrapper: expands corenet_send_inetd_child_server_packets
## and corenet_receive_inetd_child_server_packets for the same domain,
## giving packet send and recv on inetd_child_server_packet_t. The
## required type declaration comes from those two interfaces.
##
## Parameter 1: Domain allowed access.
##
#
define(`corenet_sendrecv_inetd_child_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_inetd_child_server_packets'($*)) dnl
corenet_send_inetd_child_server_packets($1)
corenet_receive_inetd_child_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_inetd_child_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive inetd_child_server packets.
##
## Convenience wrapper: expands the dontaudit send and receive
## interfaces for inetd_child_server_packet_t. The packets are still
## dropped; only the audit records are suppressed, so apply it solely
## to known, benign noise.
##
## Parameter 1: Domain to not audit.
##
#
define(`corenet_dontaudit_sendrecv_inetd_child_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_inetd_child_server_packets'($*)) dnl
corenet_dontaudit_send_inetd_child_server_packets($1)
corenet_dontaudit_receive_inetd_child_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_inetd_child_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the inetd_child_server packet type.
##
## Grants packet relabelto on inetd_child_server_packet_t, the
## permission needed to assign this SECMARK label to traffic. It is
## a labeling privilege, not a send or recv grant; presumably only
## the domain that loads the firewall rules applying the label should
## hold it, since whoever can relabel packets can change which packet
## rules govern them.
##
## Parameter 1: Domain allowed access.
##
#
define(`corenet_relabelto_inetd_child_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_inetd_child_server_packets'($*)) dnl
gen_require(`
type inetd_child_server_packet_t;
')
allow $1 inetd_child_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_inetd_child_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the innd port.
##
## Grants send_msg and recv_msg on tcp_socket for ports labeled
## innd_port_t. Binding to or connecting to the port is not
## included; use the bind and connect interfaces for that.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_innd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_innd_port'($*)) dnl
gen_require(`
type innd_port_t;
')
# Traffic in both directions in a single rule; no bind or connect.
allow $1 innd_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_innd_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the innd port.
##
## Grants send_msg only on udp_socket for ports labeled innd_port_t;
## receiving needs corenet_udp_receive_innd_port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_innd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_innd_port'($*)) dnl
gen_require(`
type innd_port_t;
')
# Outbound UDP datagrams only.
allow $1 innd_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_innd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the innd port.
##
## Suppresses AVC denials for send_msg on udp_socket to innd_port_t;
## no access is granted.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_innd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_innd_port'($*)) dnl
gen_require(`
type innd_port_t;
')
# dontaudit silences denials in the audit log without allowing them, so a
# hidden access attempt is also invisible to detection - keep it narrow.
dontaudit $1 innd_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_innd_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the innd port.
##
## Grants recv_msg only on udp_socket for ports labeled innd_port_t;
## sending needs corenet_udp_send_innd_port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_innd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_innd_port'($*)) dnl
gen_require(`
type innd_port_t;
')
# Inbound UDP datagrams only.
allow $1 innd_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_innd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the innd port.
##
## Suppresses AVC denials for recv_msg on udp_socket from innd_port_t;
## no access is granted.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_innd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_innd_port'($*)) dnl
gen_require(`
type innd_port_t;
')
# dontaudit silences denials in the audit log without allowing them, so a
# hidden access attempt is also invisible to detection - keep it narrow.
dontaudit $1 innd_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_innd_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the innd port.
##
## Composite of corenet_udp_send_innd_port and
## corenet_udp_receive_innd_port; calling this is the same as
## calling both.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_innd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_innd_port'($*)) dnl
# Both UDP directions; no bind is granted here.
corenet_udp_send_innd_port($1)
corenet_udp_receive_innd_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_innd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the innd port.
##
## Composite of the two dontaudit UDP interfaces for the innd port.
## Only suppresses AVC denial records; no access is granted.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_innd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_innd_port'($*)) dnl
# dontaudit silences denials in the audit log without allowing them, so a
# hidden access attempt is also invisible to detection - keep it narrow.
corenet_dontaudit_udp_send_innd_port($1)
corenet_dontaudit_udp_receive_innd_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_innd_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the innd port.
##
## Grants name_bind on tcp_socket for ports labeled innd_port_t
## together with the net_bind_service capability on the caller.
## NOTE(review): net_bind_service is a process-wide capability, not
## scoped to this port - it permits binding any port below 1024 - so
## grant this only to the daemon that actually listens on innd.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_innd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_innd_port'($*)) dnl
gen_require(`
type innd_port_t;
')
# name_bind is the per-port check; the capability rule below is broader
# than this port and should be weighed when auditing the caller domain.
allow $1 innd_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_innd_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the innd port.
##
## Grants name_bind on udp_socket for ports labeled innd_port_t
## together with the net_bind_service capability on the caller.
## NOTE(review): net_bind_service is a process-wide capability, not
## scoped to this port - it permits binding any port below 1024 - so
## grant this only to the daemon that actually listens on innd.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_innd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_innd_port'($*)) dnl
gen_require(`
type innd_port_t;
')
# name_bind is the per-port check; the capability rule below is broader
# than this port and should be weighed when auditing the caller domain.
allow $1 innd_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_innd_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the innd port.
##
## Grants name_connect on tcp_socket for ports labeled innd_port_t,
## the outbound-connection check. Sending and receiving on the port
## is covered separately by corenet_tcp_sendrecv_innd_port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_innd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_innd_port'($*)) dnl
gen_require(`
type innd_port_t;
')
# Outbound connect only; no bind and no traffic rule.
allow $1 innd_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_innd_port'($*)) dnl
')
########################################
##
## Send innd_client packets.
##
## Grants packet send on innd_client_packet_t. The packet class is the
## SECMARK label set by netfilter, so this rule only has effect where
## traffic is actually labeled innd_client_packet_t.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_innd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_innd_client_packets'($*)) dnl
gen_require(`
type innd_client_packet_t;
')
# Outbound packets only; receive is a separate interface.
allow $1 innd_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_innd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send innd_client packets.
##
## Suppresses AVC denials for packet send on innd_client_packet_t;
## no access is granted.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_innd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_innd_client_packets'($*)) dnl
gen_require(`
type innd_client_packet_t;
')
# dontaudit silences denials in the audit log without allowing them, so a
# hidden access attempt is also invisible to detection - keep it narrow.
dontaudit $1 innd_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_innd_client_packets'($*)) dnl
')
########################################
##
## Receive innd_client packets.
##
## Grants packet recv on innd_client_packet_t. The packet class is the
## SECMARK label set by netfilter, so this rule only has effect where
## traffic is actually labeled innd_client_packet_t.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_innd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_innd_client_packets'($*)) dnl
gen_require(`
type innd_client_packet_t;
')
# Inbound packets only; send is a separate interface.
allow $1 innd_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_innd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive innd_client packets.
##
## Suppresses AVC denials for packet recv on innd_client_packet_t;
## no access is granted.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_innd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_innd_client_packets'($*)) dnl
gen_require(`
type innd_client_packet_t;
')
# dontaudit silences denials in the audit log without allowing them, so a
# hidden access attempt is also invisible to detection - keep it narrow.
dontaudit $1 innd_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_innd_client_packets'($*)) dnl
')
########################################
##
## Send and receive innd_client packets.
##
## Composite of corenet_send_innd_client_packets and
## corenet_receive_innd_client_packets; calling this is the same as
## calling both.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_innd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_innd_client_packets'($*)) dnl
# Both directions of the packet class check for innd_client_packet_t,
# the SECMARK label applied by netfilter rules.
corenet_send_innd_client_packets($1)
corenet_receive_innd_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_innd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive innd_client packets.
##
## Composite of the dontaudit send and receive interfaces for
## innd_client packets. Only suppresses the AVC denial records;
## no access is granted.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_innd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_innd_client_packets'($*)) dnl
# dontaudit silences denials in the audit log without allowing them, so a
# hidden access attempt is also invisible to detection - keep it narrow.
corenet_dontaudit_send_innd_client_packets($1)
corenet_dontaudit_receive_innd_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_innd_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the innd_client packet type.
##
## Grants packet relabelto on innd_client_packet_t only;
## relabelfrom on the source type is not granted by this interface.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_innd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_innd_client_packets'($*)) dnl
gen_require(`
type innd_client_packet_t;
')
# relabelto covers changing a packet label to this type; the caller
# still needs relabelfrom on the old type from elsewhere.
allow $1 innd_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_innd_client_packets'($*)) dnl
')
########################################
##
## Send innd_server packets.
##
## Grants packet send on innd_server_packet_t. The packet class is the
## SECMARK label set by netfilter, so this rule only has effect where
## traffic is actually labeled innd_server_packet_t.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_innd_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_innd_server_packets'($*)) dnl
gen_require(`
type innd_server_packet_t;
')
# Outbound packets only; receive is a separate interface.
allow $1 innd_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_innd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send innd_server packets.
##
## Suppresses AVC denials for packet send on innd_server_packet_t;
## no access is granted.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_innd_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_innd_server_packets'($*)) dnl
gen_require(`
type innd_server_packet_t;
')
# dontaudit silences denials in the audit log without allowing them, so a
# hidden access attempt is also invisible to detection - keep it narrow.
dontaudit $1 innd_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_innd_server_packets'($*)) dnl
')
########################################
##
## Receive innd_server packets.
##
## Grants packet recv on innd_server_packet_t. The packet class is the
## SECMARK label set by netfilter, so this rule only has effect where
## traffic is actually labeled innd_server_packet_t.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_innd_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_innd_server_packets'($*)) dnl
gen_require(`
type innd_server_packet_t;
')
# Inbound packets only; send is a separate interface.
allow $1 innd_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_innd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive innd_server packets.
##
## Suppresses AVC denials for packet recv on innd_server_packet_t;
## no access is granted.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_innd_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_innd_server_packets'($*)) dnl
gen_require(`
type innd_server_packet_t;
')
# dontaudit silences denials in the audit log without allowing them, so a
# hidden access attempt is also invisible to detection - keep it narrow.
dontaudit $1 innd_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_innd_server_packets'($*)) dnl
')
########################################
##
## Send and receive innd_server packets.
##
## Composite of corenet_send_innd_server_packets and
## corenet_receive_innd_server_packets; calling this is the same as
## calling both.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_innd_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_innd_server_packets'($*)) dnl
# Both directions of the packet class check for innd_server_packet_t,
# the SECMARK label applied by netfilter rules.
corenet_send_innd_server_packets($1)
corenet_receive_innd_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_innd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive innd_server packets.
##
## Composite of the dontaudit send and receive interfaces for
## innd_server packets. Only suppresses the AVC denial records;
## no access is granted.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_innd_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_innd_server_packets'($*)) dnl
# dontaudit silences denials in the audit log without allowing them, so a
# hidden access attempt is also invisible to detection - keep it narrow.
corenet_dontaudit_send_innd_server_packets($1)
corenet_dontaudit_receive_innd_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_innd_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the innd_server packet type.
##
## Grants packet relabelto on innd_server_packet_t only;
## relabelfrom on the source type is not granted by this interface.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_innd_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_innd_server_packets'($*)) dnl
gen_require(`
type innd_server_packet_t;
')
# relabelto covers changing a packet label to this type; the caller
# still needs relabelfrom on the old type from elsewhere.
allow $1 innd_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_innd_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the ipp port.
##
## Grants send_msg and recv_msg on tcp_socket for ports labeled
## ipp_port_t. Binding to or connecting to the port is not
## included; use the bind and connect interfaces for that.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_ipp_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ipp_port'($*)) dnl
gen_require(`
type ipp_port_t;
')
# Traffic in both directions in a single rule; no bind or connect.
allow $1 ipp_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ipp_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the ipp port.
##
## Grants send_msg only on udp_socket for ports labeled ipp_port_t;
## receiving needs corenet_udp_receive_ipp_port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_ipp_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ipp_port'($*)) dnl
gen_require(`
type ipp_port_t;
')
# Outbound UDP datagrams only.
allow $1 ipp_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_ipp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the ipp port.
##
## Suppresses AVC denials for send_msg on udp_socket to ipp_port_t;
## no access is granted.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_ipp_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ipp_port'($*)) dnl
gen_require(`
type ipp_port_t;
')
# dontaudit silences denials in the audit log without allowing them, so a
# hidden access attempt is also invisible to detection - keep it narrow.
dontaudit $1 ipp_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ipp_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the ipp port.
##
## Grants recv_msg only on udp_socket for ports labeled ipp_port_t;
## sending needs corenet_udp_send_ipp_port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_ipp_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ipp_port'($*)) dnl
gen_require(`
type ipp_port_t;
')
# Inbound UDP datagrams only.
allow $1 ipp_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ipp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the ipp port.
##
## Suppresses AVC denials for recv_msg on udp_socket from ipp_port_t;
## no access is granted.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_ipp_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ipp_port'($*)) dnl
gen_require(`
type ipp_port_t;
')
# dontaudit silences denials in the audit log without allowing them, so a
# hidden access attempt is also invisible to detection - keep it narrow.
dontaudit $1 ipp_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ipp_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the ipp port.
##
## Composite of corenet_udp_send_ipp_port and
## corenet_udp_receive_ipp_port; calling this is the same as
## calling both.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_ipp_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ipp_port'($*)) dnl
# Both UDP directions; no bind is granted here.
corenet_udp_send_ipp_port($1)
corenet_udp_receive_ipp_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ipp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the ipp port.
##
## Composite of the two dontaudit UDP interfaces for the ipp port.
## Only suppresses AVC denial records; no access is granted.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_ipp_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ipp_port'($*)) dnl
# dontaudit silences denials in the audit log without allowing them, so a
# hidden access attempt is also invisible to detection - keep it narrow.
corenet_dontaudit_udp_send_ipp_port($1)
corenet_dontaudit_udp_receive_ipp_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ipp_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the ipp port.
##
## Grants name_bind on tcp_socket for ports labeled ipp_port_t
## together with the net_bind_service capability on the caller.
## NOTE(review): net_bind_service is a process-wide capability, not
## scoped to this port - it permits binding any port below 1024 - so
## grant this only to the daemon that actually listens on ipp.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_ipp_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ipp_port'($*)) dnl
gen_require(`
type ipp_port_t;
')
# name_bind is the per-port check; the capability rule below is broader
# than this port and should be weighed when auditing the caller domain.
allow $1 ipp_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ipp_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the ipp port.
##
## Grants name_bind on udp_socket for ports labeled ipp_port_t
## together with the net_bind_service capability on the caller.
## NOTE(review): net_bind_service is a process-wide capability, not
## scoped to this port - it permits binding any port below 1024 - so
## grant this only to the daemon that actually listens on ipp.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_ipp_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ipp_port'($*)) dnl
gen_require(`
type ipp_port_t;
')
# name_bind is the per-port check; the capability rule below is broader
# than this port and should be weighed when auditing the caller domain.
allow $1 ipp_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ipp_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the ipp port.
##
## Grants name_connect on tcp_socket for ports labeled ipp_port_t,
## the outbound-connection check. Sending and receiving on the port
## is covered separately by corenet_tcp_sendrecv_ipp_port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_ipp_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ipp_port'($*)) dnl
gen_require(`
type ipp_port_t;
')
# Outbound connect only; no bind and no traffic rule.
allow $1 ipp_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ipp_port'($*)) dnl
')
########################################
##
## Send ipp_client packets.
##
## Grants packet send on ipp_client_packet_t. The packet class is the
## SECMARK label set by netfilter, so this rule only has effect where
## traffic is actually labeled ipp_client_packet_t.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_ipp_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ipp_client_packets'($*)) dnl
gen_require(`
type ipp_client_packet_t;
')
# Outbound packets only; receive is a separate interface.
allow $1 ipp_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ipp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send ipp_client packets.
##
## Suppresses AVC denials for packet send on ipp_client_packet_t;
## no access is granted.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_ipp_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ipp_client_packets'($*)) dnl
gen_require(`
type ipp_client_packet_t;
')
# dontaudit silences denials in the audit log without allowing them, so a
# hidden access attempt is also invisible to detection - keep it narrow.
dontaudit $1 ipp_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ipp_client_packets'($*)) dnl
')
########################################
##
## Receive ipp_client packets.
##
## Grants packet recv on ipp_client_packet_t. The packet class is the
## SECMARK label set by netfilter, so this rule only has effect where
## traffic is actually labeled ipp_client_packet_t.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_ipp_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ipp_client_packets'($*)) dnl
gen_require(`
type ipp_client_packet_t;
')
# Inbound packets only; send is a separate interface.
allow $1 ipp_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ipp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive ipp_client packets.
##
## Suppresses AVC denials for packet recv on ipp_client_packet_t;
## no access is granted.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_ipp_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ipp_client_packets'($*)) dnl
gen_require(`
type ipp_client_packet_t;
')
# dontaudit silences denials in the audit log without allowing them, so a
# hidden access attempt is also invisible to detection - keep it narrow.
dontaudit $1 ipp_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ipp_client_packets'($*)) dnl
')
########################################
##
## Send and receive ipp_client packets.
##
## Composite of corenet_send_ipp_client_packets and
## corenet_receive_ipp_client_packets; calling this is the same as
## calling both.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_ipp_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ipp_client_packets'($*)) dnl
# Both directions of the packet class check for ipp_client_packet_t,
# the SECMARK label applied by netfilter rules.
corenet_send_ipp_client_packets($1)
corenet_receive_ipp_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ipp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive ipp_client packets.
##
## Composite of the dontaudit send and receive interfaces for
## ipp_client packets. Only suppresses the AVC denial records;
## no access is granted.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_ipp_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ipp_client_packets'($*)) dnl
# dontaudit silences denials in the audit log without allowing them, so a
# hidden access attempt is also invisible to detection - keep it narrow.
corenet_dontaudit_send_ipp_client_packets($1)
corenet_dontaudit_receive_ipp_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ipp_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the ipp_client packet type.
##
## Grants packet relabelto on ipp_client_packet_t only;
## relabelfrom on the source type is not granted by this interface.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_ipp_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ipp_client_packets'($*)) dnl
gen_require(`
type ipp_client_packet_t;
')
# relabelto covers changing a packet label to this type; the caller
# still needs relabelfrom on the old type from elsewhere.
allow $1 ipp_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ipp_client_packets'($*)) dnl
')
########################################
##
## Send ipp_server packets.
##
## Grants packet send on ipp_server_packet_t. The packet class is the
## SECMARK label set by netfilter, so this rule only has effect where
## traffic is actually labeled ipp_server_packet_t.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_ipp_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ipp_server_packets'($*)) dnl
gen_require(`
type ipp_server_packet_t;
')
# Outbound packets only; receive is a separate interface.
allow $1 ipp_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ipp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send ipp_server packets.
##
## Suppresses AVC denials for packet send on ipp_server_packet_t;
## no access is granted.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_ipp_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ipp_server_packets'($*)) dnl
gen_require(`
type ipp_server_packet_t;
')
# dontaudit silences denials in the audit log without allowing them, so a
# hidden access attempt is also invisible to detection - keep it narrow.
dontaudit $1 ipp_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ipp_server_packets'($*)) dnl
')
########################################
##
## Receive ipp_server packets.
##
## Grants packet recv on ipp_server_packet_t. The packet class is the
## SECMARK label set by netfilter, so this rule only has effect where
## traffic is actually labeled ipp_server_packet_t.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_ipp_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ipp_server_packets'($*)) dnl
gen_require(`
type ipp_server_packet_t;
')
# Inbound packets only; send is a separate interface.
allow $1 ipp_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ipp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive ipp_server packets.
##
## Suppresses AVC denials for packet recv on ipp_server_packet_t;
## no access is granted.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_ipp_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ipp_server_packets'($*)) dnl
gen_require(`
type ipp_server_packet_t;
')
# dontaudit silences denials in the audit log without allowing them, so a
# hidden access attempt is also invisible to detection - keep it narrow.
dontaudit $1 ipp_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ipp_server_packets'($*)) dnl
')
########################################
##
## Send and receive ipp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_ipp_server_packets',` dnl
dnl Interface corenet_sendrecv_ipp_server_packets(domain): convenience wrapper
dnl that calls the send and receive interfaces for ipp_server_packet_t with the
dnl same $1. No gen_require here; each callee declares its own requirement.
dnl The define/pushdef/undefine lines only track policy_call_depth for the
dnl policy_m4_comment begin/end trace.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ipp_server_packets'($*)) dnl
corenet_send_ipp_server_packets($1)
corenet_receive_ipp_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ipp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive ipp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_ipp_server_packets',` dnl
dnl Interface corenet_dontaudit_sendrecv_ipp_server_packets(domain): wrapper
dnl that applies both dontaudit interfaces for ipp_server_packet_t to $1.
dnl Nothing is granted; only the send and recv denials stop being logged.
dnl The define/pushdef/undefine lines only track policy_call_depth for the
dnl policy_m4_comment begin/end trace.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ipp_server_packets'($*)) dnl
corenet_dontaudit_send_ipp_server_packets($1)
corenet_dontaudit_receive_ipp_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ipp_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the ipp_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_ipp_server_packets',` dnl
dnl Interface corenet_relabelto_ipp_server_packets(domain): grants $1
dnl "packet relabelto" on ipp_server_packet_t, i.e. the right to assign this
dnl SECMARK label to packets. This is a labelling privilege, normally reserved
dnl for the firewall-administration domain rather than ordinary services.
dnl The define/pushdef/undefine lines only track policy_call_depth for the
dnl policy_m4_comment begin/end trace.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ipp_server_packets'($*)) dnl
gen_require(`
type ipp_server_packet_t;
')
allow $1 ipp_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ipp_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the ircd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_ircd_port',` dnl
dnl Interface corenet_tcp_sendrecv_ircd_port(domain): grants $1 send_msg and
dnl recv_msg on tcp_socket for ircd_port_t, i.e. exchanging TCP data on the ircd
dnl port. It grants neither name_bind nor name_connect; those are separate
dnl interfaces below.
dnl The define/pushdef/undefine lines only track policy_call_depth for the
dnl policy_m4_comment begin/end trace.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ircd_port'($*)) dnl
gen_require(`
type ircd_port_t;
')
allow $1 ircd_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ircd_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the ircd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_ircd_port',` dnl
dnl Interface corenet_udp_send_ircd_port(domain): grants $1 send_msg on
dnl udp_socket for ircd_port_t (send UDP datagrams to the ircd port).
dnl The define/pushdef/undefine lines only track policy_call_depth for the
dnl policy_m4_comment begin/end trace.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ircd_port'($*)) dnl
gen_require(`
type ircd_port_t;
')
allow $1 ircd_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_ircd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the ircd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_ircd_port',` dnl
dnl Interface corenet_dontaudit_udp_send_ircd_port(domain): suppresses the AVC
dnl audit record when $1 is denied send_msg on udp_socket for ircd_port_t.
dnl dontaudit grants nothing; the denial is merely not logged.
dnl The define/pushdef/undefine lines only track policy_call_depth for the
dnl policy_m4_comment begin/end trace.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ircd_port'($*)) dnl
gen_require(`
type ircd_port_t;
')
dontaudit $1 ircd_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ircd_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the ircd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_ircd_port',` dnl
dnl Interface corenet_udp_receive_ircd_port(domain): grants $1 recv_msg on
dnl udp_socket for ircd_port_t (receive UDP datagrams on the ircd port).
dnl The define/pushdef/undefine lines only track policy_call_depth for the
dnl policy_m4_comment begin/end trace.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ircd_port'($*)) dnl
gen_require(`
type ircd_port_t;
')
allow $1 ircd_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ircd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the ircd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_ircd_port',` dnl
dnl Interface corenet_dontaudit_udp_receive_ircd_port(domain): suppresses the
dnl AVC audit record when $1 is denied recv_msg on udp_socket for ircd_port_t.
dnl dontaudit grants nothing; the denial is merely not logged.
dnl The define/pushdef/undefine lines only track policy_call_depth for the
dnl policy_m4_comment begin/end trace.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ircd_port'($*)) dnl
gen_require(`
type ircd_port_t;
')
dontaudit $1 ircd_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ircd_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the ircd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_ircd_port',` dnl
dnl Interface corenet_udp_sendrecv_ircd_port(domain): convenience wrapper that
dnl calls the UDP send and receive interfaces for ircd_port_t with the same $1.
dnl No gen_require here; each callee declares its own requirement.
dnl The define/pushdef/undefine lines only track policy_call_depth for the
dnl policy_m4_comment begin/end trace.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ircd_port'($*)) dnl
corenet_udp_send_ircd_port($1)
corenet_udp_receive_ircd_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ircd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the ircd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_ircd_port',` dnl
dnl Interface corenet_dontaudit_udp_sendrecv_ircd_port(domain): wrapper that
dnl applies both UDP dontaudit interfaces for ircd_port_t to $1. Nothing is
dnl granted; only the send_msg and recv_msg denials stop being logged.
dnl The define/pushdef/undefine lines only track policy_call_depth for the
dnl policy_m4_comment begin/end trace.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ircd_port'($*)) dnl
corenet_dontaudit_udp_send_ircd_port($1)
corenet_dontaudit_udp_receive_ircd_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ircd_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the ircd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_ircd_port',` dnl
dnl Interface corenet_tcp_bind_ircd_port(domain): grants $1 name_bind on
dnl tcp_socket for ircd_port_t (listen on the ircd port). Unlike the isakmp bind
dnl interfaces later in this file, no net_bind_service capability is granted.
dnl The define/pushdef/undefine lines only track policy_call_depth for the
dnl policy_m4_comment begin/end trace.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ircd_port'($*)) dnl
gen_require(`
type ircd_port_t;
')
allow $1 ircd_port_t:tcp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ircd_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the ircd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_ircd_port',` dnl
dnl Interface corenet_udp_bind_ircd_port(domain): grants $1 name_bind on
dnl udp_socket for ircd_port_t. No capability is granted alongside it.
dnl The define/pushdef/undefine lines only track policy_call_depth for the
dnl policy_m4_comment begin/end trace.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ircd_port'($*)) dnl
gen_require(`
type ircd_port_t;
')
allow $1 ircd_port_t:udp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ircd_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the ircd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_ircd_port',` dnl
dnl Interface corenet_tcp_connect_ircd_port(domain): grants $1 name_connect on
dnl tcp_socket for ircd_port_t (outbound TCP connection to the ircd port).
dnl Data transfer after connecting needs the separate tcp_sendrecv interface.
dnl The define/pushdef/undefine lines only track policy_call_depth for the
dnl policy_m4_comment begin/end trace.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ircd_port'($*)) dnl
gen_require(`
type ircd_port_t;
')
allow $1 ircd_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ircd_port'($*)) dnl
')
########################################
##
## Send ircd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_ircd_client_packets',` dnl
dnl Interface corenet_send_ircd_client_packets(domain): grants $1
dnl "packet send" on ircd_client_packet_t (SECMARK-labelled outbound packets).
dnl The define/pushdef/undefine lines only track policy_call_depth for the
dnl policy_m4_comment begin/end trace.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ircd_client_packets'($*)) dnl
gen_require(`
type ircd_client_packet_t;
')
allow $1 ircd_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ircd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send ircd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_ircd_client_packets',` dnl
dnl Interface corenet_dontaudit_send_ircd_client_packets(domain): suppresses
dnl the AVC audit record when $1 is denied "packet send" on
dnl ircd_client_packet_t. dontaudit grants nothing; the denial is not logged.
dnl The define/pushdef/undefine lines only track policy_call_depth for the
dnl policy_m4_comment begin/end trace.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ircd_client_packets'($*)) dnl
gen_require(`
type ircd_client_packet_t;
')
dontaudit $1 ircd_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ircd_client_packets'($*)) dnl
')
########################################
##
## Receive ircd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_ircd_client_packets',` dnl
dnl Interface corenet_receive_ircd_client_packets(domain): grants $1
dnl "packet recv" on ircd_client_packet_t (SECMARK-labelled inbound packets).
dnl The define/pushdef/undefine lines only track policy_call_depth for the
dnl policy_m4_comment begin/end trace.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ircd_client_packets'($*)) dnl
gen_require(`
type ircd_client_packet_t;
')
allow $1 ircd_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ircd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive ircd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_ircd_client_packets',` dnl
dnl Interface corenet_dontaudit_receive_ircd_client_packets(domain): suppresses
dnl the AVC audit record when $1 is denied "packet recv" on
dnl ircd_client_packet_t. dontaudit grants nothing; the denial is not logged.
dnl The define/pushdef/undefine lines only track policy_call_depth for the
dnl policy_m4_comment begin/end trace.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ircd_client_packets'($*)) dnl
gen_require(`
type ircd_client_packet_t;
')
dontaudit $1 ircd_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ircd_client_packets'($*)) dnl
')
########################################
##
## Send and receive ircd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_ircd_client_packets',` dnl
dnl Interface corenet_sendrecv_ircd_client_packets(domain): convenience wrapper
dnl that calls the send and receive interfaces for ircd_client_packet_t with
dnl the same $1. No gen_require here; each callee declares its own requirement.
dnl The define/pushdef/undefine lines only track policy_call_depth for the
dnl policy_m4_comment begin/end trace.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ircd_client_packets'($*)) dnl
corenet_send_ircd_client_packets($1)
corenet_receive_ircd_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ircd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive ircd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_ircd_client_packets',` dnl
dnl Interface corenet_dontaudit_sendrecv_ircd_client_packets(domain): wrapper
dnl that applies both dontaudit interfaces for ircd_client_packet_t to $1.
dnl Nothing is granted; only the send and recv denials stop being logged.
dnl The define/pushdef/undefine lines only track policy_call_depth for the
dnl policy_m4_comment begin/end trace.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ircd_client_packets'($*)) dnl
corenet_dontaudit_send_ircd_client_packets($1)
corenet_dontaudit_receive_ircd_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ircd_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the ircd_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_ircd_client_packets',` dnl
dnl Interface corenet_relabelto_ircd_client_packets(domain): grants $1
dnl "packet relabelto" on ircd_client_packet_t, i.e. the right to assign this
dnl SECMARK label to packets. A labelling privilege, normally reserved for the
dnl firewall-administration domain rather than ordinary services.
dnl The define/pushdef/undefine lines only track policy_call_depth for the
dnl policy_m4_comment begin/end trace.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ircd_client_packets'($*)) dnl
gen_require(`
type ircd_client_packet_t;
')
allow $1 ircd_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ircd_client_packets'($*)) dnl
')
########################################
##
## Send ircd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_ircd_server_packets',` dnl
dnl Interface corenet_send_ircd_server_packets(domain): grants $1
dnl "packet send" on ircd_server_packet_t (SECMARK-labelled outbound packets).
dnl The define/pushdef/undefine lines only track policy_call_depth for the
dnl policy_m4_comment begin/end trace.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ircd_server_packets'($*)) dnl
gen_require(`
type ircd_server_packet_t;
')
allow $1 ircd_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ircd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send ircd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_ircd_server_packets',` dnl
dnl Interface corenet_dontaudit_send_ircd_server_packets(domain): suppresses
dnl the AVC audit record when $1 is denied "packet send" on
dnl ircd_server_packet_t. dontaudit grants nothing; the denial is not logged.
dnl The define/pushdef/undefine lines only track policy_call_depth for the
dnl policy_m4_comment begin/end trace.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ircd_server_packets'($*)) dnl
gen_require(`
type ircd_server_packet_t;
')
dontaudit $1 ircd_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ircd_server_packets'($*)) dnl
')
########################################
##
## Receive ircd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_ircd_server_packets',` dnl
dnl Interface corenet_receive_ircd_server_packets(domain): grants $1
dnl "packet recv" on ircd_server_packet_t (SECMARK-labelled inbound packets).
dnl The define/pushdef/undefine lines only track policy_call_depth for the
dnl policy_m4_comment begin/end trace.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ircd_server_packets'($*)) dnl
gen_require(`
type ircd_server_packet_t;
')
allow $1 ircd_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ircd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive ircd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_ircd_server_packets',` dnl
dnl Interface corenet_dontaudit_receive_ircd_server_packets(domain): suppresses
dnl the AVC audit record when $1 is denied "packet recv" on
dnl ircd_server_packet_t. dontaudit grants nothing; the denial is not logged.
dnl The define/pushdef/undefine lines only track policy_call_depth for the
dnl policy_m4_comment begin/end trace.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ircd_server_packets'($*)) dnl
gen_require(`
type ircd_server_packet_t;
')
dontaudit $1 ircd_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ircd_server_packets'($*)) dnl
')
########################################
##
## Send and receive ircd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_ircd_server_packets',` dnl
dnl Interface corenet_sendrecv_ircd_server_packets(domain): convenience wrapper
dnl that calls the send and receive interfaces for ircd_server_packet_t with
dnl the same $1. No gen_require here; each callee declares its own requirement.
dnl The define/pushdef/undefine lines only track policy_call_depth for the
dnl policy_m4_comment begin/end trace.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ircd_server_packets'($*)) dnl
corenet_send_ircd_server_packets($1)
corenet_receive_ircd_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ircd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive ircd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_ircd_server_packets',` dnl
dnl Interface corenet_dontaudit_sendrecv_ircd_server_packets(domain): wrapper
dnl that applies both dontaudit interfaces for ircd_server_packet_t to $1.
dnl Nothing is granted; only the send and recv denials stop being logged.
dnl The define/pushdef/undefine lines only track policy_call_depth for the
dnl policy_m4_comment begin/end trace.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ircd_server_packets'($*)) dnl
corenet_dontaudit_send_ircd_server_packets($1)
corenet_dontaudit_receive_ircd_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ircd_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the ircd_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_ircd_server_packets',` dnl
dnl Interface corenet_relabelto_ircd_server_packets(domain): grants $1
dnl "packet relabelto" on ircd_server_packet_t, i.e. the right to assign this
dnl SECMARK label to packets. A labelling privilege, normally reserved for the
dnl firewall-administration domain rather than ordinary services.
dnl The define/pushdef/undefine lines only track policy_call_depth for the
dnl policy_m4_comment begin/end trace.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ircd_server_packets'($*)) dnl
gen_require(`
type ircd_server_packet_t;
')
allow $1 ircd_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ircd_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the isakmp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_isakmp_port',` dnl
dnl Interface corenet_tcp_sendrecv_isakmp_port(domain): grants $1 send_msg and
dnl recv_msg on tcp_socket for isakmp_port_t, i.e. exchanging TCP data on the
dnl isakmp port. It grants neither name_bind nor name_connect; those are
dnl separate interfaces below.
dnl The define/pushdef/undefine lines only track policy_call_depth for the
dnl policy_m4_comment begin/end trace.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_isakmp_port'($*)) dnl
gen_require(`
type isakmp_port_t;
')
allow $1 isakmp_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_isakmp_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the isakmp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_isakmp_port',` dnl
dnl Interface corenet_udp_send_isakmp_port(domain): grants $1 send_msg on
dnl udp_socket for isakmp_port_t (send UDP datagrams to the isakmp port).
dnl The define/pushdef/undefine lines only track policy_call_depth for the
dnl policy_m4_comment begin/end trace.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_isakmp_port'($*)) dnl
gen_require(`
type isakmp_port_t;
')
allow $1 isakmp_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_isakmp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the isakmp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_isakmp_port',` dnl
dnl Interface corenet_dontaudit_udp_send_isakmp_port(domain): suppresses the
dnl AVC audit record when $1 is denied send_msg on udp_socket for isakmp_port_t.
dnl dontaudit grants nothing; the denial is merely not logged.
dnl The define/pushdef/undefine lines only track policy_call_depth for the
dnl policy_m4_comment begin/end trace.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_isakmp_port'($*)) dnl
gen_require(`
type isakmp_port_t;
')
dontaudit $1 isakmp_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_isakmp_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the isakmp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_isakmp_port',` dnl
dnl Interface corenet_udp_receive_isakmp_port(domain): grants $1 recv_msg on
dnl udp_socket for isakmp_port_t (receive UDP datagrams on the isakmp port).
dnl The define/pushdef/undefine lines only track policy_call_depth for the
dnl policy_m4_comment begin/end trace.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_isakmp_port'($*)) dnl
gen_require(`
type isakmp_port_t;
')
allow $1 isakmp_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_isakmp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the isakmp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_isakmp_port',` dnl
dnl Interface corenet_dontaudit_udp_receive_isakmp_port(domain): suppresses the
dnl AVC audit record when $1 is denied recv_msg on udp_socket for isakmp_port_t.
dnl dontaudit grants nothing; the denial is merely not logged.
dnl The define/pushdef/undefine lines only track policy_call_depth for the
dnl policy_m4_comment begin/end trace.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_isakmp_port'($*)) dnl
gen_require(`
type isakmp_port_t;
')
dontaudit $1 isakmp_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_isakmp_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the isakmp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_isakmp_port',` dnl
dnl Interface corenet_udp_sendrecv_isakmp_port(domain): convenience wrapper that
dnl calls the UDP send and receive interfaces for isakmp_port_t with the same
dnl $1. No gen_require here; each callee declares its own requirement.
dnl The define/pushdef/undefine lines only track policy_call_depth for the
dnl policy_m4_comment begin/end trace.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_isakmp_port'($*)) dnl
corenet_udp_send_isakmp_port($1)
corenet_udp_receive_isakmp_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_isakmp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the isakmp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_isakmp_port',` dnl
dnl Interface corenet_dontaudit_udp_sendrecv_isakmp_port(domain): wrapper that
dnl applies both UDP dontaudit interfaces for isakmp_port_t to $1. Nothing is
dnl granted; only the send_msg and recv_msg denials stop being logged.
dnl The define/pushdef/undefine lines only track policy_call_depth for the
dnl policy_m4_comment begin/end trace.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_isakmp_port'($*)) dnl
corenet_dontaudit_udp_send_isakmp_port($1)
corenet_dontaudit_udp_receive_isakmp_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_isakmp_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the isakmp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_isakmp_port',` dnl
dnl Interface corenet_tcp_bind_isakmp_port(domain): grants $1 name_bind on
dnl tcp_socket for isakmp_port_t AND the net_bind_service capability on self.
dnl NOTE(review): the capability is not port-scoped. Together with whatever
dnl other name_bind rules $1 already has, it lets $1 bind any privileged port,
dnl so callers receive more than the interface name suggests. Presumably it is
dnl included because the isakmp port number is below 1024 (the ircd bind
dnl interfaces above omit it); confirm against the port declaration.
dnl The define/pushdef/undefine lines only track policy_call_depth for the
dnl policy_m4_comment begin/end trace.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_isakmp_port'($*)) dnl
gen_require(`
type isakmp_port_t;
')
allow $1 isakmp_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_isakmp_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the isakmp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_isakmp_port',` dnl
dnl Interface corenet_udp_bind_isakmp_port(domain): grants $1 name_bind on
dnl udp_socket for isakmp_port_t AND the net_bind_service capability on self.
dnl NOTE(review): the capability is not port-scoped. Together with whatever
dnl other name_bind rules $1 already has, it lets $1 bind any privileged port,
dnl so callers receive more than the interface name suggests. Presumably it is
dnl included because the isakmp port number is below 1024 (the ircd bind
dnl interfaces above omit it); confirm against the port declaration.
dnl The define/pushdef/undefine lines only track policy_call_depth for the
dnl policy_m4_comment begin/end trace.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_isakmp_port'($*)) dnl
gen_require(`
type isakmp_port_t;
')
allow $1 isakmp_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_isakmp_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the isakmp port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_isakmp_port',` dnl
dnl Interface corenet_tcp_connect_isakmp_port(domain): grants $1 name_connect
dnl on tcp_socket for isakmp_port_t (outbound TCP connection to the isakmp
dnl port). Data transfer after connecting needs the separate tcp_sendrecv
dnl interface. No capability is needed or granted for connecting.
dnl The define/pushdef/undefine lines only track policy_call_depth for the
dnl policy_m4_comment begin/end trace.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_isakmp_port'($*)) dnl
gen_require(`
type isakmp_port_t;
')
allow $1 isakmp_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_isakmp_port'($*)) dnl
')
########################################
##
## Send isakmp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_isakmp_client_packets',` dnl
dnl Interface corenet_send_isakmp_client_packets(domain): grants $1
dnl "packet send" on isakmp_client_packet_t (SECMARK-labelled outbound packets).
dnl The define/pushdef/undefine lines only track policy_call_depth for the
dnl policy_m4_comment begin/end trace.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_isakmp_client_packets'($*)) dnl
gen_require(`
type isakmp_client_packet_t;
')
allow $1 isakmp_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_isakmp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send isakmp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_isakmp_client_packets',` dnl
dnl Interface corenet_dontaudit_send_isakmp_client_packets(domain): suppresses
dnl the AVC audit record when $1 is denied "packet send" on
dnl isakmp_client_packet_t. dontaudit grants nothing; the denial is not logged.
dnl The define/pushdef/undefine lines only track policy_call_depth for the
dnl policy_m4_comment begin/end trace.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_isakmp_client_packets'($*)) dnl
gen_require(`
type isakmp_client_packet_t;
')
dontaudit $1 isakmp_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_isakmp_client_packets'($*)) dnl
')
########################################
##
## Receive isakmp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_isakmp_client_packets',` dnl
dnl Interface corenet_receive_isakmp_client_packets(domain): grants $1
dnl "packet recv" on isakmp_client_packet_t (SECMARK-labelled inbound packets).
dnl The define/pushdef/undefine lines only track policy_call_depth for the
dnl policy_m4_comment begin/end trace.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_isakmp_client_packets'($*)) dnl
gen_require(`
type isakmp_client_packet_t;
')
allow $1 isakmp_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_isakmp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive isakmp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_isakmp_client_packets',` dnl
dnl Interface corenet_dontaudit_receive_isakmp_client_packets(domain):
dnl suppresses the AVC audit record when $1 is denied "packet recv" on
dnl isakmp_client_packet_t. dontaudit grants nothing; the denial is not logged.
dnl The define/pushdef/undefine lines only track policy_call_depth for the
dnl policy_m4_comment begin/end trace.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_isakmp_client_packets'($*)) dnl
gen_require(`
type isakmp_client_packet_t;
')
dontaudit $1 isakmp_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_isakmp_client_packets'($*)) dnl
')
########################################
##
## Send and receive isakmp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_isakmp_client_packets',` dnl
dnl Interface corenet_sendrecv_isakmp_client_packets(domain): convenience
dnl wrapper that calls the send and receive interfaces for
dnl isakmp_client_packet_t with the same $1. No gen_require here; each callee
dnl declares its own requirement.
dnl The define/pushdef/undefine lines only track policy_call_depth for the
dnl policy_m4_comment begin/end trace.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_isakmp_client_packets'($*)) dnl
corenet_send_isakmp_client_packets($1)
corenet_receive_isakmp_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_isakmp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive isakmp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_isakmp_client_packets',` dnl
dnl Interface corenet_dontaudit_sendrecv_isakmp_client_packets(domain): wrapper
dnl that applies both dontaudit interfaces for isakmp_client_packet_t to $1.
dnl Nothing is granted; only the send and recv denials stop being logged.
dnl The define/pushdef/undefine lines only track policy_call_depth for the
dnl policy_m4_comment begin/end trace.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_isakmp_client_packets'($*)) dnl
corenet_dontaudit_send_isakmp_client_packets($1)
corenet_dontaudit_receive_isakmp_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_isakmp_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the isakmp_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_isakmp_client_packets',` dnl
dnl Interface corenet_relabelto_isakmp_client_packets(domain): grants $1
dnl "packet relabelto" on isakmp_client_packet_t, i.e. the right to assign this
dnl SECMARK label to packets. A labelling privilege, normally reserved for the
dnl firewall-administration domain rather than ordinary services.
dnl The define/pushdef/undefine lines only track policy_call_depth for the
dnl policy_m4_comment begin/end trace.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_isakmp_client_packets'($*)) dnl
gen_require(`
type isakmp_client_packet_t;
')
allow $1 isakmp_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_isakmp_client_packets'($*)) dnl
')
########################################
##
## Send isakmp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_isakmp_server_packets',` dnl
dnl Interface corenet_send_isakmp_server_packets(domain): grants $1
dnl "packet send" on isakmp_server_packet_t (SECMARK-labelled outbound packets).
dnl The define/pushdef/undefine lines only track policy_call_depth for the
dnl policy_m4_comment begin/end trace.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_isakmp_server_packets'($*)) dnl
gen_require(`
type isakmp_server_packet_t;
')
allow $1 isakmp_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_isakmp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send isakmp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_isakmp_server_packets',` dnl
dnl Suppress AVC denials when the domain in the first argument sends isakmp_server packets.
dnl dontaudit grants no access; a silenced denial can mask a genuine policy gap, so use sparingly.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_isakmp_server_packets'($*)) dnl
gen_require(`
type isakmp_server_packet_t;
')
dnl gen_require optionally inserts a require block for the packet type (loadable-module builds).
dontaudit $1 isakmp_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_isakmp_server_packets'($*)) dnl
')
########################################
##
## Receive isakmp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_isakmp_server_packets',` dnl
dnl Allow the domain in the first argument to receive packets labeled isakmp_server_packet_t.
dnl The policy_call_depth pushdef lines track interface nesting for the begin/end trace comments.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_isakmp_server_packets'($*)) dnl
gen_require(`
type isakmp_server_packet_t;
')
dnl Receive direction only; send is granted by corenet_send_isakmp_server_packets.
allow $1 isakmp_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_isakmp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive isakmp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_isakmp_server_packets',` dnl
dnl Suppress AVC denials when the domain in the first argument receives isakmp_server packets.
dnl dontaudit grants no access; it only keeps the denial out of the audit log.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_isakmp_server_packets'($*)) dnl
gen_require(`
type isakmp_server_packet_t;
')
dnl gen_require optionally inserts a require block for the packet type (loadable-module builds).
dontaudit $1 isakmp_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_isakmp_server_packets'($*)) dnl
')
########################################
##
## Send and receive isakmp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_isakmp_server_packets',` dnl
dnl Composite: grants both send and receive of isakmp_server packets by calling the two
dnl single-direction interfaces. Prefer the single-direction interface when only one is needed.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_isakmp_server_packets'($*)) dnl
corenet_send_isakmp_server_packets($1)
corenet_receive_isakmp_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_isakmp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive isakmp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_isakmp_server_packets',` dnl
dnl Composite: silences denials for both send and receive of isakmp_server packets by delegating
dnl to the two single-direction dontaudit interfaces. Grants nothing; it only hides AVC messages.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_isakmp_server_packets'($*)) dnl
corenet_dontaudit_send_isakmp_server_packets($1)
corenet_dontaudit_receive_isakmp_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_isakmp_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the isakmp_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_isakmp_server_packets',` dnl
dnl Allow the domain in the first argument to relabel packets to isakmp_server_packet_t.
dnl Only relabelto is granted here; send and receive on that type are separate interfaces.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_isakmp_server_packets'($*)) dnl
gen_require(`
type isakmp_server_packet_t;
')
dnl gen_require optionally inserts a require block for the packet type (loadable-module builds).
allow $1 isakmp_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_isakmp_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the iscsi port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_iscsi_port',` dnl
dnl Allow the domain in the first argument to send and receive TCP messages on iscsi_port_t.
dnl This does not grant name_bind or name_connect; those come from the bind/connect interfaces.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_iscsi_port'($*)) dnl
gen_require(`
type iscsi_port_t;
')
dnl gen_require optionally inserts a require block for the port type (loadable-module builds).
allow $1 iscsi_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_iscsi_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the iscsi port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_iscsi_port',` dnl
dnl Allow the domain in the first argument to send UDP messages on iscsi_port_t.
dnl The policy_call_depth pushdef lines track interface nesting for the begin/end trace comments.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_iscsi_port'($*)) dnl
gen_require(`
type iscsi_port_t;
')
dnl Send direction only; receive is granted by corenet_udp_receive_iscsi_port.
allow $1 iscsi_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_iscsi_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the iscsi port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_iscsi_port',` dnl
dnl Suppress AVC denials when the domain in the first argument sends UDP on iscsi_port_t.
dnl dontaudit grants no access; a silenced denial can mask a genuine policy gap, so use sparingly.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_iscsi_port'($*)) dnl
gen_require(`
type iscsi_port_t;
')
dnl gen_require optionally inserts a require block for the port type (loadable-module builds).
dontaudit $1 iscsi_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_iscsi_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the iscsi port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_iscsi_port',` dnl
dnl Allow the domain in the first argument to receive UDP messages on iscsi_port_t.
dnl The policy_call_depth pushdef lines track interface nesting for the begin/end trace comments.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_iscsi_port'($*)) dnl
gen_require(`
type iscsi_port_t;
')
dnl Receive direction only; send is granted by corenet_udp_send_iscsi_port.
allow $1 iscsi_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_iscsi_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the iscsi port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_iscsi_port',` dnl
dnl Suppress AVC denials when the domain in the first argument receives UDP on iscsi_port_t.
dnl dontaudit grants no access; it only keeps the denial out of the audit log.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_iscsi_port'($*)) dnl
gen_require(`
type iscsi_port_t;
')
dnl gen_require optionally inserts a require block for the port type (loadable-module builds).
dontaudit $1 iscsi_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_iscsi_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the iscsi port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_iscsi_port',` dnl
dnl Composite: grants both UDP send and receive on the iscsi port by calling the two
dnl single-direction interfaces. Prefer the single-direction interface when only one is needed.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_iscsi_port'($*)) dnl
corenet_udp_send_iscsi_port($1)
corenet_udp_receive_iscsi_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_iscsi_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the iscsi port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_iscsi_port',` dnl
dnl Composite: silences denials for both UDP send and receive on the iscsi port by delegating
dnl to the two single-direction dontaudit interfaces. Grants nothing; it only hides AVC messages.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_iscsi_port'($*)) dnl
corenet_dontaudit_udp_send_iscsi_port($1)
corenet_dontaudit_udp_receive_iscsi_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_iscsi_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the iscsi port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_iscsi_port',` dnl
dnl Allow the domain in the first argument to bind a TCP socket to iscsi_port_t (listen side).
dnl name_bind alone does not cover the data path; pair with corenet_tcp_sendrecv_iscsi_port.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_iscsi_port'($*)) dnl
gen_require(`
type iscsi_port_t;
')
dnl gen_require optionally inserts a require block for the port type (loadable-module builds).
allow $1 iscsi_port_t:tcp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_iscsi_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the iscsi port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_iscsi_port',` dnl
dnl Allow the domain in the first argument to bind a UDP socket to iscsi_port_t.
dnl name_bind alone does not cover the data path; pair with the udp send/receive interfaces.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_iscsi_port'($*)) dnl
gen_require(`
type iscsi_port_t;
')
dnl gen_require optionally inserts a require block for the port type (loadable-module builds).
allow $1 iscsi_port_t:udp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_iscsi_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the iscsi port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_iscsi_port',` dnl
dnl Allow the domain in the first argument to initiate a TCP connection to iscsi_port_t.
dnl Only name_connect is granted; send_msg/recv_msg come from corenet_tcp_sendrecv_iscsi_port.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_iscsi_port'($*)) dnl
gen_require(`
type iscsi_port_t;
')
dnl gen_require optionally inserts a require block for the port type (loadable-module builds).
allow $1 iscsi_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_iscsi_port'($*)) dnl
')
########################################
##
## Send iscsi_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_iscsi_client_packets',` dnl
dnl Allow the domain in the first argument to send packets labeled iscsi_client_packet_t.
dnl The policy_call_depth pushdef lines track interface nesting for the begin/end trace comments.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_iscsi_client_packets'($*)) dnl
gen_require(`
type iscsi_client_packet_t;
')
dnl Send direction only; receive is granted by corenet_receive_iscsi_client_packets.
allow $1 iscsi_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_iscsi_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send iscsi_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_iscsi_client_packets',` dnl
dnl Suppress AVC denials when the domain in the first argument sends iscsi_client packets.
dnl dontaudit grants no access; a silenced denial can mask a genuine policy gap, so use sparingly.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_iscsi_client_packets'($*)) dnl
gen_require(`
type iscsi_client_packet_t;
')
dnl gen_require optionally inserts a require block for the packet type (loadable-module builds).
dontaudit $1 iscsi_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_iscsi_client_packets'($*)) dnl
')
########################################
##
## Receive iscsi_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_iscsi_client_packets',` dnl
dnl Allow the domain in the first argument to receive packets labeled iscsi_client_packet_t.
dnl The policy_call_depth pushdef lines track interface nesting for the begin/end trace comments.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_iscsi_client_packets'($*)) dnl
gen_require(`
type iscsi_client_packet_t;
')
dnl Receive direction only; send is granted by corenet_send_iscsi_client_packets.
allow $1 iscsi_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_iscsi_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive iscsi_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_iscsi_client_packets',` dnl
dnl Suppress AVC denials when the domain in the first argument receives iscsi_client packets.
dnl dontaudit grants no access; it only keeps the denial out of the audit log.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_iscsi_client_packets'($*)) dnl
gen_require(`
type iscsi_client_packet_t;
')
dnl gen_require optionally inserts a require block for the packet type (loadable-module builds).
dontaudit $1 iscsi_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_iscsi_client_packets'($*)) dnl
')
########################################
##
## Send and receive iscsi_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_iscsi_client_packets',` dnl
dnl Composite: grants both send and receive of iscsi_client packets by calling the two
dnl single-direction interfaces. Prefer the single-direction interface when only one is needed.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_iscsi_client_packets'($*)) dnl
corenet_send_iscsi_client_packets($1)
corenet_receive_iscsi_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_iscsi_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive iscsi_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_iscsi_client_packets',` dnl
dnl Composite: silences denials for both send and receive of iscsi_client packets by delegating
dnl to the two single-direction dontaudit interfaces. Grants nothing; it only hides AVC messages.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_iscsi_client_packets'($*)) dnl
corenet_dontaudit_send_iscsi_client_packets($1)
corenet_dontaudit_receive_iscsi_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_iscsi_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the iscsi_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_iscsi_client_packets',` dnl
dnl Allow the domain in the first argument to relabel packets to iscsi_client_packet_t.
dnl Only relabelto is granted here; send and receive on that type are separate interfaces.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_iscsi_client_packets'($*)) dnl
gen_require(`
type iscsi_client_packet_t;
')
dnl gen_require optionally inserts a require block for the packet type (loadable-module builds).
allow $1 iscsi_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_iscsi_client_packets'($*)) dnl
')
########################################
##
## Send iscsi_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_iscsi_server_packets',` dnl
dnl Allow the domain in the first argument to send packets labeled iscsi_server_packet_t.
dnl The policy_call_depth pushdef lines track interface nesting for the begin/end trace comments.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_iscsi_server_packets'($*)) dnl
gen_require(`
type iscsi_server_packet_t;
')
dnl Send direction only; receive is granted by corenet_receive_iscsi_server_packets.
allow $1 iscsi_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_iscsi_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send iscsi_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_iscsi_server_packets',` dnl
dnl Suppress AVC denials when the domain in the first argument sends iscsi_server packets.
dnl dontaudit grants no access; a silenced denial can mask a genuine policy gap, so use sparingly.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_iscsi_server_packets'($*)) dnl
gen_require(`
type iscsi_server_packet_t;
')
dnl gen_require optionally inserts a require block for the packet type (loadable-module builds).
dontaudit $1 iscsi_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_iscsi_server_packets'($*)) dnl
')
########################################
##
## Receive iscsi_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_iscsi_server_packets',` dnl
dnl Allow the domain in the first argument to receive packets labeled iscsi_server_packet_t.
dnl The policy_call_depth pushdef lines track interface nesting for the begin/end trace comments.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_iscsi_server_packets'($*)) dnl
gen_require(`
type iscsi_server_packet_t;
')
dnl Receive direction only; send is granted by corenet_send_iscsi_server_packets.
allow $1 iscsi_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_iscsi_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive iscsi_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_iscsi_server_packets',` dnl
dnl Suppress AVC denials when the domain in the first argument receives iscsi_server packets.
dnl dontaudit grants no access; it only keeps the denial out of the audit log.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_iscsi_server_packets'($*)) dnl
gen_require(`
type iscsi_server_packet_t;
')
dnl gen_require optionally inserts a require block for the packet type (loadable-module builds).
dontaudit $1 iscsi_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_iscsi_server_packets'($*)) dnl
')
########################################
##
## Send and receive iscsi_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_iscsi_server_packets',` dnl
dnl Composite: grants both send and receive of iscsi_server packets by calling the two
dnl single-direction interfaces. Prefer the single-direction interface when only one is needed.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_iscsi_server_packets'($*)) dnl
corenet_send_iscsi_server_packets($1)
corenet_receive_iscsi_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_iscsi_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive iscsi_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_iscsi_server_packets',` dnl
dnl Composite: silences denials for both send and receive of iscsi_server packets by delegating
dnl to the two single-direction dontaudit interfaces. Grants nothing; it only hides AVC messages.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_iscsi_server_packets'($*)) dnl
corenet_dontaudit_send_iscsi_server_packets($1)
corenet_dontaudit_receive_iscsi_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_iscsi_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the iscsi_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_iscsi_server_packets',` dnl
dnl Allow the domain in the first argument to relabel packets to iscsi_server_packet_t.
dnl Only relabelto is granted here; send and receive on that type are separate interfaces.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_iscsi_server_packets'($*)) dnl
gen_require(`
type iscsi_server_packet_t;
')
dnl gen_require optionally inserts a require block for the packet type (loadable-module builds).
allow $1 iscsi_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_iscsi_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the isns port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_isns_port',` dnl
dnl Allow the domain in the first argument to send and receive TCP messages on isns_port_t.
dnl This does not grant name_bind or name_connect; those come from the bind/connect interfaces.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_isns_port'($*)) dnl
gen_require(`
type isns_port_t;
')
dnl gen_require optionally inserts a require block for the port type (loadable-module builds).
allow $1 isns_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_isns_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the isns port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_isns_port',` dnl
dnl Allow the domain in the first argument to send UDP messages on isns_port_t.
dnl The policy_call_depth pushdef lines track interface nesting for the begin/end trace comments.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_isns_port'($*)) dnl
gen_require(`
type isns_port_t;
')
dnl Send direction only; receive is granted by corenet_udp_receive_isns_port.
allow $1 isns_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_isns_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the isns port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_isns_port',` dnl
dnl Suppress AVC denials when the domain in the first argument sends UDP on isns_port_t.
dnl dontaudit grants no access; a silenced denial can mask a genuine policy gap, so use sparingly.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_isns_port'($*)) dnl
gen_require(`
type isns_port_t;
')
dnl gen_require optionally inserts a require block for the port type (loadable-module builds).
dontaudit $1 isns_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_isns_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the isns port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_isns_port',` dnl
dnl Allow the domain in the first argument to receive UDP messages on isns_port_t.
dnl The policy_call_depth pushdef lines track interface nesting for the begin/end trace comments.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_isns_port'($*)) dnl
gen_require(`
type isns_port_t;
')
dnl Receive direction only; send is granted by corenet_udp_send_isns_port.
allow $1 isns_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_isns_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the isns port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_isns_port',` dnl
dnl Suppress AVC denials when the domain in the first argument receives UDP on isns_port_t.
dnl dontaudit grants no access; it only keeps the denial out of the audit log.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_isns_port'($*)) dnl
gen_require(`
type isns_port_t;
')
dnl gen_require optionally inserts a require block for the port type (loadable-module builds).
dontaudit $1 isns_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_isns_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the isns port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_isns_port',` dnl
dnl Composite: grants both UDP send and receive on the isns port by calling the two
dnl single-direction interfaces. Prefer the single-direction interface when only one is needed.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_isns_port'($*)) dnl
corenet_udp_send_isns_port($1)
corenet_udp_receive_isns_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_isns_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the isns port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_isns_port',` dnl
dnl Composite: silences denials for both UDP send and receive on the isns port by delegating
dnl to the two single-direction dontaudit interfaces. Grants nothing; it only hides AVC messages.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_isns_port'($*)) dnl
corenet_dontaudit_udp_send_isns_port($1)
corenet_dontaudit_udp_receive_isns_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_isns_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the isns port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_isns_port',` dnl
dnl Allow the domain in the first argument to bind a TCP socket to isns_port_t (listen side).
dnl name_bind alone does not cover the data path; pair with corenet_tcp_sendrecv_isns_port.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_isns_port'($*)) dnl
gen_require(`
type isns_port_t;
')
dnl gen_require optionally inserts a require block for the port type (loadable-module builds).
allow $1 isns_port_t:tcp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_isns_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the isns port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_isns_port',` dnl
dnl Allow the domain in the first argument to bind a UDP socket to isns_port_t.
dnl name_bind alone does not cover the data path; pair with the udp send/receive interfaces.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_isns_port'($*)) dnl
gen_require(`
type isns_port_t;
')
dnl gen_require optionally inserts a require block for the port type (loadable-module builds).
allow $1 isns_port_t:udp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_isns_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the isns port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_isns_port',` dnl
dnl Allow the domain in the first argument to initiate a TCP connection to isns_port_t.
dnl Only name_connect is granted; send_msg/recv_msg come from corenet_tcp_sendrecv_isns_port.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_isns_port'($*)) dnl
gen_require(`
type isns_port_t;
')
dnl gen_require optionally inserts a require block for the port type (loadable-module builds).
allow $1 isns_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_isns_port'($*)) dnl
')
########################################
##
## Send isns_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_isns_client_packets',` dnl
dnl Allow the domain in the first argument to send packets labeled isns_client_packet_t.
dnl The policy_call_depth pushdef lines track interface nesting for the begin/end trace comments.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_isns_client_packets'($*)) dnl
gen_require(`
type isns_client_packet_t;
')
dnl Send direction only; receive is granted by corenet_receive_isns_client_packets.
allow $1 isns_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_isns_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send isns_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_isns_client_packets',` dnl
dnl Suppress AVC denials when the domain in the first argument sends isns_client packets.
dnl dontaudit grants no access; a silenced denial can mask a genuine policy gap, so use sparingly.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_isns_client_packets'($*)) dnl
gen_require(`
type isns_client_packet_t;
')
dnl gen_require optionally inserts a require block for the packet type (loadable-module builds).
dontaudit $1 isns_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_isns_client_packets'($*)) dnl
')
########################################
##
## Receive isns_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_isns_client_packets',` dnl
dnl Allow the domain in the first argument to receive packets labeled isns_client_packet_t.
dnl The policy_call_depth pushdef lines track interface nesting for the begin/end trace comments.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_isns_client_packets'($*)) dnl
gen_require(`
type isns_client_packet_t;
')
dnl Receive direction only; send is granted by corenet_send_isns_client_packets.
allow $1 isns_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_isns_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive isns_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_isns_client_packets',` dnl
dnl Suppress AVC denials when the domain in the first argument receives isns_client packets.
dnl dontaudit grants no access; it only keeps the denial out of the audit log.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_isns_client_packets'($*)) dnl
gen_require(`
type isns_client_packet_t;
')
dnl gen_require optionally inserts a require block for the packet type (loadable-module builds).
dontaudit $1 isns_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_isns_client_packets'($*)) dnl
')
########################################
##
## Send and receive isns_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_isns_client_packets',` dnl
# Grant the domain passed as argument 1 both send and recv on packets
# labelled isns_client_packet_t by composing the two single-permission
# interfaces; each of those emits its own gen_require for the type.
# Argument 1: domain type allowed access.
# The policy_temp / policy_call_depth lines only maintain the nesting
# counter that policy_m4_comment uses for its begin/end trace comments.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_isns_client_packets'($*)) dnl
corenet_send_isns_client_packets($1)
corenet_receive_isns_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_isns_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive isns_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_isns_client_packets',` dnl
# Silence denials for both send and recv on packets labelled
# isns_client_packet_t for the domain passed as argument 1, by composing
# the two single-direction dontaudit interfaces. Grants nothing.
# Argument 1: domain whose denials are silenced.
# NOTE(review): this hides both directions from the audit log; prefer
# the single-direction interface when only one side is noisy.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_isns_client_packets'($*)) dnl
corenet_dontaudit_send_isns_client_packets($1)
corenet_dontaudit_receive_isns_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_isns_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the isns_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_isns_client_packets',` dnl
# Allow the domain passed as argument 1 to relabel packets to
# isns_client_packet_t (packet class, permission relabelto).
# Argument 1: domain type allowed access.
# The policy_temp / policy_call_depth lines only maintain the nesting
# counter that policy_m4_comment uses for its begin/end trace comments.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_isns_client_packets'($*)) dnl
# Declare the packet type as a requirement of the calling module.
gen_require(`
type isns_client_packet_t;
')
# NOTE(review): relabelto on the packet class is a privileged grant - it
# appears to be the check applied when packet labels are assigned by the
# firewall, so it should stay confined to firewall-management domains.
# Confirm every caller before adding this to an ordinary service domain.
allow $1 isns_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_isns_client_packets'($*)) dnl
')
########################################
##
## Send isns_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_isns_server_packets',` dnl
# Grant the domain passed as argument 1 permission to send packets
# labelled isns_server_packet_t (packet class, permission send).
# Argument 1: domain type allowed access.
# The policy_temp / policy_call_depth lines only maintain the nesting
# counter that policy_m4_comment uses for its begin/end trace comments.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_isns_server_packets'($*)) dnl
# Declare the packet type as a requirement of the calling module.
gen_require(`
type isns_server_packet_t;
')
# NOTE(review): packet-class permissions only matter for traffic that
# actually carries this label (packet labelling must be configured in
# the firewall) - confirm that setup before treating this as a control.
allow $1 isns_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_isns_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send isns_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_isns_server_packets',` dnl
# Suppress audit records when the domain passed as argument 1 is denied
# sending packets labelled isns_server_packet_t. This grants nothing:
# the access is still denied, only the AVC log entry is dropped.
# Argument 1: domain whose denials are silenced.
# The policy_temp / policy_call_depth lines only maintain the nesting
# counter that policy_m4_comment uses for its begin/end trace comments.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_isns_server_packets'($*)) dnl
# Declare the packet type as a requirement of the calling module.
gen_require(`
type isns_server_packet_t;
')
# NOTE(review): dontaudit removes forensic visibility - a domain probing
# this traffic leaves no audit trail. Use only for known-benign noise.
dontaudit $1 isns_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_isns_server_packets'($*)) dnl
')
########################################
##
## Receive isns_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_isns_server_packets',` dnl
# Grant the domain passed as argument 1 permission to receive packets
# labelled isns_server_packet_t (packet class, permission recv).
# Argument 1: domain type allowed access.
# The policy_temp / policy_call_depth lines only maintain the nesting
# counter that policy_m4_comment uses for its begin/end trace comments.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_isns_server_packets'($*)) dnl
# Declare the packet type as a requirement of the calling module.
gen_require(`
type isns_server_packet_t;
')
# NOTE(review): packet-class permissions only matter for traffic that
# actually carries this label (packet labelling must be configured in
# the firewall) - confirm that setup before treating this as a control.
allow $1 isns_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_isns_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive isns_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_isns_server_packets',` dnl
# Suppress audit records when the domain passed as argument 1 is denied
# receiving packets labelled isns_server_packet_t. This grants nothing:
# the access is still denied, only the AVC log entry is dropped.
# Argument 1: domain whose denials are silenced.
# The policy_temp / policy_call_depth lines only maintain the nesting
# counter that policy_m4_comment uses for its begin/end trace comments.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_isns_server_packets'($*)) dnl
# Declare the packet type as a requirement of the calling module.
gen_require(`
type isns_server_packet_t;
')
# NOTE(review): dontaudit removes forensic visibility - a domain probing
# this traffic leaves no audit trail. Use only for known-benign noise.
dontaudit $1 isns_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_isns_server_packets'($*)) dnl
')
########################################
##
## Send and receive isns_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_isns_server_packets',` dnl
# Grant the domain passed as argument 1 both send and recv on packets
# labelled isns_server_packet_t by composing the two single-permission
# interfaces; each of those emits its own gen_require for the type.
# Argument 1: domain type allowed access.
# The policy_temp / policy_call_depth lines only maintain the nesting
# counter that policy_m4_comment uses for its begin/end trace comments.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_isns_server_packets'($*)) dnl
corenet_send_isns_server_packets($1)
corenet_receive_isns_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_isns_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive isns_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_isns_server_packets',` dnl
# Silence denials for both send and recv on packets labelled
# isns_server_packet_t for the domain passed as argument 1, by composing
# the two single-direction dontaudit interfaces. Grants nothing.
# Argument 1: domain whose denials are silenced.
# NOTE(review): this hides both directions from the audit log; prefer
# the single-direction interface when only one side is noisy.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_isns_server_packets'($*)) dnl
corenet_dontaudit_send_isns_server_packets($1)
corenet_dontaudit_receive_isns_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_isns_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the isns_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_isns_server_packets',` dnl
# Allow the domain passed as argument 1 to relabel packets to
# isns_server_packet_t (packet class, permission relabelto).
# Argument 1: domain type allowed access.
# The policy_temp / policy_call_depth lines only maintain the nesting
# counter that policy_m4_comment uses for its begin/end trace comments.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_isns_server_packets'($*)) dnl
# Declare the packet type as a requirement of the calling module.
gen_require(`
type isns_server_packet_t;
')
# NOTE(review): relabelto on the packet class is a privileged grant - it
# appears to be the check applied when packet labels are assigned by the
# firewall, so it should stay confined to firewall-management domains.
# Confirm every caller before adding this to an ordinary service domain.
allow $1 isns_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_isns_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the jabber_client port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_jabber_client_port',` dnl
# Allow TCP sockets of the domain passed as argument 1 to send and
# receive messages on ports labelled jabber_client_port_t
# (tcp_socket send_msg and recv_msg).
# Argument 1: domain type allowed access.
# The policy_temp / policy_call_depth lines only maintain the nesting
# counter that policy_m4_comment uses for its begin/end trace comments.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_jabber_client_port'($*)) dnl
# Declare the port type as a requirement of the calling module.
gen_require(`
type jabber_client_port_t;
')
# NOTE(review): whether send_msg/recv_msg port checks are enforced
# depends on the kernel and on the network peer controls policy
# capability - confirm; name_connect and name_bind remain the
# effective port controls and this is not a substitute for them.
allow $1 jabber_client_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_jabber_client_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the jabber_client port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_jabber_client_port',` dnl
# Allow UDP sockets of the domain passed as argument 1 to send messages
# on ports labelled jabber_client_port_t (udp_socket send_msg).
# Argument 1: domain type allowed access.
# The policy_temp / policy_call_depth lines only maintain the nesting
# counter that policy_m4_comment uses for its begin/end trace comments.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_jabber_client_port'($*)) dnl
# Declare the port type as a requirement of the calling module.
gen_require(`
type jabber_client_port_t;
')
# NOTE(review): enforcement of this port check depends on the kernel and
# on the network peer controls policy capability - confirm before
# relying on it as the only egress control for this domain.
allow $1 jabber_client_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_jabber_client_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the jabber_client port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_jabber_client_port',` dnl
# Suppress audit records when UDP sockets of the domain passed as
# argument 1 are denied send_msg on ports labelled jabber_client_port_t.
# Grants nothing; the denial still happens, only the log entry is dropped.
# Argument 1: domain whose denials are silenced.
# The policy_temp / policy_call_depth lines only maintain the nesting
# counter that policy_m4_comment uses for its begin/end trace comments.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_jabber_client_port'($*)) dnl
# Declare the port type as a requirement of the calling module.
gen_require(`
type jabber_client_port_t;
')
# NOTE(review): silenced denials never reach auditd; keep this to
# known-benign noise so probing of this port stays visible.
dontaudit $1 jabber_client_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_jabber_client_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the jabber_client port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_jabber_client_port',` dnl
# Allow UDP sockets of the domain passed as argument 1 to receive
# messages on ports labelled jabber_client_port_t (udp_socket recv_msg).
# Argument 1: domain type allowed access.
# The policy_temp / policy_call_depth lines only maintain the nesting
# counter that policy_m4_comment uses for its begin/end trace comments.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_jabber_client_port'($*)) dnl
# Declare the port type as a requirement of the calling module.
gen_require(`
type jabber_client_port_t;
')
# NOTE(review): enforcement of this port check depends on the kernel and
# on the network peer controls policy capability - confirm before
# relying on it as the only ingress control for this domain.
allow $1 jabber_client_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_jabber_client_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the jabber_client port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_jabber_client_port',` dnl
# Suppress audit records when UDP sockets of the domain passed as
# argument 1 are denied recv_msg on ports labelled jabber_client_port_t.
# Grants nothing; the denial still happens, only the log entry is dropped.
# Argument 1: domain whose denials are silenced.
# The policy_temp / policy_call_depth lines only maintain the nesting
# counter that policy_m4_comment uses for its begin/end trace comments.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_jabber_client_port'($*)) dnl
# Declare the port type as a requirement of the calling module.
gen_require(`
type jabber_client_port_t;
')
# NOTE(review): silenced denials never reach auditd; keep this to
# known-benign noise so probing of this port stays visible.
dontaudit $1 jabber_client_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_jabber_client_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the jabber_client port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_jabber_client_port',` dnl
# Allow UDP sockets of the domain passed as argument 1 to both send and
# receive on ports labelled jabber_client_port_t, by composing the two
# single-direction interfaces; each emits its own gen_require.
# Argument 1: domain type allowed access.
# The policy_temp / policy_call_depth lines only maintain the nesting
# counter that policy_m4_comment uses for its begin/end trace comments.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_jabber_client_port'($*)) dnl
corenet_udp_send_jabber_client_port($1)
corenet_udp_receive_jabber_client_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_jabber_client_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the jabber_client port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_jabber_client_port',` dnl
# Silence UDP send_msg and recv_msg denials on ports labelled
# jabber_client_port_t for the domain passed as argument 1, by composing
# the two single-direction dontaudit interfaces. Grants nothing.
# Argument 1: domain whose denials are silenced.
# NOTE(review): this hides both directions from the audit log; prefer
# the single-direction interface when only one side is noisy.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_jabber_client_port'($*)) dnl
corenet_dontaudit_udp_send_jabber_client_port($1)
corenet_dontaudit_udp_receive_jabber_client_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_jabber_client_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the jabber_client port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_jabber_client_port',` dnl
# Allow the domain passed as argument 1 to bind TCP sockets to ports
# labelled jabber_client_port_t (tcp_socket name_bind), i.e. to listen
# as a server on those port numbers.
# Argument 1: domain type allowed access.
# The policy_temp / policy_call_depth lines only maintain the nesting
# counter that policy_m4_comment uses for its begin/end trace comments.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_jabber_client_port'($*)) dnl
# Declare the port type as a requirement of the calling module.
gen_require(`
type jabber_client_port_t;
')
# NOTE(review): name_bind is the server-side port control; granting it
# widens the listening surface of the domain. Check which port numbers
# carry this label in the port context configuration before using it.
allow $1 jabber_client_port_t:tcp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_jabber_client_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the jabber_client port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_jabber_client_port',` dnl
# Allow the domain passed as argument 1 to bind UDP sockets to ports
# labelled jabber_client_port_t (udp_socket name_bind).
# Argument 1: domain type allowed access.
# The policy_temp / policy_call_depth lines only maintain the nesting
# counter that policy_m4_comment uses for its begin/end trace comments.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_jabber_client_port'($*)) dnl
# Declare the port type as a requirement of the calling module.
gen_require(`
type jabber_client_port_t;
')
# NOTE(review): name_bind is the server-side port control; granting it
# widens the listening surface of the domain. Check which port numbers
# carry this label in the port context configuration before using it.
allow $1 jabber_client_port_t:udp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_jabber_client_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the jabber_client port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_jabber_client_port',` dnl
# Allow the domain passed as argument 1 to make outbound TCP connections
# to ports labelled jabber_client_port_t (tcp_socket name_connect).
# Argument 1: domain type allowed access.
# The policy_temp / policy_call_depth lines only maintain the nesting
# counter that policy_m4_comment uses for its begin/end trace comments.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_jabber_client_port'($*)) dnl
# Declare the port type as a requirement of the calling module.
gen_require(`
type jabber_client_port_t;
')
# NOTE(review): name_connect is the client-side port control that
# actually confines outbound TCP; review it as an egress grant and keep
# it off domains that have no business reaching a jabber server.
allow $1 jabber_client_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_jabber_client_port'($*)) dnl
')
########################################
##
## Send jabber_client_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_jabber_client_client_packets',` dnl
# Grant the domain passed as argument 1 permission to send packets
# labelled jabber_client_client_packet_t (packet class, permission send).
# Argument 1: domain type allowed access.
# The policy_temp / policy_call_depth lines only maintain the nesting
# counter that policy_m4_comment uses for its begin/end trace comments.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_jabber_client_client_packets'($*)) dnl
# Declare the packet type as a requirement of the calling module.
gen_require(`
type jabber_client_client_packet_t;
')
# NOTE(review): packet-class permissions only matter for traffic that
# actually carries this label (packet labelling must be configured in
# the firewall) - confirm that setup before treating this as a control.
allow $1 jabber_client_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_jabber_client_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send jabber_client_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_jabber_client_client_packets',` dnl
# Suppress audit records when the domain passed as argument 1 is denied
# sending packets labelled jabber_client_client_packet_t. Grants
# nothing: the access is still denied, only the AVC log entry is dropped.
# Argument 1: domain whose denials are silenced.
# The policy_temp / policy_call_depth lines only maintain the nesting
# counter that policy_m4_comment uses for its begin/end trace comments.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_jabber_client_client_packets'($*)) dnl
# Declare the packet type as a requirement of the calling module.
gen_require(`
type jabber_client_client_packet_t;
')
# NOTE(review): dontaudit removes forensic visibility - a domain probing
# this traffic leaves no audit trail. Use only for known-benign noise.
dontaudit $1 jabber_client_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_jabber_client_client_packets'($*)) dnl
')
########################################
##
## Receive jabber_client_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_jabber_client_client_packets',` dnl
# Grant the domain passed as argument 1 permission to receive packets
# labelled jabber_client_client_packet_t (packet class, permission recv).
# Argument 1: domain type allowed access.
# The policy_temp / policy_call_depth lines only maintain the nesting
# counter that policy_m4_comment uses for its begin/end trace comments.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_jabber_client_client_packets'($*)) dnl
# Declare the packet type as a requirement of the calling module.
gen_require(`
type jabber_client_client_packet_t;
')
# NOTE(review): packet-class permissions only matter for traffic that
# actually carries this label (packet labelling must be configured in
# the firewall) - confirm that setup before treating this as a control.
allow $1 jabber_client_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_jabber_client_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive jabber_client_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_jabber_client_client_packets',` dnl
# Suppress audit records when the domain passed as argument 1 is denied
# receiving packets labelled jabber_client_client_packet_t. Grants
# nothing: the access is still denied, only the AVC log entry is dropped.
# Argument 1: domain whose denials are silenced.
# The policy_temp / policy_call_depth lines only maintain the nesting
# counter that policy_m4_comment uses for its begin/end trace comments.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_jabber_client_client_packets'($*)) dnl
# Declare the packet type as a requirement of the calling module.
gen_require(`
type jabber_client_client_packet_t;
')
# NOTE(review): dontaudit removes forensic visibility - a domain probing
# this traffic leaves no audit trail. Use only for known-benign noise.
dontaudit $1 jabber_client_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_jabber_client_client_packets'($*)) dnl
')
########################################
##
## Send and receive jabber_client_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_jabber_client_client_packets',` dnl
# Grant the domain passed as argument 1 both send and recv on packets
# labelled jabber_client_client_packet_t by composing the two
# single-permission interfaces; each emits its own gen_require.
# Argument 1: domain type allowed access.
# The policy_temp / policy_call_depth lines only maintain the nesting
# counter that policy_m4_comment uses for its begin/end trace comments.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_jabber_client_client_packets'($*)) dnl
corenet_send_jabber_client_client_packets($1)
corenet_receive_jabber_client_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_jabber_client_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive jabber_client_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_jabber_client_client_packets',` dnl
# Silence denials for both send and recv on packets labelled
# jabber_client_client_packet_t for the domain passed as argument 1, by
# composing the two single-direction dontaudit interfaces. Grants nothing.
# Argument 1: domain whose denials are silenced.
# NOTE(review): this hides both directions from the audit log; prefer
# the single-direction interface when only one side is noisy.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_jabber_client_client_packets'($*)) dnl
corenet_dontaudit_send_jabber_client_client_packets($1)
corenet_dontaudit_receive_jabber_client_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_jabber_client_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the jabber_client_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_jabber_client_client_packets',` dnl
# Allow the domain passed as argument 1 to relabel packets to
# jabber_client_client_packet_t (packet class, permission relabelto).
# Argument 1: domain type allowed access.
# The policy_temp / policy_call_depth lines only maintain the nesting
# counter that policy_m4_comment uses for its begin/end trace comments.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_jabber_client_client_packets'($*)) dnl
# Declare the packet type as a requirement of the calling module.
gen_require(`
type jabber_client_client_packet_t;
')
# NOTE(review): relabelto on the packet class is a privileged grant - it
# appears to be the check applied when packet labels are assigned by the
# firewall, so it should stay confined to firewall-management domains.
# Confirm every caller before adding this to an ordinary service domain.
allow $1 jabber_client_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_jabber_client_client_packets'($*)) dnl
')
########################################
##
## Send jabber_client_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_jabber_client_server_packets',` dnl
# Grant the domain passed as argument 1 permission to send packets
# labelled jabber_client_server_packet_t (packet class, permission send).
# Argument 1: domain type allowed access.
# The policy_temp / policy_call_depth lines only maintain the nesting
# counter that policy_m4_comment uses for its begin/end trace comments.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_jabber_client_server_packets'($*)) dnl
# Declare the packet type as a requirement of the calling module.
gen_require(`
type jabber_client_server_packet_t;
')
# NOTE(review): packet-class permissions only matter for traffic that
# actually carries this label (packet labelling must be configured in
# the firewall) - confirm that setup before treating this as a control.
allow $1 jabber_client_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_jabber_client_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send jabber_client_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_jabber_client_server_packets',` dnl
# Suppress audit records when the domain passed as argument 1 is denied
# sending packets labelled jabber_client_server_packet_t. Grants
# nothing: the access is still denied, only the AVC log entry is dropped.
# Argument 1: domain whose denials are silenced.
# The policy_temp / policy_call_depth lines only maintain the nesting
# counter that policy_m4_comment uses for its begin/end trace comments.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_jabber_client_server_packets'($*)) dnl
# Declare the packet type as a requirement of the calling module.
gen_require(`
type jabber_client_server_packet_t;
')
# NOTE(review): dontaudit removes forensic visibility - a domain probing
# this traffic leaves no audit trail. Use only for known-benign noise.
dontaudit $1 jabber_client_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_jabber_client_server_packets'($*)) dnl
')
########################################
##
## Receive jabber_client_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_jabber_client_server_packets',` dnl
# Grant the domain passed as argument 1 permission to receive packets
# labelled jabber_client_server_packet_t (packet class, permission recv).
# Argument 1: domain type allowed access.
# The policy_temp / policy_call_depth lines only maintain the nesting
# counter that policy_m4_comment uses for its begin/end trace comments.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_jabber_client_server_packets'($*)) dnl
# Declare the packet type as a requirement of the calling module.
gen_require(`
type jabber_client_server_packet_t;
')
# NOTE(review): packet-class permissions only matter for traffic that
# actually carries this label (packet labelling must be configured in
# the firewall) - confirm that setup before treating this as a control.
allow $1 jabber_client_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_jabber_client_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive jabber_client_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_jabber_client_server_packets',` dnl
# Suppress audit records when the domain passed as argument 1 is denied
# receiving packets labelled jabber_client_server_packet_t. Grants
# nothing: the access is still denied, only the AVC log entry is dropped.
# Argument 1: domain whose denials are silenced.
# The policy_temp / policy_call_depth lines only maintain the nesting
# counter that policy_m4_comment uses for its begin/end trace comments.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_jabber_client_server_packets'($*)) dnl
# Declare the packet type as a requirement of the calling module.
gen_require(`
type jabber_client_server_packet_t;
')
# NOTE(review): dontaudit removes forensic visibility - a domain probing
# this traffic leaves no audit trail. Use only for known-benign noise.
dontaudit $1 jabber_client_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_jabber_client_server_packets'($*)) dnl
')
########################################
##
## Send and receive jabber_client_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_jabber_client_server_packets',` dnl
# Grant the domain passed as argument 1 both send and recv on packets
# labelled jabber_client_server_packet_t by composing the two
# single-permission interfaces; each emits its own gen_require.
# Argument 1: domain type allowed access.
# The policy_temp / policy_call_depth lines only maintain the nesting
# counter that policy_m4_comment uses for its begin/end trace comments.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_jabber_client_server_packets'($*)) dnl
corenet_send_jabber_client_server_packets($1)
corenet_receive_jabber_client_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_jabber_client_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive jabber_client_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_jabber_client_server_packets',` dnl
# Silence denials for both send and recv on packets labelled
# jabber_client_server_packet_t for the domain passed as argument 1, by
# composing the two single-direction dontaudit interfaces. Grants nothing.
# Argument 1: domain whose denials are silenced.
# NOTE(review): this hides both directions from the audit log; prefer
# the single-direction interface when only one side is noisy.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_jabber_client_server_packets'($*)) dnl
corenet_dontaudit_send_jabber_client_server_packets($1)
corenet_dontaudit_receive_jabber_client_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_jabber_client_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the jabber_client_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_jabber_client_server_packets',` dnl
# Allow the domain passed as argument 1 to relabel packets to
# jabber_client_server_packet_t (packet class, permission relabelto).
# Argument 1: domain type allowed access.
# The policy_temp / policy_call_depth lines only maintain the nesting
# counter that policy_m4_comment uses for its begin/end trace comments.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_jabber_client_server_packets'($*)) dnl
# Declare the packet type as a requirement of the calling module.
gen_require(`
type jabber_client_server_packet_t;
')
# NOTE(review): relabelto on the packet class is a privileged grant - it
# appears to be the check applied when packet labels are assigned by the
# firewall, so it should stay confined to firewall-management domains.
# Confirm every caller before adding this to an ordinary service domain.
allow $1 jabber_client_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_jabber_client_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the jabber_interserver port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_jabber_interserver_port',` dnl
# Allow TCP sockets of the domain passed as argument 1 to send and
# receive messages on ports labelled jabber_interserver_port_t
# (tcp_socket send_msg and recv_msg).
# Argument 1: domain type allowed access.
# The policy_temp / policy_call_depth lines only maintain the nesting
# counter that policy_m4_comment uses for its begin/end trace comments.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_jabber_interserver_port'($*)) dnl
# Declare the port type as a requirement of the calling module.
gen_require(`
type jabber_interserver_port_t;
')
# NOTE(review): whether send_msg/recv_msg port checks are enforced
# depends on the kernel and on the network peer controls policy
# capability - confirm; name_connect and name_bind remain the
# effective port controls and this is not a substitute for them.
allow $1 jabber_interserver_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_jabber_interserver_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the jabber_interserver port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_jabber_interserver_port',` dnl
# Allow UDP sockets of the domain passed as argument 1 to send messages
# on ports labelled jabber_interserver_port_t (udp_socket send_msg).
# Argument 1: domain type allowed access.
# The policy_temp / policy_call_depth lines only maintain the nesting
# counter that policy_m4_comment uses for its begin/end trace comments.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_jabber_interserver_port'($*)) dnl
# Declare the port type as a requirement of the calling module.
gen_require(`
type jabber_interserver_port_t;
')
# NOTE(review): enforcement of this port check depends on the kernel and
# on the network peer controls policy capability - confirm before
# relying on it as the only egress control for this domain.
allow $1 jabber_interserver_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_jabber_interserver_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the jabber_interserver port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_jabber_interserver_port',` dnl
# Suppress audit records when UDP sockets of the domain passed as
# argument 1 are denied send_msg on ports labelled
# jabber_interserver_port_t. Grants nothing; only the log entry is dropped.
# Argument 1: domain whose denials are silenced.
# The policy_temp / policy_call_depth lines only maintain the nesting
# counter that policy_m4_comment uses for its begin/end trace comments.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_jabber_interserver_port'($*)) dnl
# Declare the port type as a requirement of the calling module.
gen_require(`
type jabber_interserver_port_t;
')
# NOTE(review): silenced denials never reach auditd; keep this to
# known-benign noise so probing of this port stays visible.
dontaudit $1 jabber_interserver_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_jabber_interserver_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the jabber_interserver port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_jabber_interserver_port',` dnl
# Allow UDP sockets of the domain passed as argument 1 to receive
# messages on ports labelled jabber_interserver_port_t
# (udp_socket recv_msg).
# Argument 1: domain type allowed access.
# The policy_temp / policy_call_depth lines only maintain the nesting
# counter that policy_m4_comment uses for its begin/end trace comments.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_jabber_interserver_port'($*)) dnl
# Declare the port type as a requirement of the calling module.
gen_require(`
type jabber_interserver_port_t;
')
# NOTE(review): enforcement of this port check depends on the kernel and
# on the network peer controls policy capability - confirm before
# relying on it as the only ingress control for this domain.
allow $1 jabber_interserver_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_jabber_interserver_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the jabber_interserver port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_jabber_interserver_port',` dnl
# Suppress audit records when UDP sockets of the domain passed as
# argument 1 are denied recv_msg on ports labelled
# jabber_interserver_port_t. Grants nothing; only the log entry is dropped.
# Argument 1: domain whose denials are silenced.
# The policy_temp / policy_call_depth lines only maintain the nesting
# counter that policy_m4_comment uses for its begin/end trace comments.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_jabber_interserver_port'($*)) dnl
# Declare the port type as a requirement of the calling module.
gen_require(`
type jabber_interserver_port_t;
')
# NOTE(review): silenced denials never reach auditd; keep this to
# known-benign noise so probing of this port stays visible.
dontaudit $1 jabber_interserver_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_jabber_interserver_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the jabber_interserver port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_jabber_interserver_port',` dnl
# Allow UDP sockets of the domain passed as argument 1 to both send and
# receive on ports labelled jabber_interserver_port_t, by composing the
# two single-direction interfaces; each emits its own gen_require.
# Argument 1: domain type allowed access.
# The policy_temp / policy_call_depth lines only maintain the nesting
# counter that policy_m4_comment uses for its begin/end trace comments.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_jabber_interserver_port'($*)) dnl
corenet_udp_send_jabber_interserver_port($1)
corenet_udp_receive_jabber_interserver_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_jabber_interserver_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the jabber_interserver port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_jabber_interserver_port',` dnl
# Silence UDP send_msg and recv_msg denials on ports labelled
# jabber_interserver_port_t for the domain passed as argument 1, by
# composing the two single-direction dontaudit interfaces. Grants nothing.
# Argument 1: domain whose denials are silenced.
# NOTE(review): this hides both directions from the audit log; prefer
# the single-direction interface when only one side is noisy.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_jabber_interserver_port'($*)) dnl
corenet_dontaudit_udp_send_jabber_interserver_port($1)
corenet_dontaudit_udp_receive_jabber_interserver_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_jabber_interserver_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the jabber_interserver port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_jabber_interserver_port',` dnl
# Allow the domain passed as argument 1 to bind TCP sockets to ports
# labelled jabber_interserver_port_t (tcp_socket name_bind), i.e. to
# listen as a server on those port numbers.
# Argument 1: domain type allowed access.
# The policy_temp / policy_call_depth lines only maintain the nesting
# counter that policy_m4_comment uses for its begin/end trace comments.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_jabber_interserver_port'($*)) dnl
# Declare the port type as a requirement of the calling module.
gen_require(`
type jabber_interserver_port_t;
')
# NOTE(review): name_bind is the server-side port control; granting it
# widens the listening surface of the domain. Check which port numbers
# carry this label in the port context configuration before using it.
allow $1 jabber_interserver_port_t:tcp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_jabber_interserver_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the jabber_interserver port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_jabber_interserver_port',` dnl
# Allow the domain passed as argument 1 to bind UDP sockets to ports
# labelled jabber_interserver_port_t (udp_socket name_bind).
# Argument 1: domain type allowed access.
# The policy_temp / policy_call_depth lines only maintain the nesting
# counter that policy_m4_comment uses for its begin/end trace comments.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_jabber_interserver_port'($*)) dnl
# Declare the port type as a requirement of the calling module.
gen_require(`
type jabber_interserver_port_t;
')
# NOTE(review): name_bind is the server-side port control; granting it
# widens the listening surface of the domain. Check which port numbers
# carry this label in the port context configuration before using it.
allow $1 jabber_interserver_port_t:udp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_jabber_interserver_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the jabber_interserver port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_jabber_interserver_port',` dnl
dnl Interface corenet_tcp_connect_jabber_interserver_port - arg 1: domain type granted access.
dnl Emits: allow arg1 jabber_interserver_port_t:tcp_socket name_connect (outbound connect only; binding is a separate interface).
dnl The define/pushdef/undefine lines maintain policy_call_depth for the policy_m4_comment begin/end markers and emit no rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_jabber_interserver_port'($*)) dnl
gen_require(`
type jabber_interserver_port_t;
')
allow $1 jabber_interserver_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_jabber_interserver_port'($*)) dnl
')
########################################
##
## Send jabber_interserver_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_jabber_interserver_client_packets',` dnl
dnl Interface corenet_send_jabber_interserver_client_packets - arg 1: domain type granted access.
dnl Emits: allow arg1 jabber_interserver_client_packet_t:packet send.
dnl The define/pushdef/undefine lines maintain policy_call_depth for the policy_m4_comment begin/end markers and emit no rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_jabber_interserver_client_packets'($*)) dnl
gen_require(`
type jabber_interserver_client_packet_t;
')
allow $1 jabber_interserver_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_jabber_interserver_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send jabber_interserver_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_jabber_interserver_client_packets',` dnl
dnl Interface corenet_dontaudit_send_jabber_interserver_client_packets - arg 1: domain type whose denials are silenced.
dnl Emits: dontaudit arg1 jabber_interserver_client_packet_t:packet send. Grants nothing; only suppresses the AVC denial record, so the event vanishes from audit - use for known-benign traffic only.
dnl The define/pushdef/undefine lines maintain policy_call_depth for the policy_m4_comment begin/end markers and emit no rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_jabber_interserver_client_packets'($*)) dnl
gen_require(`
type jabber_interserver_client_packet_t;
')
dontaudit $1 jabber_interserver_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_jabber_interserver_client_packets'($*)) dnl
')
########################################
##
## Receive jabber_interserver_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_jabber_interserver_client_packets',` dnl
dnl Interface corenet_receive_jabber_interserver_client_packets - arg 1: domain type granted access.
dnl Emits: allow arg1 jabber_interserver_client_packet_t:packet recv.
dnl The define/pushdef/undefine lines maintain policy_call_depth for the policy_m4_comment begin/end markers and emit no rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_jabber_interserver_client_packets'($*)) dnl
gen_require(`
type jabber_interserver_client_packet_t;
')
allow $1 jabber_interserver_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_jabber_interserver_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive jabber_interserver_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_jabber_interserver_client_packets',` dnl
dnl Interface corenet_dontaudit_receive_jabber_interserver_client_packets - arg 1: domain type whose denials are silenced (the header above this define says allowed access, but the rule is a dontaudit).
dnl Emits: dontaudit arg1 jabber_interserver_client_packet_t:packet recv. Grants nothing; only suppresses the AVC denial record - use for known-benign traffic only.
dnl The define/pushdef/undefine lines maintain policy_call_depth for the policy_m4_comment begin/end markers and emit no rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_jabber_interserver_client_packets'($*)) dnl
gen_require(`
type jabber_interserver_client_packet_t;
')
dontaudit $1 jabber_interserver_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_jabber_interserver_client_packets'($*)) dnl
')
########################################
##
## Send and receive jabber_interserver_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_jabber_interserver_client_packets',` dnl
dnl Interface corenet_sendrecv_jabber_interserver_client_packets - arg 1: domain type granted access.
dnl Composes the send and receive packet interfaces for arg 1; no gen_require here because the callees declare the packet type.
dnl The define/pushdef/undefine lines maintain policy_call_depth for the policy_m4_comment begin/end markers and emit no rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_jabber_interserver_client_packets'($*)) dnl
corenet_send_jabber_interserver_client_packets($1)
corenet_receive_jabber_interserver_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_jabber_interserver_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive jabber_interserver_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_jabber_interserver_client_packets',` dnl
dnl Interface corenet_dontaudit_sendrecv_jabber_interserver_client_packets - arg 1: domain type whose denials are silenced.
dnl Composes the dontaudit send and receive packet interfaces for arg 1; grants nothing, only suppresses AVC denial records - use for known-benign traffic only.
dnl The define/pushdef/undefine lines maintain policy_call_depth for the policy_m4_comment begin/end markers and emit no rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_jabber_interserver_client_packets'($*)) dnl
corenet_dontaudit_send_jabber_interserver_client_packets($1)
corenet_dontaudit_receive_jabber_interserver_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_jabber_interserver_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the jabber_interserver_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_jabber_interserver_client_packets',` dnl
dnl Interface corenet_relabelto_jabber_interserver_client_packets - arg 1: domain type granted access.
dnl Emits: allow arg1 jabber_interserver_client_packet_t:packet relabelto, i.e. the domain may assign this packet label. Where packet labels are applied is not shown in this file - confirm the labeling path before granting.
dnl The define/pushdef/undefine lines maintain policy_call_depth for the policy_m4_comment begin/end markers and emit no rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_jabber_interserver_client_packets'($*)) dnl
gen_require(`
type jabber_interserver_client_packet_t;
')
allow $1 jabber_interserver_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_jabber_interserver_client_packets'($*)) dnl
')
########################################
##
## Send jabber_interserver_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_jabber_interserver_server_packets',` dnl
dnl Interface corenet_send_jabber_interserver_server_packets - arg 1: domain type granted access.
dnl Emits: allow arg1 jabber_interserver_server_packet_t:packet send.
dnl The define/pushdef/undefine lines maintain policy_call_depth for the policy_m4_comment begin/end markers and emit no rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_jabber_interserver_server_packets'($*)) dnl
gen_require(`
type jabber_interserver_server_packet_t;
')
allow $1 jabber_interserver_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_jabber_interserver_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send jabber_interserver_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_jabber_interserver_server_packets',` dnl
dnl Interface corenet_dontaudit_send_jabber_interserver_server_packets - arg 1: domain type whose denials are silenced.
dnl Emits: dontaudit arg1 jabber_interserver_server_packet_t:packet send. Grants nothing; only suppresses the AVC denial record - use for known-benign traffic only.
dnl The define/pushdef/undefine lines maintain policy_call_depth for the policy_m4_comment begin/end markers and emit no rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_jabber_interserver_server_packets'($*)) dnl
gen_require(`
type jabber_interserver_server_packet_t;
')
dontaudit $1 jabber_interserver_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_jabber_interserver_server_packets'($*)) dnl
')
########################################
##
## Receive jabber_interserver_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_jabber_interserver_server_packets',` dnl
dnl Interface corenet_receive_jabber_interserver_server_packets - arg 1: domain type granted access.
dnl Emits: allow arg1 jabber_interserver_server_packet_t:packet recv.
dnl The define/pushdef/undefine lines maintain policy_call_depth for the policy_m4_comment begin/end markers and emit no rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_jabber_interserver_server_packets'($*)) dnl
gen_require(`
type jabber_interserver_server_packet_t;
')
allow $1 jabber_interserver_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_jabber_interserver_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive jabber_interserver_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_jabber_interserver_server_packets',` dnl
dnl Interface corenet_dontaudit_receive_jabber_interserver_server_packets - arg 1: domain type whose denials are silenced (the header above this define says allowed access, but the rule is a dontaudit).
dnl Emits: dontaudit arg1 jabber_interserver_server_packet_t:packet recv. Grants nothing; only suppresses the AVC denial record - use for known-benign traffic only.
dnl The define/pushdef/undefine lines maintain policy_call_depth for the policy_m4_comment begin/end markers and emit no rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_jabber_interserver_server_packets'($*)) dnl
gen_require(`
type jabber_interserver_server_packet_t;
')
dontaudit $1 jabber_interserver_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_jabber_interserver_server_packets'($*)) dnl
')
########################################
##
## Send and receive jabber_interserver_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_jabber_interserver_server_packets',` dnl
dnl Interface corenet_sendrecv_jabber_interserver_server_packets - arg 1: domain type granted access.
dnl Composes the send and receive packet interfaces for arg 1; no gen_require here because the callees declare the packet type.
dnl The define/pushdef/undefine lines maintain policy_call_depth for the policy_m4_comment begin/end markers and emit no rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_jabber_interserver_server_packets'($*)) dnl
corenet_send_jabber_interserver_server_packets($1)
corenet_receive_jabber_interserver_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_jabber_interserver_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive jabber_interserver_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_jabber_interserver_server_packets',` dnl
dnl Interface corenet_dontaudit_sendrecv_jabber_interserver_server_packets - arg 1: domain type whose denials are silenced.
dnl Composes the dontaudit send and receive packet interfaces for arg 1; grants nothing, only suppresses AVC denial records - use for known-benign traffic only.
dnl The define/pushdef/undefine lines maintain policy_call_depth for the policy_m4_comment begin/end markers and emit no rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_jabber_interserver_server_packets'($*)) dnl
corenet_dontaudit_send_jabber_interserver_server_packets($1)
corenet_dontaudit_receive_jabber_interserver_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_jabber_interserver_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the jabber_interserver_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_jabber_interserver_server_packets',` dnl
dnl Interface corenet_relabelto_jabber_interserver_server_packets - arg 1: domain type granted access.
dnl Emits: allow arg1 jabber_interserver_server_packet_t:packet relabelto, i.e. the domain may assign this packet label. Where packet labels are applied is not shown in this file - confirm the labeling path before granting.
dnl The define/pushdef/undefine lines maintain policy_call_depth for the policy_m4_comment begin/end markers and emit no rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_jabber_interserver_server_packets'($*)) dnl
gen_require(`
type jabber_interserver_server_packet_t;
')
allow $1 jabber_interserver_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_jabber_interserver_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the kerberos_admin port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_kerberos_admin_port',` dnl
dnl Interface corenet_tcp_sendrecv_kerberos_admin_port - arg 1: domain type granted access.
dnl Emits: allow arg1 kerberos_admin_port_t:tcp_socket { send_msg recv_msg }. Traffic permissions only; bind and connect are separate interfaces.
dnl The define/pushdef/undefine lines maintain policy_call_depth for the policy_m4_comment begin/end markers and emit no rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_kerberos_admin_port'($*)) dnl
gen_require(`
type kerberos_admin_port_t;
')
allow $1 kerberos_admin_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_kerberos_admin_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the kerberos_admin port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_kerberos_admin_port',` dnl
dnl Interface corenet_udp_send_kerberos_admin_port - arg 1: domain type granted access.
dnl Emits: allow arg1 kerberos_admin_port_t:udp_socket send_msg.
dnl The define/pushdef/undefine lines maintain policy_call_depth for the policy_m4_comment begin/end markers and emit no rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_kerberos_admin_port'($*)) dnl
gen_require(`
type kerberos_admin_port_t;
')
allow $1 kerberos_admin_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_kerberos_admin_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the kerberos_admin port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_kerberos_admin_port',` dnl
dnl Interface corenet_dontaudit_udp_send_kerberos_admin_port - arg 1: domain type whose denials are silenced.
dnl Emits: dontaudit arg1 kerberos_admin_port_t:udp_socket send_msg. Grants nothing; only suppresses the AVC denial record - use for known-benign traffic only.
dnl The define/pushdef/undefine lines maintain policy_call_depth for the policy_m4_comment begin/end markers and emit no rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_kerberos_admin_port'($*)) dnl
gen_require(`
type kerberos_admin_port_t;
')
dontaudit $1 kerberos_admin_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_kerberos_admin_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the kerberos_admin port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_kerberos_admin_port',` dnl
dnl Interface corenet_udp_receive_kerberos_admin_port - arg 1: domain type granted access.
dnl Emits: allow arg1 kerberos_admin_port_t:udp_socket recv_msg.
dnl The define/pushdef/undefine lines maintain policy_call_depth for the policy_m4_comment begin/end markers and emit no rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_kerberos_admin_port'($*)) dnl
gen_require(`
type kerberos_admin_port_t;
')
allow $1 kerberos_admin_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_kerberos_admin_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the kerberos_admin port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_kerberos_admin_port',` dnl
dnl Interface corenet_dontaudit_udp_receive_kerberos_admin_port - arg 1: domain type whose denials are silenced.
dnl Emits: dontaudit arg1 kerberos_admin_port_t:udp_socket recv_msg. Grants nothing; only suppresses the AVC denial record - use for known-benign traffic only.
dnl The define/pushdef/undefine lines maintain policy_call_depth for the policy_m4_comment begin/end markers and emit no rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_kerberos_admin_port'($*)) dnl
gen_require(`
type kerberos_admin_port_t;
')
dontaudit $1 kerberos_admin_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_kerberos_admin_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the kerberos_admin port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_kerberos_admin_port',` dnl
dnl Interface corenet_udp_sendrecv_kerberos_admin_port - arg 1: domain type granted access.
dnl Composes the UDP send and receive interfaces for arg 1; no gen_require here because the callees declare the port type.
dnl The define/pushdef/undefine lines maintain policy_call_depth for the policy_m4_comment begin/end markers and emit no rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_kerberos_admin_port'($*)) dnl
corenet_udp_send_kerberos_admin_port($1)
corenet_udp_receive_kerberos_admin_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_kerberos_admin_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the kerberos_admin port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_kerberos_admin_port',` dnl
dnl Interface corenet_dontaudit_udp_sendrecv_kerberos_admin_port - arg 1: domain type whose denials are silenced.
dnl Composes the dontaudit UDP send and receive interfaces for arg 1; grants nothing, only suppresses AVC denial records - use for known-benign traffic only.
dnl The define/pushdef/undefine lines maintain policy_call_depth for the policy_m4_comment begin/end markers and emit no rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_kerberos_admin_port'($*)) dnl
corenet_dontaudit_udp_send_kerberos_admin_port($1)
corenet_dontaudit_udp_receive_kerberos_admin_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_kerberos_admin_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the kerberos_admin port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_kerberos_admin_port',` dnl
dnl Interface corenet_tcp_bind_kerberos_admin_port - arg 1: domain type granted access.
dnl Emits: allow arg1 kerberos_admin_port_t:tcp_socket name_bind, plus allow arg1 self:capability net_bind_service.
dnl NOTE(review): net_bind_service is a process capability, not port-scoped - it lets the domain bind any privileged port; only the name_bind rule is specific to this port. Presumably granted because this port is below 1024 (port number not shown here - verify in the port declarations). The jabber_interserver bind interfaces above grant no capability.
dnl The define/pushdef/undefine lines maintain policy_call_depth for the policy_m4_comment begin/end markers and emit no rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_kerberos_admin_port'($*)) dnl
gen_require(`
type kerberos_admin_port_t;
')
allow $1 kerberos_admin_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_kerberos_admin_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the kerberos_admin port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_kerberos_admin_port',` dnl
dnl Interface corenet_udp_bind_kerberos_admin_port - arg 1: domain type granted access.
dnl Emits: allow arg1 kerberos_admin_port_t:udp_socket name_bind, plus allow arg1 self:capability net_bind_service.
dnl NOTE(review): net_bind_service is a process capability, not port-scoped - it lets the domain bind any privileged port; only the name_bind rule is specific to this port. Presumably granted because this port is below 1024 (port number not shown here - verify in the port declarations). The jabber_interserver bind interfaces above grant no capability.
dnl The define/pushdef/undefine lines maintain policy_call_depth for the policy_m4_comment begin/end markers and emit no rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_kerberos_admin_port'($*)) dnl
gen_require(`
type kerberos_admin_port_t;
')
allow $1 kerberos_admin_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_kerberos_admin_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the kerberos_admin port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_kerberos_admin_port',` dnl
dnl Interface corenet_tcp_connect_kerberos_admin_port - arg 1: domain type granted access.
dnl Emits: allow arg1 kerberos_admin_port_t:tcp_socket name_connect (outbound connect only; binding is a separate interface).
dnl The define/pushdef/undefine lines maintain policy_call_depth for the policy_m4_comment begin/end markers and emit no rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_kerberos_admin_port'($*)) dnl
gen_require(`
type kerberos_admin_port_t;
')
allow $1 kerberos_admin_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_kerberos_admin_port'($*)) dnl
')
########################################
##
## Send kerberos_admin_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_kerberos_admin_client_packets',` dnl
dnl Interface corenet_send_kerberos_admin_client_packets - arg 1: domain type granted access.
dnl Emits: allow arg1 kerberos_admin_client_packet_t:packet send.
dnl The define/pushdef/undefine lines maintain policy_call_depth for the policy_m4_comment begin/end markers and emit no rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_kerberos_admin_client_packets'($*)) dnl
gen_require(`
type kerberos_admin_client_packet_t;
')
allow $1 kerberos_admin_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_kerberos_admin_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send kerberos_admin_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_kerberos_admin_client_packets',` dnl
dnl Interface corenet_dontaudit_send_kerberos_admin_client_packets - arg 1: domain type whose denials are silenced.
dnl Emits: dontaudit arg1 kerberos_admin_client_packet_t:packet send. Grants nothing; only suppresses the AVC denial record - use for known-benign traffic only.
dnl The define/pushdef/undefine lines maintain policy_call_depth for the policy_m4_comment begin/end markers and emit no rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_kerberos_admin_client_packets'($*)) dnl
gen_require(`
type kerberos_admin_client_packet_t;
')
dontaudit $1 kerberos_admin_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_kerberos_admin_client_packets'($*)) dnl
')
########################################
##
## Receive kerberos_admin_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_kerberos_admin_client_packets',` dnl
dnl Interface corenet_receive_kerberos_admin_client_packets - arg 1: domain type granted access.
dnl Emits: allow arg1 kerberos_admin_client_packet_t:packet recv.
dnl The define/pushdef/undefine lines maintain policy_call_depth for the policy_m4_comment begin/end markers and emit no rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_kerberos_admin_client_packets'($*)) dnl
gen_require(`
type kerberos_admin_client_packet_t;
')
allow $1 kerberos_admin_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_kerberos_admin_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive kerberos_admin_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_kerberos_admin_client_packets',` dnl
dnl Interface corenet_dontaudit_receive_kerberos_admin_client_packets - arg 1: domain type whose denials are silenced (the header above this define says allowed access, but the rule is a dontaudit).
dnl Emits: dontaudit arg1 kerberos_admin_client_packet_t:packet recv. Grants nothing; only suppresses the AVC denial record - use for known-benign traffic only.
dnl The define/pushdef/undefine lines maintain policy_call_depth for the policy_m4_comment begin/end markers and emit no rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_kerberos_admin_client_packets'($*)) dnl
gen_require(`
type kerberos_admin_client_packet_t;
')
dontaudit $1 kerberos_admin_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_kerberos_admin_client_packets'($*)) dnl
')
########################################
##
## Send and receive kerberos_admin_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_kerberos_admin_client_packets',` dnl
dnl Interface corenet_sendrecv_kerberos_admin_client_packets - arg 1: domain type granted access.
dnl Composes the send and receive packet interfaces for arg 1; no gen_require here because the callees declare the packet type.
dnl The define/pushdef/undefine lines maintain policy_call_depth for the policy_m4_comment begin/end markers and emit no rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_kerberos_admin_client_packets'($*)) dnl
corenet_send_kerberos_admin_client_packets($1)
corenet_receive_kerberos_admin_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_kerberos_admin_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive kerberos_admin_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_kerberos_admin_client_packets',` dnl
dnl Interface corenet_dontaudit_sendrecv_kerberos_admin_client_packets - arg 1: domain type whose denials are silenced.
dnl Composes the dontaudit send and receive packet interfaces for arg 1; grants nothing, only suppresses AVC denial records - use for known-benign traffic only.
dnl The define/pushdef/undefine lines maintain policy_call_depth for the policy_m4_comment begin/end markers and emit no rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_kerberos_admin_client_packets'($*)) dnl
corenet_dontaudit_send_kerberos_admin_client_packets($1)
corenet_dontaudit_receive_kerberos_admin_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_kerberos_admin_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the kerberos_admin_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_kerberos_admin_client_packets',` dnl
dnl Interface corenet_relabelto_kerberos_admin_client_packets - arg 1: domain type granted access.
dnl Emits: allow arg1 kerberos_admin_client_packet_t:packet relabelto, i.e. the domain may assign this packet label. Where packet labels are applied is not shown in this file - confirm the labeling path before granting.
dnl The define/pushdef/undefine lines maintain policy_call_depth for the policy_m4_comment begin/end markers and emit no rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_kerberos_admin_client_packets'($*)) dnl
gen_require(`
type kerberos_admin_client_packet_t;
')
allow $1 kerberos_admin_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_kerberos_admin_client_packets'($*)) dnl
')
########################################
##
## Send kerberos_admin_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_kerberos_admin_server_packets',` dnl
dnl Interface corenet_send_kerberos_admin_server_packets - arg 1: domain type granted access.
dnl Emits: allow arg1 kerberos_admin_server_packet_t:packet send.
dnl The define/pushdef/undefine lines maintain policy_call_depth for the policy_m4_comment begin/end markers and emit no rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_kerberos_admin_server_packets'($*)) dnl
gen_require(`
type kerberos_admin_server_packet_t;
')
allow $1 kerberos_admin_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_kerberos_admin_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send kerberos_admin_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_kerberos_admin_server_packets',` dnl
dnl Interface corenet_dontaudit_send_kerberos_admin_server_packets - arg 1: domain type whose denials are silenced.
dnl Emits: dontaudit arg1 kerberos_admin_server_packet_t:packet send. Grants nothing; only suppresses the AVC denial record - use for known-benign traffic only.
dnl The define/pushdef/undefine lines maintain policy_call_depth for the policy_m4_comment begin/end markers and emit no rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_kerberos_admin_server_packets'($*)) dnl
gen_require(`
type kerberos_admin_server_packet_t;
')
dontaudit $1 kerberos_admin_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_kerberos_admin_server_packets'($*)) dnl
')
########################################
##
## Receive kerberos_admin_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_kerberos_admin_server_packets',` dnl
dnl Interface corenet_receive_kerberos_admin_server_packets - arg 1: domain type granted access.
dnl Emits: allow arg1 kerberos_admin_server_packet_t:packet recv.
dnl The define/pushdef/undefine lines maintain policy_call_depth for the policy_m4_comment begin/end markers and emit no rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_kerberos_admin_server_packets'($*)) dnl
gen_require(`
type kerberos_admin_server_packet_t;
')
allow $1 kerberos_admin_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_kerberos_admin_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive kerberos_admin_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_kerberos_admin_server_packets',` dnl
dnl Interface corenet_dontaudit_receive_kerberos_admin_server_packets - arg 1: domain type whose denials are silenced (the header above this define says allowed access, but the rule is a dontaudit).
dnl Emits: dontaudit arg1 kerberos_admin_server_packet_t:packet recv. Grants nothing; only suppresses the AVC denial record - use for known-benign traffic only.
dnl The define/pushdef/undefine lines maintain policy_call_depth for the policy_m4_comment begin/end markers and emit no rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_kerberos_admin_server_packets'($*)) dnl
gen_require(`
type kerberos_admin_server_packet_t;
')
dontaudit $1 kerberos_admin_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_kerberos_admin_server_packets'($*)) dnl
')
########################################
##
## Send and receive kerberos_admin_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_kerberos_admin_server_packets',` dnl
dnl Interface corenet_sendrecv_kerberos_admin_server_packets - arg 1: domain type granted access.
dnl Composes the send and receive packet interfaces for arg 1; no gen_require here because the callees declare the packet type.
dnl The define/pushdef/undefine lines maintain policy_call_depth for the policy_m4_comment begin/end markers and emit no rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_kerberos_admin_server_packets'($*)) dnl
corenet_send_kerberos_admin_server_packets($1)
corenet_receive_kerberos_admin_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_kerberos_admin_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive kerberos_admin_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_kerberos_admin_server_packets',` dnl
dnl Interface corenet_dontaudit_sendrecv_kerberos_admin_server_packets - arg 1: domain type whose denials are silenced.
dnl Composes the dontaudit send and receive packet interfaces for arg 1; grants nothing, only suppresses AVC denial records - use for known-benign traffic only.
dnl The define/pushdef/undefine lines maintain policy_call_depth for the policy_m4_comment begin/end markers and emit no rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_kerberos_admin_server_packets'($*)) dnl
corenet_dontaudit_send_kerberos_admin_server_packets($1)
corenet_dontaudit_receive_kerberos_admin_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_kerberos_admin_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the kerberos_admin_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_kerberos_admin_server_packets',` dnl
dnl Interface corenet_relabelto_kerberos_admin_server_packets - arg 1: domain type granted access.
dnl Emits: allow arg1 kerberos_admin_server_packet_t:packet relabelto, i.e. the domain may assign this packet label. Where packet labels are applied is not shown in this file - confirm the labeling path before granting.
dnl The define/pushdef/undefine lines maintain policy_call_depth for the policy_m4_comment begin/end markers and emit no rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_kerberos_admin_server_packets'($*)) dnl
gen_require(`
type kerberos_admin_server_packet_t;
')
allow $1 kerberos_admin_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_kerberos_admin_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the kerberos_master port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_kerberos_master_port',` dnl
dnl Interface corenet_tcp_sendrecv_kerberos_master_port - arg 1: domain type granted access.
dnl Emits: allow arg1 kerberos_master_port_t:tcp_socket { send_msg recv_msg }. Traffic permissions only; bind and connect are separate interfaces.
dnl The define/pushdef/undefine lines maintain policy_call_depth for the policy_m4_comment begin/end markers and emit no rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_kerberos_master_port'($*)) dnl
gen_require(`
type kerberos_master_port_t;
')
allow $1 kerberos_master_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_kerberos_master_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the kerberos_master port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_kerberos_master_port',` dnl
dnl Interface corenet_udp_send_kerberos_master_port - arg 1: domain type granted access.
dnl Emits: allow arg1 kerberos_master_port_t:udp_socket send_msg.
dnl The define/pushdef/undefine lines maintain policy_call_depth for the policy_m4_comment begin/end markers and emit no rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_kerberos_master_port'($*)) dnl
gen_require(`
type kerberos_master_port_t;
')
allow $1 kerberos_master_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_kerberos_master_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the kerberos_master port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_kerberos_master_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_kerberos_master_port'($*)) dnl
# Purpose: suppress AVC denial records when the caller domain (arg 1)
# tries to send UDP messages to the kerberos_master port label.
# This grants nothing: the access is still denied, but the denial is
# no longer written to the audit log and so is invisible to log-based
# monitoring. Use only for known-benign noise.
gen_require(`
type kerberos_master_port_t;
')
dontaudit $1 kerberos_master_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_kerberos_master_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the kerberos_master port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_kerberos_master_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_kerberos_master_port'($*)) dnl
# Purpose: allow the caller domain (arg 1) to receive UDP messages from
# the kerberos_master port label (receive direction only).
gen_require(`
type kerberos_master_port_t;
')
allow $1 kerberos_master_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_kerberos_master_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the kerberos_master port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_kerberos_master_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_kerberos_master_port'($*)) dnl
# Purpose: suppress AVC denial records when the caller domain (arg 1)
# tries to receive UDP messages from the kerberos_master port label.
# Grants nothing; the denial still occurs but is not logged.
gen_require(`
type kerberos_master_port_t;
')
dontaudit $1 kerberos_master_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_kerberos_master_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the kerberos_master port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_kerberos_master_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_kerberos_master_port'($*)) dnl
# Purpose: both UDP directions on the kerberos_master port label for the
# caller domain (arg 1), composed from the send and receive interfaces.
# The require block for the port type comes from the callees.
corenet_udp_send_kerberos_master_port($1)
corenet_udp_receive_kerberos_master_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_kerberos_master_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the kerberos_master port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_kerberos_master_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_kerberos_master_port'($*)) dnl
# Purpose: suppress denial records for both UDP directions on the
# kerberos_master port label for the caller domain (arg 1). Composed
# from the two single-direction dontaudit interfaces; grants nothing.
corenet_dontaudit_udp_send_kerberos_master_port($1)
corenet_dontaudit_udp_receive_kerberos_master_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_kerberos_master_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the kerberos_master port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_kerberos_master_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_kerberos_master_port'($*)) dnl
# Purpose: allow the caller domain (arg 1) to bind TCP sockets to the
# kerberos_master port label. Only name_bind is granted; unlike the
# kerberos_port bind interfaces in this file, no net_bind_service
# capability is added to the domain.
gen_require(`
type kerberos_master_port_t;
')
allow $1 kerberos_master_port_t:tcp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_kerberos_master_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the kerberos_master port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_kerberos_master_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_kerberos_master_port'($*)) dnl
# Purpose: allow the caller domain (arg 1) to bind UDP sockets to the
# kerberos_master port label. Only name_bind is granted; no
# net_bind_service capability is added (contrast the kerberos_port
# bind interfaces in this file).
gen_require(`
type kerberos_master_port_t;
')
allow $1 kerberos_master_port_t:udp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_kerberos_master_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the kerberos_master port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_kerberos_master_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_kerberos_master_port'($*)) dnl
# Purpose: allow the caller domain (arg 1) to initiate TCP connections
# to the kerberos_master port label (name_connect only; bind is not
# granted here).
gen_require(`
type kerberos_master_port_t;
')
allow $1 kerberos_master_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_kerberos_master_port'($*)) dnl
')
########################################
##
## Send kerberos_master_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_kerberos_master_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_kerberos_master_client_packets'($*)) dnl
# Purpose: allow the caller domain (arg 1) to send packets labelled
# kerberos_master_client_packet_t (packet class, send permission).
# The require block makes the packet type a declared dependency.
gen_require(`
type kerberos_master_client_packet_t;
')
allow $1 kerberos_master_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_kerberos_master_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send kerberos_master_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_kerberos_master_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_kerberos_master_client_packets'($*)) dnl
# Purpose: suppress AVC denial records when the caller domain (arg 1)
# tries to send packets labelled kerberos_master_client_packet_t.
# Grants nothing; the denial still occurs but is not logged.
gen_require(`
type kerberos_master_client_packet_t;
')
dontaudit $1 kerberos_master_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_kerberos_master_client_packets'($*)) dnl
')
########################################
##
## Receive kerberos_master_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_kerberos_master_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_kerberos_master_client_packets'($*)) dnl
# Purpose: allow the caller domain (arg 1) to receive packets labelled
# kerberos_master_client_packet_t (packet class, recv permission).
gen_require(`
type kerberos_master_client_packet_t;
')
allow $1 kerberos_master_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_kerberos_master_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive kerberos_master_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_kerberos_master_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_kerberos_master_client_packets'($*)) dnl
# Purpose: suppress AVC denial records when the caller domain (arg 1)
# tries to receive packets labelled kerberos_master_client_packet_t.
# Grants nothing; the denial still occurs but is not logged.
gen_require(`
type kerberos_master_client_packet_t;
')
dontaudit $1 kerberos_master_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_kerberos_master_client_packets'($*)) dnl
')
########################################
##
## Send and receive kerberos_master_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_kerberos_master_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_kerberos_master_client_packets'($*)) dnl
# Purpose: send plus receive of kerberos_master_client_packet_t packets
# for the caller domain (arg 1), composed from the two single-direction
# interfaces above; the require block comes from the callees.
corenet_send_kerberos_master_client_packets($1)
corenet_receive_kerberos_master_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_kerberos_master_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive kerberos_master_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_kerberos_master_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_kerberos_master_client_packets'($*)) dnl
# Purpose: suppress denial records for both send and receive of
# kerberos_master_client_packet_t packets by the caller domain (arg 1).
# Composed from the two single-direction dontaudit interfaces; grants
# nothing, only hides the denials from the audit log.
corenet_dontaudit_send_kerberos_master_client_packets($1)
corenet_dontaudit_receive_kerberos_master_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_kerberos_master_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the kerberos_master_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_kerberos_master_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_kerberos_master_client_packets'($*)) dnl
# Purpose: allow the caller domain (arg 1) to relabel packets to
# kerberos_master_client_packet_t. A labelling privilege over the packet
# class, distinct from send or receive access to that label.
gen_require(`
type kerberos_master_client_packet_t;
')
allow $1 kerberos_master_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_kerberos_master_client_packets'($*)) dnl
')
########################################
##
## Send kerberos_master_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_kerberos_master_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_kerberos_master_server_packets'($*)) dnl
# Purpose: allow the caller domain (arg 1) to send packets labelled
# kerberos_master_server_packet_t (packet class, send permission).
# The require block makes the packet type a declared dependency.
gen_require(`
type kerberos_master_server_packet_t;
')
allow $1 kerberos_master_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_kerberos_master_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send kerberos_master_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_kerberos_master_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_kerberos_master_server_packets'($*)) dnl
# Purpose: suppress AVC denial records when the caller domain (arg 1)
# tries to send packets labelled kerberos_master_server_packet_t.
# Grants nothing; the denial still occurs but is not logged.
gen_require(`
type kerberos_master_server_packet_t;
')
dontaudit $1 kerberos_master_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_kerberos_master_server_packets'($*)) dnl
')
########################################
##
## Receive kerberos_master_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_kerberos_master_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_kerberos_master_server_packets'($*)) dnl
# Purpose: allow the caller domain (arg 1) to receive packets labelled
# kerberos_master_server_packet_t (packet class, recv permission).
gen_require(`
type kerberos_master_server_packet_t;
')
allow $1 kerberos_master_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_kerberos_master_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive kerberos_master_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_kerberos_master_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_kerberos_master_server_packets'($*)) dnl
# Purpose: suppress AVC denial records when the caller domain (arg 1)
# tries to receive packets labelled kerberos_master_server_packet_t.
# Grants nothing; the denial still occurs but is not logged.
gen_require(`
type kerberos_master_server_packet_t;
')
dontaudit $1 kerberos_master_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_kerberos_master_server_packets'($*)) dnl
')
########################################
##
## Send and receive kerberos_master_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_kerberos_master_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_kerberos_master_server_packets'($*)) dnl
# Purpose: send plus receive of kerberos_master_server_packet_t packets
# for the caller domain (arg 1), composed from the two single-direction
# interfaces above; the require block comes from the callees.
corenet_send_kerberos_master_server_packets($1)
corenet_receive_kerberos_master_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_kerberos_master_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive kerberos_master_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_kerberos_master_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_kerberos_master_server_packets'($*)) dnl
# Purpose: suppress denial records for both send and receive of
# kerberos_master_server_packet_t packets by the caller domain (arg 1).
# Composed from the two single-direction dontaudit interfaces; grants
# nothing, only hides the denials from the audit log.
corenet_dontaudit_send_kerberos_master_server_packets($1)
corenet_dontaudit_receive_kerberos_master_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_kerberos_master_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the kerberos_master_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_kerberos_master_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_kerberos_master_server_packets'($*)) dnl
# Purpose: allow the caller domain (arg 1) to relabel packets to
# kerberos_master_server_packet_t. A labelling privilege over the packet
# class, distinct from send or receive access to that label.
gen_require(`
type kerberos_master_server_packet_t;
')
allow $1 kerberos_master_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_kerberos_master_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the kerberos port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_kerberos_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_kerberos_port'($*)) dnl
# Purpose: allow the caller domain (arg 1) to send and receive TCP
# messages on sockets associated with the kerberos port label.
# No bind or connect permission is granted here.
gen_require(`
type kerberos_port_t;
')
allow $1 kerberos_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_kerberos_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the kerberos port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_kerberos_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_kerberos_port'($*)) dnl
# Purpose: allow the caller domain (arg 1) to send UDP messages to the
# kerberos port label (send direction only).
gen_require(`
type kerberos_port_t;
')
allow $1 kerberos_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_kerberos_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the kerberos port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_kerberos_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_kerberos_port'($*)) dnl
# Purpose: suppress AVC denial records when the caller domain (arg 1)
# tries to send UDP messages to the kerberos port label.
# Grants nothing; the denial still occurs but is not logged, so it is
# invisible to log-based monitoring.
gen_require(`
type kerberos_port_t;
')
dontaudit $1 kerberos_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_kerberos_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the kerberos port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_kerberos_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_kerberos_port'($*)) dnl
# Purpose: allow the caller domain (arg 1) to receive UDP messages from
# the kerberos port label (receive direction only).
gen_require(`
type kerberos_port_t;
')
allow $1 kerberos_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_kerberos_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the kerberos port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_kerberos_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_kerberos_port'($*)) dnl
# Purpose: suppress AVC denial records when the caller domain (arg 1)
# tries to receive UDP messages from the kerberos port label.
# Grants nothing; the denial still occurs but is not logged.
gen_require(`
type kerberos_port_t;
')
dontaudit $1 kerberos_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_kerberos_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the kerberos port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_kerberos_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_kerberos_port'($*)) dnl
# Purpose: both UDP directions on the kerberos port label for the caller
# domain (arg 1), composed from the send and receive interfaces above.
# The require block for the port type comes from the callees.
corenet_udp_send_kerberos_port($1)
corenet_udp_receive_kerberos_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_kerberos_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the kerberos port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_kerberos_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_kerberos_port'($*)) dnl
# Purpose: suppress denial records for both UDP directions on the
# kerberos port label for the caller domain (arg 1). Composed from the
# two single-direction dontaudit interfaces; grants nothing.
corenet_dontaudit_udp_send_kerberos_port($1)
corenet_dontaudit_udp_receive_kerberos_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_kerberos_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the kerberos port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_kerberos_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_kerberos_port'($*)) dnl
# Purpose: allow the caller domain (arg 1) to bind TCP sockets to the
# kerberos port label.
# NOTE(review): the second rule grants net_bind_service on the domain
# itself. That is a process capability, not a per-port permission: it
# is not scoped to this port and applies to any privileged port the
# domain can otherwise name_bind to. The kerberos_master bind
# interfaces in this file do not grant it; callers should expect the
# wider grant.
gen_require(`
type kerberos_port_t;
')
allow $1 kerberos_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_kerberos_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the kerberos port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_kerberos_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_kerberos_port'($*)) dnl
# Purpose: allow the caller domain (arg 1) to bind UDP sockets to the
# kerberos port label.
# NOTE(review): the second rule also grants net_bind_service on the
# domain itself, a process-wide capability that is not scoped to this
# port. The kerberos_master bind interfaces in this file grant only
# name_bind; this interface is the wider of the two.
gen_require(`
type kerberos_port_t;
')
allow $1 kerberos_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_kerberos_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the kerberos port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_kerberos_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_kerberos_port'($*)) dnl
# Purpose: allow the caller domain (arg 1) to initiate TCP connections
# to the kerberos port label (name_connect only; no bind and no
# capability is granted here).
gen_require(`
type kerberos_port_t;
')
allow $1 kerberos_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_kerberos_port'($*)) dnl
')
########################################
##
## Send kerberos_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_kerberos_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_kerberos_client_packets'($*)) dnl
# Purpose: allow the caller domain (arg 1) to send packets labelled
# kerberos_client_packet_t (packet class, send permission).
# The require block makes the packet type a declared dependency.
gen_require(`
type kerberos_client_packet_t;
')
allow $1 kerberos_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_kerberos_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send kerberos_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_kerberos_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_kerberos_client_packets'($*)) dnl
# Purpose: suppress AVC denial records when the caller domain (arg 1)
# tries to send packets labelled kerberos_client_packet_t.
# Grants nothing; the denial still occurs but is not logged.
gen_require(`
type kerberos_client_packet_t;
')
dontaudit $1 kerberos_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_kerberos_client_packets'($*)) dnl
')
########################################
##
## Receive kerberos_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_kerberos_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_kerberos_client_packets'($*)) dnl
# Purpose: allow the caller domain (arg 1) to receive packets labelled
# kerberos_client_packet_t (packet class, recv permission).
gen_require(`
type kerberos_client_packet_t;
')
allow $1 kerberos_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_kerberos_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive kerberos_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_kerberos_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_kerberos_client_packets'($*)) dnl
# Purpose: suppress AVC denial records when the caller domain (arg 1)
# tries to receive packets labelled kerberos_client_packet_t.
# Grants nothing; the denial still occurs but is not logged.
gen_require(`
type kerberos_client_packet_t;
')
dontaudit $1 kerberos_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_kerberos_client_packets'($*)) dnl
')
########################################
##
## Send and receive kerberos_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_kerberos_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_kerberos_client_packets'($*)) dnl
# Purpose: send plus receive of kerberos_client_packet_t packets for the
# caller domain (arg 1), composed from the two single-direction
# interfaces above; the require block comes from the callees.
corenet_send_kerberos_client_packets($1)
corenet_receive_kerberos_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_kerberos_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive kerberos_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_kerberos_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_kerberos_client_packets'($*)) dnl
# Purpose: suppress denial records for both send and receive of
# kerberos_client_packet_t packets by the caller domain (arg 1).
# Composed from the two single-direction dontaudit interfaces; grants
# nothing, only hides the denials from the audit log.
corenet_dontaudit_send_kerberos_client_packets($1)
corenet_dontaudit_receive_kerberos_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_kerberos_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the kerberos_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_kerberos_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_kerberos_client_packets'($*)) dnl
# Purpose: allow the caller domain (arg 1) to relabel packets to
# kerberos_client_packet_t. A labelling privilege over the packet class,
# distinct from send or receive access to that label.
gen_require(`
type kerberos_client_packet_t;
')
allow $1 kerberos_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_kerberos_client_packets'($*)) dnl
')
########################################
##
## Send kerberos_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_kerberos_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_kerberos_server_packets'($*)) dnl
# Purpose: allow the caller domain (arg 1) to send packets labelled
# kerberos_server_packet_t (packet class, send permission).
# The require block makes the packet type a declared dependency.
gen_require(`
type kerberos_server_packet_t;
')
allow $1 kerberos_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_kerberos_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send kerberos_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_kerberos_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_kerberos_server_packets'($*)) dnl
# Purpose: suppress AVC denial records when the caller domain (arg 1)
# tries to send packets labelled kerberos_server_packet_t.
# Grants nothing; the denial still occurs but is not logged.
gen_require(`
type kerberos_server_packet_t;
')
dontaudit $1 kerberos_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_kerberos_server_packets'($*)) dnl
')
########################################
##
## Receive kerberos_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_kerberos_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_kerberos_server_packets'($*)) dnl
# Purpose: allow the caller domain (arg 1) to receive packets labelled
# kerberos_server_packet_t (packet class, recv permission).
gen_require(`
type kerberos_server_packet_t;
')
allow $1 kerberos_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_kerberos_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive kerberos_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_kerberos_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_kerberos_server_packets'($*)) dnl
# Purpose: suppress AVC denial records when the caller domain (arg 1)
# tries to receive packets labelled kerberos_server_packet_t.
# Grants nothing; the denial still occurs but is not logged.
gen_require(`
type kerberos_server_packet_t;
')
dontaudit $1 kerberos_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_kerberos_server_packets'($*)) dnl
')
########################################
##
## Send and receive kerberos_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_kerberos_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_kerberos_server_packets'($*)) dnl
dnl Convenience wrapper granting both packet directions (send and recv) to the domain in
dnl argument 1 by calling the two single-direction interfaces; each of those carries its own
dnl gen_require.  Callers that only need one direction should use that interface instead.
corenet_send_kerberos_server_packets($1)
corenet_receive_kerberos_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_kerberos_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive kerberos_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_kerberos_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_kerberos_server_packets'($*)) dnl
dnl Convenience wrapper: suppress audit records for both packet directions for the domain
dnl in argument 1 by delegating to the two single-direction dontaudit interfaces.
dnl No access is granted by this interface; denials are merely not logged.
corenet_dontaudit_send_kerberos_server_packets($1)
corenet_dontaudit_receive_kerberos_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_kerberos_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the kerberos_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_kerberos_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_kerberos_server_packets'($*)) dnl
dnl Allow the domain in argument 1 to relabel packets to kerberos_server_packet_t.
dnl NOTE(review): packet relabelto is normally only needed by the domain that installs
dnl SECMARK (netfilter) rules; keep the set of callers of this interface minimal.
gen_require(`
type kerberos_server_packet_t;
')
allow $1 kerberos_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_kerberos_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the kprop port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_kprop_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_kprop_port'($*)) dnl
dnl Allow the domain in argument 1 to send and receive on TCP sockets associated with
dnl kprop_port_t.  This covers traffic on an established socket only; binding (name_bind)
dnl and connecting (name_connect) are granted separately by the bind/connect interfaces.
gen_require(`
type kprop_port_t;
')
allow $1 kprop_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_kprop_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the kprop port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_kprop_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_kprop_port'($*)) dnl
dnl Allow the domain in argument 1 to send UDP datagrams to kprop_port_t.
dnl Only send_msg is granted here; receiving replies needs the matching receive interface,
dnl and binding a local socket to this port needs corenet_udp_bind_kprop_port.
gen_require(`
type kprop_port_t;
')
allow $1 kprop_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_kprop_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the kprop port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_kprop_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_kprop_port'($*)) dnl
dnl Silence AVC denials for the domain in argument 1 sending UDP datagrams to kprop_port_t.
dnl dontaudit grants nothing; the send is still refused, only the log record is dropped.
dnl Use it for expected, harmless noise rather than to quiet a real policy gap.
gen_require(`
type kprop_port_t;
')
dontaudit $1 kprop_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_kprop_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the kprop port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_kprop_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_kprop_port'($*)) dnl
dnl Allow the domain in argument 1 to receive UDP datagrams on kprop_port_t.
dnl Only recv_msg is granted; sending needs corenet_udp_send_kprop_port and binding a
dnl local socket to the port needs corenet_udp_bind_kprop_port.
gen_require(`
type kprop_port_t;
')
allow $1 kprop_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_kprop_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the kprop port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_kprop_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_kprop_port'($*)) dnl
dnl Silence AVC denials for the domain in argument 1 receiving UDP datagrams on kprop_port_t.
dnl dontaudit only suppresses the audit record; the datagram is still dropped.  Do not use it
dnl to paper over a missing allow rule.
gen_require(`
type kprop_port_t;
')
dontaudit $1 kprop_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_kprop_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the kprop port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_kprop_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_kprop_port'($*)) dnl
dnl Convenience wrapper granting both UDP directions on kprop_port_t to the domain in
dnl argument 1 via the single-direction interfaces, which supply their own gen_require.
dnl Prefer the single-direction interface when only one direction is needed.
corenet_udp_send_kprop_port($1)
corenet_udp_receive_kprop_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_kprop_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the kprop port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_kprop_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_kprop_port'($*)) dnl
dnl Convenience wrapper: suppress audit records for both UDP directions on kprop_port_t
dnl for the domain in argument 1 by delegating to the two dontaudit interfaces.
dnl Grants no access; denials are simply not logged.
corenet_dontaudit_udp_send_kprop_port($1)
corenet_dontaudit_udp_receive_kprop_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_kprop_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the kprop port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_kprop_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_kprop_port'($*)) dnl
dnl Allow the domain in argument 1 to bind a TCP socket to kprop_port_t, plus the
dnl net_bind_service capability the kernel requires to bind a port number below 1024.
dnl NOTE(review): the capability rule is on self and is not scoped to this port; it also
dnl unlocks binding to any other privileged port the domain holds name_bind for.
gen_require(`
type kprop_port_t;
')
allow $1 kprop_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_kprop_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the kprop port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_kprop_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_kprop_port'($*)) dnl
dnl Allow the domain in argument 1 to bind a UDP socket to kprop_port_t, plus the
dnl net_bind_service capability the kernel requires for port numbers below 1024.
dnl NOTE(review): the self:capability grant is port-agnostic; it extends to every other
dnl privileged port this domain has name_bind on.  Audit callers accordingly.
gen_require(`
type kprop_port_t;
')
allow $1 kprop_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_kprop_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the kprop port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_kprop_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_kprop_port'($*)) dnl
dnl Allow the domain in argument 1 to make outbound TCP connections to kprop_port_t
dnl (name_connect is the check applied at connect time).  Refpolicy callers conventionally
dnl pair this with corenet_tcp_sendrecv_kprop_port for the traffic on the resulting socket.
gen_require(`
type kprop_port_t;
')
allow $1 kprop_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_kprop_port'($*)) dnl
')
########################################
##
## Send kprop_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_kprop_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_kprop_client_packets'($*)) dnl
dnl Allow the domain in argument 1 to send packets labeled kprop_client_packet_t.
dnl NOTE(review): packet-class checks apply only to SECMARK-labeled traffic; without a
dnl SECMARK rule assigning this type the rule has no effect.  Confirm on the target host.
gen_require(`
type kprop_client_packet_t;
')
allow $1 kprop_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_kprop_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send kprop_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_kprop_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_kprop_client_packets'($*)) dnl
dnl Silence AVC denials for the domain in argument 1 sending kprop_client_packet_t packets.
dnl dontaudit grants nothing and only suppresses the audit record; use it for known-benign
dnl noise, not as a substitute for the allow interface.
gen_require(`
type kprop_client_packet_t;
')
dontaudit $1 kprop_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_kprop_client_packets'($*)) dnl
')
########################################
##
## Receive kprop_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_kprop_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_kprop_client_packets'($*)) dnl
dnl Allow the domain in argument 1 to receive packets labeled kprop_client_packet_t.
dnl NOTE(review): enforced only for SECMARK-labeled traffic; inert if no netfilter rule
dnl assigns this label.  Confirm the SECMARK configuration on the target.
gen_require(`
type kprop_client_packet_t;
')
allow $1 kprop_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_kprop_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive kprop_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_kprop_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_kprop_client_packets'($*)) dnl
dnl Silence AVC denials for the domain in argument 1 receiving kprop_client_packet_t packets.
dnl The packet is still dropped; dontaudit only removes the log entry.  Do not use it to
dnl hide a denial that actually needs an allow rule.
gen_require(`
type kprop_client_packet_t;
')
dontaudit $1 kprop_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_kprop_client_packets'($*)) dnl
')
########################################
##
## Send and receive kprop_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_kprop_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_kprop_client_packets'($*)) dnl
dnl Convenience wrapper granting both packet directions for kprop_client_packet_t to the
dnl domain in argument 1 by calling the single-direction interfaces (each has its own
dnl gen_require).  Use a single-direction interface when only one is needed.
corenet_send_kprop_client_packets($1)
corenet_receive_kprop_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_kprop_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive kprop_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_kprop_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_kprop_client_packets'($*)) dnl
dnl Convenience wrapper: suppress audit records for both packet directions for the domain
dnl in argument 1 by delegating to the two single-direction dontaudit interfaces.
dnl Grants no access.
corenet_dontaudit_send_kprop_client_packets($1)
corenet_dontaudit_receive_kprop_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_kprop_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the kprop_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_kprop_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_kprop_client_packets'($*)) dnl
dnl Allow the domain in argument 1 to relabel packets to kprop_client_packet_t.
dnl NOTE(review): normally only the domain that installs SECMARK (netfilter) rules needs
dnl packet relabelto; keep callers of this interface to a minimum.
gen_require(`
type kprop_client_packet_t;
')
allow $1 kprop_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_kprop_client_packets'($*)) dnl
')
########################################
##
## Send kprop_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_kprop_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_kprop_server_packets'($*)) dnl
dnl Allow the domain in argument 1 to send packets labeled kprop_server_packet_t.
dnl NOTE(review): the packet class is only checked on SECMARK-labeled traffic, so this
dnl rule is inert unless a netfilter rule assigns the label.  Confirm on target.
gen_require(`
type kprop_server_packet_t;
')
allow $1 kprop_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_kprop_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send kprop_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_kprop_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_kprop_server_packets'($*)) dnl
dnl Silence AVC denials for the domain in argument 1 sending kprop_server_packet_t packets.
dnl dontaudit grants no access; it only stops the denial from being logged.
dnl Intended for expected noise, not for working around a missing allow rule.
gen_require(`
type kprop_server_packet_t;
')
dontaudit $1 kprop_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_kprop_server_packets'($*)) dnl
')
########################################
##
## Receive kprop_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_kprop_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_kprop_server_packets'($*)) dnl
dnl Allow the domain in argument 1 to receive packets labeled kprop_server_packet_t.
dnl NOTE(review): enforced only for SECMARK-labeled traffic; has no effect when no
dnl netfilter rule assigns this type.  Confirm the SECMARK setup on the target.
gen_require(`
type kprop_server_packet_t;
')
allow $1 kprop_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_kprop_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive kprop_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_kprop_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_kprop_server_packets'($*)) dnl
dnl Silence AVC denials for the domain in argument 1 receiving kprop_server_packet_t packets.
dnl The access is still denied and the packet dropped; only the audit record is suppressed.
dnl Use for known-benign noise only.
gen_require(`
type kprop_server_packet_t;
')
dontaudit $1 kprop_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_kprop_server_packets'($*)) dnl
')
########################################
##
## Send and receive kprop_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_kprop_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_kprop_server_packets'($*)) dnl
dnl Convenience wrapper granting both packet directions for kprop_server_packet_t to the
dnl domain in argument 1 by calling the single-direction interfaces, each of which
dnl supplies its own gen_require.  Prefer one direction when that is all that is needed.
corenet_send_kprop_server_packets($1)
corenet_receive_kprop_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_kprop_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive kprop_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_kprop_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_kprop_server_packets'($*)) dnl
dnl Convenience wrapper: suppress audit records for both packet directions for the domain
dnl in argument 1 via the two single-direction dontaudit interfaces.  No access is granted.
corenet_dontaudit_send_kprop_server_packets($1)
corenet_dontaudit_receive_kprop_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_kprop_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the kprop_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_kprop_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_kprop_server_packets'($*)) dnl
dnl Allow the domain in argument 1 to relabel packets to kprop_server_packet_t.
dnl NOTE(review): packet relabelto is normally needed only by the domain installing
dnl SECMARK (netfilter) rules; review any other caller carefully.
gen_require(`
type kprop_server_packet_t;
')
allow $1 kprop_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_kprop_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the ktalkd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_ktalkd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ktalkd_port'($*)) dnl
dnl Allow the domain in argument 1 to send and receive on TCP sockets associated with
dnl ktalkd_port_t.  Covers traffic on an established socket only; name_bind and
dnl name_connect are granted separately by the bind and connect interfaces.
gen_require(`
type ktalkd_port_t;
')
allow $1 ktalkd_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ktalkd_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the ktalkd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_ktalkd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ktalkd_port'($*)) dnl
dnl Allow the domain in argument 1 to send UDP datagrams to ktalkd_port_t.
dnl Only send_msg is granted; replies need the receive interface and binding a local
dnl socket to this port needs corenet_udp_bind_ktalkd_port.
gen_require(`
type ktalkd_port_t;
')
allow $1 ktalkd_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_ktalkd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the ktalkd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_ktalkd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ktalkd_port'($*)) dnl
dnl Silence AVC denials for the domain in argument 1 sending UDP datagrams to ktalkd_port_t.
dnl dontaudit grants nothing; the send is still refused and only the log entry is dropped.
dnl Use for expected, harmless noise rather than to quiet a real policy gap.
gen_require(`
type ktalkd_port_t;
')
dontaudit $1 ktalkd_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ktalkd_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the ktalkd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_ktalkd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ktalkd_port'($*)) dnl
dnl Allow the domain in argument 1 to receive UDP datagrams on ktalkd_port_t.
dnl Only recv_msg is granted; sending needs corenet_udp_send_ktalkd_port and binding a
dnl local socket to the port needs corenet_udp_bind_ktalkd_port.
gen_require(`
type ktalkd_port_t;
')
allow $1 ktalkd_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ktalkd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the ktalkd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_ktalkd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ktalkd_port'($*)) dnl
dnl Silence AVC denials for the domain in argument 1 receiving UDP datagrams on ktalkd_port_t.
dnl dontaudit only suppresses the audit record; the datagram is still dropped.  Do not use
dnl it to paper over a missing allow rule.
gen_require(`
type ktalkd_port_t;
')
dontaudit $1 ktalkd_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ktalkd_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the ktalkd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_ktalkd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ktalkd_port'($*)) dnl
dnl Convenience wrapper granting both UDP directions on ktalkd_port_t to the domain in
dnl argument 1 via the single-direction interfaces, which supply their own gen_require.
dnl Prefer a single-direction interface when only one direction is needed.
corenet_udp_send_ktalkd_port($1)
corenet_udp_receive_ktalkd_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ktalkd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the ktalkd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_ktalkd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ktalkd_port'($*)) dnl
dnl Convenience wrapper: suppress audit records for both UDP directions on ktalkd_port_t
dnl for the domain in argument 1 by delegating to the two dontaudit interfaces.
dnl Grants no access; denials are simply not logged.
corenet_dontaudit_udp_send_ktalkd_port($1)
corenet_dontaudit_udp_receive_ktalkd_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ktalkd_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the ktalkd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_ktalkd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ktalkd_port'($*)) dnl
dnl Allow the domain in argument 1 to bind a TCP socket to ktalkd_port_t, plus the
dnl net_bind_service capability the kernel requires to bind a port number below 1024.
dnl NOTE(review): the capability rule is on self and is not scoped to this port; it also
dnl unlocks binding to any other privileged port the domain holds name_bind for.
gen_require(`
type ktalkd_port_t;
')
allow $1 ktalkd_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ktalkd_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the ktalkd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_ktalkd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ktalkd_port'($*)) dnl
dnl Allow the domain in argument 1 to bind a UDP socket to ktalkd_port_t, plus the
dnl net_bind_service capability the kernel requires for port numbers below 1024.
dnl NOTE(review): the self:capability grant is port-agnostic; it extends to every other
dnl privileged port this domain has name_bind on.  Audit callers accordingly.
gen_require(`
type ktalkd_port_t;
')
allow $1 ktalkd_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ktalkd_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the ktalkd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_ktalkd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ktalkd_port'($*)) dnl
dnl Allow the domain in argument 1 to make outbound TCP connections to ktalkd_port_t
dnl (name_connect is the check applied at connect time).  Refpolicy callers conventionally
dnl pair this with corenet_tcp_sendrecv_ktalkd_port for traffic on the resulting socket.
gen_require(`
type ktalkd_port_t;
')
allow $1 ktalkd_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ktalkd_port'($*)) dnl
')
########################################
##
## Send ktalkd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_ktalkd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ktalkd_client_packets'($*)) dnl
dnl Allow the domain in argument 1 to send packets labeled ktalkd_client_packet_t.
dnl NOTE(review): packet-class checks apply only to SECMARK-labeled traffic; without a
dnl netfilter rule assigning this type the rule has no effect.  Confirm on the target host.
gen_require(`
type ktalkd_client_packet_t;
')
allow $1 ktalkd_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ktalkd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send ktalkd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_ktalkd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ktalkd_client_packets'($*)) dnl
dnl Silence AVC denials for the domain in argument 1 sending ktalkd_client_packet_t packets.
dnl dontaudit grants nothing and only suppresses the audit record; use it for known-benign
dnl noise, not as a substitute for the allow interface.
gen_require(`
type ktalkd_client_packet_t;
')
dontaudit $1 ktalkd_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ktalkd_client_packets'($*)) dnl
')
########################################
##
## Receive ktalkd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_ktalkd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ktalkd_client_packets'($*)) dnl
dnl Allow the domain in argument 1 to receive packets labeled ktalkd_client_packet_t.
dnl NOTE(review): enforced only for SECMARK-labeled traffic; inert if no netfilter rule
dnl assigns this label.  Confirm the SECMARK configuration on the target.
gen_require(`
type ktalkd_client_packet_t;
')
allow $1 ktalkd_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ktalkd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive ktalkd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_ktalkd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ktalkd_client_packets'($*)) dnl
dnl Silence AVC denials for the domain in argument 1 receiving ktalkd_client_packet_t packets.
dnl The packet is still dropped; dontaudit only removes the log entry.  Do not use it to
dnl hide a denial that actually needs an allow rule.
gen_require(`
type ktalkd_client_packet_t;
')
dontaudit $1 ktalkd_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ktalkd_client_packets'($*)) dnl
')
########################################
##
## Send and receive ktalkd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_ktalkd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ktalkd_client_packets'($*)) dnl
dnl Convenience wrapper granting both packet directions for ktalkd_client_packet_t to the
dnl domain in argument 1 by calling the single-direction interfaces (each has its own
dnl gen_require).  Use a single-direction interface when only one is needed.
corenet_send_ktalkd_client_packets($1)
corenet_receive_ktalkd_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ktalkd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive ktalkd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_ktalkd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ktalkd_client_packets'($*)) dnl
dnl Convenience wrapper: suppress audit records for both packet directions for the domain
dnl in argument 1 via the two single-direction dontaudit interfaces.  No access is granted.
corenet_dontaudit_send_ktalkd_client_packets($1)
corenet_dontaudit_receive_ktalkd_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ktalkd_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the ktalkd_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_ktalkd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ktalkd_client_packets'($*)) dnl
dnl Allow the domain in argument 1 to relabel packets to ktalkd_client_packet_t.
dnl NOTE(review): normally only the domain that installs SECMARK (netfilter) rules needs
dnl packet relabelto; keep callers of this interface to a minimum.
gen_require(`
type ktalkd_client_packet_t;
')
allow $1 ktalkd_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ktalkd_client_packets'($*)) dnl
')
########################################
##
## Send ktalkd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_ktalkd_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ktalkd_server_packets'($*)) dnl
dnl Allow the domain in argument 1 to send packets labeled ktalkd_server_packet_t.
dnl NOTE(review): the packet class is only checked on SECMARK-labeled traffic, so this
dnl rule is inert unless a netfilter rule assigns the label.  Confirm on target.
gen_require(`
type ktalkd_server_packet_t;
')
allow $1 ktalkd_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ktalkd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send ktalkd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_ktalkd_server_packets',` dnl
# corenet_dontaudit_send_ktalkd_server_packets(domain)
# Silences audit records for argument 1 attempting to send packets labeled
# ktalkd_server_packet_t. The access itself stays denied unless another
# rule allows it.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ktalkd_server_packets'($*)) dnl
gen_require(`
type ktalkd_server_packet_t;
')
# dontaudit suppresses the denial record only; it grants nothing.
dontaudit $1 ktalkd_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ktalkd_server_packets'($*)) dnl
')
########################################
##
## Receive ktalkd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_ktalkd_server_packets',` dnl
# corenet_receive_ktalkd_server_packets(domain)
# Grants argument 1 the recv permission on packets labeled
# ktalkd_server_packet_t. The policy_call_depth bookkeeping brackets the
# expansion with begin/end marker comments in the generated policy.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ktalkd_server_packets'($*)) dnl
gen_require(`
type ktalkd_server_packet_t;
')
# Receive only; sending is granted by corenet_send_ktalkd_server_packets.
allow $1 ktalkd_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ktalkd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive ktalkd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_ktalkd_server_packets',` dnl
# corenet_dontaudit_receive_ktalkd_server_packets(domain)
# Silences audit records for argument 1 attempting to receive packets
# labeled ktalkd_server_packet_t. The access itself stays denied unless
# another rule allows it.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ktalkd_server_packets'($*)) dnl
gen_require(`
type ktalkd_server_packet_t;
')
# dontaudit suppresses the denial record only; it grants nothing.
dontaudit $1 ktalkd_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ktalkd_server_packets'($*)) dnl
')
########################################
##
## Send and receive ktalkd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_ktalkd_server_packets',` dnl
# corenet_sendrecv_ktalkd_server_packets(domain)
# Convenience wrapper: expands corenet_send_ktalkd_server_packets and
# corenet_receive_ktalkd_server_packets for argument 1. No gen_require is
# needed here because each callee declares its own requirement.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ktalkd_server_packets'($*)) dnl
corenet_send_ktalkd_server_packets($1)
corenet_receive_ktalkd_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ktalkd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive ktalkd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_ktalkd_server_packets',` dnl
# corenet_dontaudit_sendrecv_ktalkd_server_packets(domain)
# Convenience wrapper: expands corenet_dontaudit_send_ktalkd_server_packets
# and corenet_dontaudit_receive_ktalkd_server_packets for argument 1.
# Each callee declares its own requirement.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ktalkd_server_packets'($*)) dnl
# Suppresses the denial audit records only; no access is granted.
corenet_dontaudit_send_ktalkd_server_packets($1)
corenet_dontaudit_receive_ktalkd_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ktalkd_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the ktalkd_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_ktalkd_server_packets',` dnl
# corenet_relabelto_ktalkd_server_packets(domain)
# Grants argument 1 the relabelto permission on the packet class for
# ktalkd_server_packet_t, i.e. the ability to apply that packet label.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ktalkd_server_packets'($*)) dnl
gen_require(`
type ktalkd_server_packet_t;
')
# Relabel only; send/recv on this packet type are separate interfaces.
allow $1 ktalkd_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ktalkd_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the ldap port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_ldap_port',` dnl
# corenet_tcp_sendrecv_ldap_port(domain)
# Grants argument 1 send_msg and recv_msg on tcp_socket for ldap_port_t,
# i.e. TCP traffic in both directions on the ldap port. It grants neither
# name_bind nor name_connect; those are separate interfaces.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ldap_port'($*)) dnl
gen_require(`
type ldap_port_t;
')
allow $1 ldap_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ldap_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the ldap port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_ldap_port',` dnl
# corenet_udp_send_ldap_port(domain)
# Grants argument 1 send_msg on udp_socket for ldap_port_t (outbound UDP
# on the ldap port). Receiving is granted by corenet_udp_receive_ldap_port.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ldap_port'($*)) dnl
gen_require(`
type ldap_port_t;
')
allow $1 ldap_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_ldap_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the ldap port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_ldap_port',` dnl
# corenet_dontaudit_udp_send_ldap_port(domain)
# Silences audit records for argument 1 attempting send_msg on udp_socket
# for ldap_port_t. The access itself stays denied unless allowed elsewhere.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ldap_port'($*)) dnl
gen_require(`
type ldap_port_t;
')
# dontaudit suppresses the denial record only; it grants nothing.
dontaudit $1 ldap_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ldap_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the ldap port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_ldap_port',` dnl
# corenet_udp_receive_ldap_port(domain)
# Grants argument 1 recv_msg on udp_socket for ldap_port_t (inbound UDP
# on the ldap port). Sending is granted by corenet_udp_send_ldap_port.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ldap_port'($*)) dnl
gen_require(`
type ldap_port_t;
')
allow $1 ldap_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ldap_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the ldap port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_ldap_port',` dnl
# corenet_dontaudit_udp_receive_ldap_port(domain)
# Silences audit records for argument 1 attempting recv_msg on udp_socket
# for ldap_port_t. The access itself stays denied unless allowed elsewhere.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ldap_port'($*)) dnl
gen_require(`
type ldap_port_t;
')
# dontaudit suppresses the denial record only; it grants nothing.
dontaudit $1 ldap_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ldap_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the ldap port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_ldap_port',` dnl
# corenet_udp_sendrecv_ldap_port(domain)
# Convenience wrapper: expands corenet_udp_send_ldap_port and
# corenet_udp_receive_ldap_port for argument 1. No gen_require is needed
# here because each callee declares its own requirement.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ldap_port'($*)) dnl
corenet_udp_send_ldap_port($1)
corenet_udp_receive_ldap_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ldap_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the ldap port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_ldap_port',` dnl
# corenet_dontaudit_udp_sendrecv_ldap_port(domain)
# Convenience wrapper: expands corenet_dontaudit_udp_send_ldap_port and
# corenet_dontaudit_udp_receive_ldap_port for argument 1. Each callee
# declares its own requirement.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ldap_port'($*)) dnl
# Suppresses the denial audit records only; no access is granted.
corenet_dontaudit_udp_send_ldap_port($1)
corenet_dontaudit_udp_receive_ldap_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ldap_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the ldap port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_ldap_port',` dnl
# corenet_tcp_bind_ldap_port(domain)
# Grants argument 1 name_bind on tcp_socket for ldap_port_t AND the
# net_bind_service capability on itself. Note the second rule is a
# domain-wide capability grant, not something scoped to this port, so
# callers should treat it as a deliberate side effect of this interface.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ldap_port'($*)) dnl
gen_require(`
type ldap_port_t;
')
allow $1 ldap_port_t:tcp_socket name_bind;
# Capability needed to bind a privileged port; applies to every port.
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ldap_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the ldap port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_ldap_port',` dnl
# corenet_udp_bind_ldap_port(domain)
# Grants argument 1 name_bind on udp_socket for ldap_port_t AND the
# net_bind_service capability on itself. The capability grant is
# domain-wide, not scoped to this port; callers should be aware of it.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ldap_port'($*)) dnl
gen_require(`
type ldap_port_t;
')
allow $1 ldap_port_t:udp_socket name_bind;
# Capability needed to bind a privileged port; applies to every port.
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ldap_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the ldap port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_ldap_port',` dnl
# corenet_tcp_connect_ldap_port(domain)
# Grants argument 1 name_connect on tcp_socket for ldap_port_t, i.e.
# outbound TCP connections to the ldap port. It grants no bind rights and
# no send_msg/recv_msg; see corenet_tcp_sendrecv_ldap_port for those.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ldap_port'($*)) dnl
gen_require(`
type ldap_port_t;
')
allow $1 ldap_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ldap_port'($*)) dnl
')
########################################
##
## Send ldap_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_ldap_client_packets',` dnl
# corenet_send_ldap_client_packets(domain)
# Grants argument 1 the send permission on packets labeled
# ldap_client_packet_t. The policy_call_depth bookkeeping brackets the
# expansion with begin/end marker comments in the generated policy.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ldap_client_packets'($*)) dnl
gen_require(`
type ldap_client_packet_t;
')
# Send only; receiving is granted by corenet_receive_ldap_client_packets.
allow $1 ldap_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ldap_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send ldap_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_ldap_client_packets',` dnl
# corenet_dontaudit_send_ldap_client_packets(domain)
# Silences audit records for argument 1 attempting to send packets labeled
# ldap_client_packet_t. The access itself stays denied unless allowed
# elsewhere.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ldap_client_packets'($*)) dnl
gen_require(`
type ldap_client_packet_t;
')
# dontaudit suppresses the denial record only; it grants nothing.
dontaudit $1 ldap_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ldap_client_packets'($*)) dnl
')
########################################
##
## Receive ldap_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_ldap_client_packets',` dnl
# corenet_receive_ldap_client_packets(domain)
# Grants argument 1 the recv permission on packets labeled
# ldap_client_packet_t. Sending is granted by
# corenet_send_ldap_client_packets.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ldap_client_packets'($*)) dnl
gen_require(`
type ldap_client_packet_t;
')
allow $1 ldap_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ldap_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive ldap_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_ldap_client_packets',` dnl
# corenet_dontaudit_receive_ldap_client_packets(domain)
# Silences audit records for argument 1 attempting to receive packets
# labeled ldap_client_packet_t. The access itself stays denied unless
# allowed elsewhere.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ldap_client_packets'($*)) dnl
gen_require(`
type ldap_client_packet_t;
')
# dontaudit suppresses the denial record only; it grants nothing.
dontaudit $1 ldap_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ldap_client_packets'($*)) dnl
')
########################################
##
## Send and receive ldap_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_ldap_client_packets',` dnl
# corenet_sendrecv_ldap_client_packets(domain)
# Convenience wrapper: expands corenet_send_ldap_client_packets and
# corenet_receive_ldap_client_packets for argument 1. No gen_require is
# needed here because each callee declares its own requirement.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ldap_client_packets'($*)) dnl
corenet_send_ldap_client_packets($1)
corenet_receive_ldap_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ldap_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive ldap_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_ldap_client_packets',` dnl
# corenet_dontaudit_sendrecv_ldap_client_packets(domain)
# Convenience wrapper: expands corenet_dontaudit_send_ldap_client_packets
# and corenet_dontaudit_receive_ldap_client_packets for argument 1. Each
# callee declares its own requirement.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ldap_client_packets'($*)) dnl
# Suppresses the denial audit records only; no access is granted.
corenet_dontaudit_send_ldap_client_packets($1)
corenet_dontaudit_receive_ldap_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ldap_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the ldap_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_ldap_client_packets',` dnl
# corenet_relabelto_ldap_client_packets(domain)
# Grants argument 1 the relabelto permission on the packet class for
# ldap_client_packet_t, i.e. the ability to apply that packet label.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ldap_client_packets'($*)) dnl
gen_require(`
type ldap_client_packet_t;
')
# Relabel only; send/recv on this packet type are separate interfaces.
allow $1 ldap_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ldap_client_packets'($*)) dnl
')
########################################
##
## Send ldap_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_ldap_server_packets',` dnl
# corenet_send_ldap_server_packets(domain)
# Grants argument 1 the send permission on packets labeled
# ldap_server_packet_t. Receiving is granted by
# corenet_receive_ldap_server_packets.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ldap_server_packets'($*)) dnl
gen_require(`
type ldap_server_packet_t;
')
allow $1 ldap_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ldap_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send ldap_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_ldap_server_packets',` dnl
# corenet_dontaudit_send_ldap_server_packets(domain)
# Silences audit records for argument 1 attempting to send packets labeled
# ldap_server_packet_t. The access itself stays denied unless allowed
# elsewhere.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ldap_server_packets'($*)) dnl
gen_require(`
type ldap_server_packet_t;
')
# dontaudit suppresses the denial record only; it grants nothing.
dontaudit $1 ldap_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ldap_server_packets'($*)) dnl
')
########################################
##
## Receive ldap_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_ldap_server_packets',` dnl
# corenet_receive_ldap_server_packets(domain)
# Grants argument 1 the recv permission on packets labeled
# ldap_server_packet_t. Sending is granted by
# corenet_send_ldap_server_packets.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ldap_server_packets'($*)) dnl
gen_require(`
type ldap_server_packet_t;
')
allow $1 ldap_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ldap_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive ldap_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_ldap_server_packets',` dnl
# corenet_dontaudit_receive_ldap_server_packets(domain)
# Silences audit records for argument 1 attempting to receive packets
# labeled ldap_server_packet_t. The access itself stays denied unless
# allowed elsewhere.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ldap_server_packets'($*)) dnl
gen_require(`
type ldap_server_packet_t;
')
# dontaudit suppresses the denial record only; it grants nothing.
dontaudit $1 ldap_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ldap_server_packets'($*)) dnl
')
########################################
##
## Send and receive ldap_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_ldap_server_packets',` dnl
# corenet_sendrecv_ldap_server_packets(domain)
# Convenience wrapper: expands corenet_send_ldap_server_packets and
# corenet_receive_ldap_server_packets for argument 1. No gen_require is
# needed here because each callee declares its own requirement.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ldap_server_packets'($*)) dnl
corenet_send_ldap_server_packets($1)
corenet_receive_ldap_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ldap_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive ldap_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_ldap_server_packets',` dnl
# corenet_dontaudit_sendrecv_ldap_server_packets(domain)
# Convenience wrapper: expands corenet_dontaudit_send_ldap_server_packets
# and corenet_dontaudit_receive_ldap_server_packets for argument 1. Each
# callee declares its own requirement.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ldap_server_packets'($*)) dnl
# Suppresses the denial audit records only; no access is granted.
corenet_dontaudit_send_ldap_server_packets($1)
corenet_dontaudit_receive_ldap_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ldap_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the ldap_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_ldap_server_packets',` dnl
# corenet_relabelto_ldap_server_packets(domain)
# Grants argument 1 the relabelto permission on the packet class for
# ldap_server_packet_t, i.e. the ability to apply that packet label.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ldap_server_packets'($*)) dnl
gen_require(`
type ldap_server_packet_t;
')
# Relabel only; send/recv on this packet type are separate interfaces.
allow $1 ldap_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ldap_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the lmtp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_lmtp_port',` dnl
# corenet_tcp_sendrecv_lmtp_port(domain)
# Grants argument 1 send_msg and recv_msg on tcp_socket for lmtp_port_t,
# i.e. TCP traffic in both directions on the lmtp port. It grants neither
# name_bind nor name_connect; those are separate interfaces.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_lmtp_port'($*)) dnl
gen_require(`
type lmtp_port_t;
')
allow $1 lmtp_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_lmtp_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the lmtp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_lmtp_port',` dnl
# corenet_udp_send_lmtp_port(domain)
# Grants argument 1 send_msg on udp_socket for lmtp_port_t (outbound UDP
# on the lmtp port). Receiving is granted by corenet_udp_receive_lmtp_port.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_lmtp_port'($*)) dnl
gen_require(`
type lmtp_port_t;
')
allow $1 lmtp_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_lmtp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the lmtp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_lmtp_port',` dnl
# corenet_dontaudit_udp_send_lmtp_port(domain)
# Silences audit records for argument 1 attempting send_msg on udp_socket
# for lmtp_port_t. The access itself stays denied unless allowed elsewhere.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_lmtp_port'($*)) dnl
gen_require(`
type lmtp_port_t;
')
# dontaudit suppresses the denial record only; it grants nothing.
dontaudit $1 lmtp_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_lmtp_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the lmtp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_lmtp_port',` dnl
# corenet_udp_receive_lmtp_port(domain)
# Grants argument 1 recv_msg on udp_socket for lmtp_port_t (inbound UDP
# on the lmtp port). Sending is granted by corenet_udp_send_lmtp_port.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_lmtp_port'($*)) dnl
gen_require(`
type lmtp_port_t;
')
allow $1 lmtp_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_lmtp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the lmtp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_lmtp_port',` dnl
# corenet_dontaudit_udp_receive_lmtp_port(domain)
# Silences audit records for argument 1 attempting recv_msg on udp_socket
# for lmtp_port_t. The access itself stays denied unless allowed elsewhere.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_lmtp_port'($*)) dnl
gen_require(`
type lmtp_port_t;
')
# dontaudit suppresses the denial record only; it grants nothing.
dontaudit $1 lmtp_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_lmtp_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the lmtp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_lmtp_port',` dnl
# corenet_udp_sendrecv_lmtp_port(domain)
# Convenience wrapper: expands corenet_udp_send_lmtp_port and
# corenet_udp_receive_lmtp_port for argument 1. No gen_require is needed
# here because each callee declares its own requirement.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_lmtp_port'($*)) dnl
corenet_udp_send_lmtp_port($1)
corenet_udp_receive_lmtp_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_lmtp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the lmtp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_lmtp_port',` dnl
# corenet_dontaudit_udp_sendrecv_lmtp_port(domain)
# Convenience wrapper: expands corenet_dontaudit_udp_send_lmtp_port and
# corenet_dontaudit_udp_receive_lmtp_port for argument 1. Each callee
# declares its own requirement.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_lmtp_port'($*)) dnl
# Suppresses the denial audit records only; no access is granted.
corenet_dontaudit_udp_send_lmtp_port($1)
corenet_dontaudit_udp_receive_lmtp_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_lmtp_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the lmtp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_lmtp_port',` dnl
# corenet_tcp_bind_lmtp_port(domain)
# Grants argument 1 name_bind on tcp_socket for lmtp_port_t AND the
# net_bind_service capability on itself. The capability grant is
# domain-wide, not scoped to this port; callers should be aware of it.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_lmtp_port'($*)) dnl
gen_require(`
type lmtp_port_t;
')
allow $1 lmtp_port_t:tcp_socket name_bind;
# Capability needed to bind a privileged port; applies to every port.
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_lmtp_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the lmtp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_lmtp_port',` dnl
# corenet_udp_bind_lmtp_port(domain)
# Grants argument 1 name_bind on udp_socket for lmtp_port_t AND the
# net_bind_service capability on itself. The capability grant is
# domain-wide, not scoped to this port; callers should be aware of it.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_lmtp_port'($*)) dnl
gen_require(`
type lmtp_port_t;
')
allow $1 lmtp_port_t:udp_socket name_bind;
# Capability needed to bind a privileged port; applies to every port.
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_lmtp_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the lmtp port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_lmtp_port',` dnl
# corenet_tcp_connect_lmtp_port(domain)
# Grants argument 1 name_connect on tcp_socket for lmtp_port_t, i.e.
# outbound TCP connections to the lmtp port. It grants no bind rights and
# no send_msg/recv_msg; see corenet_tcp_sendrecv_lmtp_port for those.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_lmtp_port'($*)) dnl
gen_require(`
type lmtp_port_t;
')
allow $1 lmtp_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_lmtp_port'($*)) dnl
')
########################################
##
## Send lmtp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_lmtp_client_packets',` dnl
# corenet_send_lmtp_client_packets(domain)
# Grants argument 1 the send permission on packets labeled
# lmtp_client_packet_t. Receiving is granted by
# corenet_receive_lmtp_client_packets.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_lmtp_client_packets'($*)) dnl
gen_require(`
type lmtp_client_packet_t;
')
allow $1 lmtp_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_lmtp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send lmtp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_lmtp_client_packets',` dnl
# corenet_dontaudit_send_lmtp_client_packets(domain)
# Silences audit records for argument 1 attempting to send packets labeled
# lmtp_client_packet_t. The access itself stays denied unless allowed
# elsewhere.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_lmtp_client_packets'($*)) dnl
gen_require(`
type lmtp_client_packet_t;
')
# dontaudit suppresses the denial record only; it grants nothing.
dontaudit $1 lmtp_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_lmtp_client_packets'($*)) dnl
')
########################################
##
## Receive lmtp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_lmtp_client_packets',` dnl
# corenet_receive_lmtp_client_packets(domain)
# Grants argument 1 the recv permission on packets labeled
# lmtp_client_packet_t. Sending is granted by
# corenet_send_lmtp_client_packets.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_lmtp_client_packets'($*)) dnl
gen_require(`
type lmtp_client_packet_t;
')
allow $1 lmtp_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_lmtp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive lmtp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_lmtp_client_packets',` dnl
# corenet_dontaudit_receive_lmtp_client_packets(domain)
# Silences audit records for argument 1 attempting to receive packets
# labeled lmtp_client_packet_t. The access itself stays denied unless
# allowed elsewhere.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_lmtp_client_packets'($*)) dnl
gen_require(`
type lmtp_client_packet_t;
')
# dontaudit suppresses the denial record only; it grants nothing.
dontaudit $1 lmtp_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_lmtp_client_packets'($*)) dnl
')
########################################
##
## Send and receive lmtp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_lmtp_client_packets',` dnl
dnl Grants both packet directions by expanding the two single-direction interfaces;
dnl the gen_require for lmtp_client_packet_t lives in those, so none is needed here.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_lmtp_client_packets'($*)) dnl
corenet_send_lmtp_client_packets($1)
corenet_receive_lmtp_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_lmtp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive lmtp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_lmtp_client_packets',` dnl
dnl Suppresses audit in both packet directions via the two single-direction
dnl dontaudit interfaces; this interface grants no access by itself.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_lmtp_client_packets'($*)) dnl
corenet_dontaudit_send_lmtp_client_packets($1)
corenet_dontaudit_receive_lmtp_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_lmtp_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the lmtp_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_lmtp_client_packets',` dnl
dnl Allows the domain argument to relabel packets to lmtp_client_packet_t.
dnl Packet relabelto is a labelling authority rather than a data-path permission
dnl (it decides which label every other packet rule will see), so grant it narrowly.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_lmtp_client_packets'($*)) dnl
gen_require(`
type lmtp_client_packet_t;
')
allow $1 lmtp_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_lmtp_client_packets'($*)) dnl
')
########################################
##
## Send lmtp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_lmtp_server_packets',` dnl
dnl Allows the domain argument to send packets labelled lmtp_server_packet_t
dnl (class packet, permission send; only enforced on SECMARK-labelled traffic).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_lmtp_server_packets'($*)) dnl
gen_require(`
type lmtp_server_packet_t;
')
allow $1 lmtp_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_lmtp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send lmtp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_lmtp_server_packets',` dnl
dnl Suppresses audit of the domain argument sending lmtp_server_packet_t packets.
dnl Grants nothing; it only keeps the denial out of the audit log.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_lmtp_server_packets'($*)) dnl
gen_require(`
type lmtp_server_packet_t;
')
dontaudit $1 lmtp_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_lmtp_server_packets'($*)) dnl
')
########################################
##
## Receive lmtp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_lmtp_server_packets',` dnl
dnl Allows the domain argument to receive packets labelled lmtp_server_packet_t
dnl (class packet, permission recv).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_lmtp_server_packets'($*)) dnl
gen_require(`
type lmtp_server_packet_t;
')
allow $1 lmtp_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_lmtp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive lmtp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_lmtp_server_packets',` dnl
dnl Suppresses audit of the domain argument receiving lmtp_server_packet_t packets.
dnl No access is granted; the matching allow is corenet_receive_lmtp_server_packets.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_lmtp_server_packets'($*)) dnl
gen_require(`
type lmtp_server_packet_t;
')
dontaudit $1 lmtp_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_lmtp_server_packets'($*)) dnl
')
########################################
##
## Send and receive lmtp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_lmtp_server_packets',` dnl
dnl Grants both packet directions by expanding the two single-direction interfaces;
dnl the gen_require for lmtp_server_packet_t lives in those.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_lmtp_server_packets'($*)) dnl
corenet_send_lmtp_server_packets($1)
corenet_receive_lmtp_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_lmtp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive lmtp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_lmtp_server_packets',` dnl
dnl Suppresses audit in both packet directions via the two single-direction
dnl dontaudit interfaces; grants no access.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_lmtp_server_packets'($*)) dnl
corenet_dontaudit_send_lmtp_server_packets($1)
corenet_dontaudit_receive_lmtp_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_lmtp_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the lmtp_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_lmtp_server_packets',` dnl
dnl Allows the domain argument to relabel packets to lmtp_server_packet_t.
dnl Relabelto is a labelling authority, not a data-path permission; grant it narrowly.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_lmtp_server_packets'($*)) dnl
gen_require(`
type lmtp_server_packet_t;
')
allow $1 lmtp_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_lmtp_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the mail port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_mail_port',` dnl
dnl Allows TCP send_msg and recv_msg on mail_port_t for the domain argument.
dnl This does not cover name_connect or name_bind; those are separate interfaces
dnl (corenet_tcp_connect_mail_port, corenet_tcp_bind_mail_port).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_mail_port'($*)) dnl
gen_require(`
type mail_port_t;
')
allow $1 mail_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_mail_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the mail port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_mail_port',` dnl
dnl Allows UDP send_msg on mail_port_t for the domain argument.
dnl Binding to the port is a separate interface (corenet_udp_bind_mail_port).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_mail_port'($*)) dnl
gen_require(`
type mail_port_t;
')
allow $1 mail_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_mail_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the mail port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_mail_port',` dnl
dnl Suppresses audit of UDP send_msg on mail_port_t for the domain argument.
dnl Grants nothing; it only keeps the denial out of the audit log, so reserve it
dnl for known-benign noise rather than for unexplained denials.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_mail_port'($*)) dnl
gen_require(`
type mail_port_t;
')
dontaudit $1 mail_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_mail_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the mail port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_mail_port',` dnl
dnl Allows UDP recv_msg on mail_port_t for the domain argument.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_mail_port'($*)) dnl
gen_require(`
type mail_port_t;
')
allow $1 mail_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_mail_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the mail port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_mail_port',` dnl
dnl Suppresses audit of UDP recv_msg on mail_port_t for the domain argument;
dnl no access is granted.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_mail_port'($*)) dnl
gen_require(`
type mail_port_t;
')
dontaudit $1 mail_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_mail_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the mail port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_mail_port',` dnl
dnl Grants UDP send_msg and recv_msg on mail_port_t by expanding the two
dnl single-direction interfaces; the gen_require lives in those.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_mail_port'($*)) dnl
corenet_udp_send_mail_port($1)
corenet_udp_receive_mail_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_mail_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the mail port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_mail_port',` dnl
dnl Suppresses audit of UDP send_msg and recv_msg on mail_port_t via the two
dnl single-direction dontaudit interfaces; grants no access.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_mail_port'($*)) dnl
corenet_dontaudit_udp_send_mail_port($1)
corenet_dontaudit_udp_receive_mail_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_mail_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the mail port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_mail_port',` dnl
dnl Allows the domain argument to bind a TCP socket to mail_port_t (name_bind).
dnl This is the listener-side permission; limit it to the service meant to serve the port.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_mail_port'($*)) dnl
gen_require(`
type mail_port_t;
')
allow $1 mail_port_t:tcp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_mail_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the mail port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_mail_port',` dnl
dnl Allows the domain argument to bind a UDP socket to mail_port_t (name_bind).
dnl Listener-side permission; limit it to the service meant to serve the port.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_mail_port'($*)) dnl
gen_require(`
type mail_port_t;
')
allow $1 mail_port_t:udp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_mail_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the mail port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_mail_port',` dnl
dnl Allows the domain argument to connect a TCP socket to mail_port_t (name_connect).
dnl Client-side permission: this is the check that decides which domains may reach
dnl the port at all, so it is the one to keep tight.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_mail_port'($*)) dnl
gen_require(`
type mail_port_t;
')
allow $1 mail_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_mail_port'($*)) dnl
')
########################################
##
## Send mail_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_mail_client_packets',` dnl
dnl Allows the domain argument to send packets labelled mail_client_packet_t
dnl (class packet, permission send; only enforced on SECMARK-labelled traffic).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_mail_client_packets'($*)) dnl
gen_require(`
type mail_client_packet_t;
')
allow $1 mail_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_mail_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send mail_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_mail_client_packets',` dnl
dnl Suppresses audit of the domain argument sending mail_client_packet_t packets.
dnl Grants nothing; it only keeps the denial out of the audit log.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_mail_client_packets'($*)) dnl
gen_require(`
type mail_client_packet_t;
')
dontaudit $1 mail_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_mail_client_packets'($*)) dnl
')
########################################
##
## Receive mail_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_mail_client_packets',` dnl
dnl Allows the domain argument to receive packets labelled mail_client_packet_t
dnl (class packet, permission recv).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_mail_client_packets'($*)) dnl
gen_require(`
type mail_client_packet_t;
')
allow $1 mail_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_mail_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive mail_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_mail_client_packets',` dnl
dnl Suppresses audit of the domain argument receiving mail_client_packet_t packets.
dnl No access is granted; the matching allow is corenet_receive_mail_client_packets.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_mail_client_packets'($*)) dnl
gen_require(`
type mail_client_packet_t;
')
dontaudit $1 mail_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_mail_client_packets'($*)) dnl
')
########################################
##
## Send and receive mail_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_mail_client_packets',` dnl
dnl Grants both packet directions by expanding the two single-direction interfaces;
dnl the gen_require for mail_client_packet_t lives in those.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_mail_client_packets'($*)) dnl
corenet_send_mail_client_packets($1)
corenet_receive_mail_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_mail_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive mail_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_mail_client_packets',` dnl
dnl Suppresses audit in both packet directions via the two single-direction
dnl dontaudit interfaces; grants no access.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_mail_client_packets'($*)) dnl
corenet_dontaudit_send_mail_client_packets($1)
corenet_dontaudit_receive_mail_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_mail_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the mail_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_mail_client_packets',` dnl
dnl Allows the domain argument to relabel packets to mail_client_packet_t.
dnl Relabelto is a labelling authority, not a data-path permission; grant it narrowly.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_mail_client_packets'($*)) dnl
gen_require(`
type mail_client_packet_t;
')
allow $1 mail_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_mail_client_packets'($*)) dnl
')
########################################
##
## Send mail_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_mail_server_packets',` dnl
dnl Allows the domain argument to send packets labelled mail_server_packet_t
dnl (class packet, permission send).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_mail_server_packets'($*)) dnl
gen_require(`
type mail_server_packet_t;
')
allow $1 mail_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_mail_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send mail_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_mail_server_packets',` dnl
dnl Suppresses audit of the domain argument sending mail_server_packet_t packets.
dnl Grants nothing; it only keeps the denial out of the audit log.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_mail_server_packets'($*)) dnl
gen_require(`
type mail_server_packet_t;
')
dontaudit $1 mail_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_mail_server_packets'($*)) dnl
')
########################################
##
## Receive mail_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_mail_server_packets',` dnl
dnl Allows the domain argument to receive packets labelled mail_server_packet_t
dnl (class packet, permission recv).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_mail_server_packets'($*)) dnl
gen_require(`
type mail_server_packet_t;
')
allow $1 mail_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_mail_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive mail_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_mail_server_packets',` dnl
dnl Suppresses audit of the domain argument receiving mail_server_packet_t packets.
dnl No access is granted; the matching allow is corenet_receive_mail_server_packets.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_mail_server_packets'($*)) dnl
gen_require(`
type mail_server_packet_t;
')
dontaudit $1 mail_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_mail_server_packets'($*)) dnl
')
########################################
##
## Send and receive mail_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_mail_server_packets',` dnl
dnl Grants both packet directions by expanding the two single-direction interfaces;
dnl the gen_require for mail_server_packet_t lives in those.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_mail_server_packets'($*)) dnl
corenet_send_mail_server_packets($1)
corenet_receive_mail_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_mail_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive mail_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_mail_server_packets',` dnl
dnl Suppresses audit in both packet directions via the two single-direction
dnl dontaudit interfaces; grants no access.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_mail_server_packets'($*)) dnl
corenet_dontaudit_send_mail_server_packets($1)
corenet_dontaudit_receive_mail_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_mail_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the mail_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_mail_server_packets',` dnl
dnl Allows the domain argument to relabel packets to mail_server_packet_t.
dnl Relabelto is a labelling authority, not a data-path permission; grant it narrowly.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_mail_server_packets'($*)) dnl
gen_require(`
type mail_server_packet_t;
')
allow $1 mail_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_mail_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the monopd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_monopd_port',` dnl
dnl Allows TCP send_msg and recv_msg on monopd_port_t for the domain argument.
dnl This does not cover name_connect or name_bind; those are separate interfaces
dnl (corenet_tcp_connect_monopd_port, corenet_tcp_bind_monopd_port).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_monopd_port'($*)) dnl
gen_require(`
type monopd_port_t;
')
allow $1 monopd_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_monopd_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the monopd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_monopd_port',` dnl
dnl Allows UDP send_msg on monopd_port_t for the domain argument.
dnl Binding to the port is a separate interface (corenet_udp_bind_monopd_port).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_monopd_port'($*)) dnl
gen_require(`
type monopd_port_t;
')
allow $1 monopd_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_monopd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the monopd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_monopd_port',` dnl
dnl Suppresses audit of UDP send_msg on monopd_port_t for the domain argument.
dnl Grants nothing; it only keeps the denial out of the audit log.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_monopd_port'($*)) dnl
gen_require(`
type monopd_port_t;
')
dontaudit $1 monopd_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_monopd_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the monopd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_monopd_port',` dnl
dnl Allows UDP recv_msg on monopd_port_t for the domain argument.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_monopd_port'($*)) dnl
gen_require(`
type monopd_port_t;
')
allow $1 monopd_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_monopd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the monopd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_monopd_port',` dnl
dnl Suppresses audit of UDP recv_msg on monopd_port_t for the domain argument;
dnl no access is granted.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_monopd_port'($*)) dnl
gen_require(`
type monopd_port_t;
')
dontaudit $1 monopd_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_monopd_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the monopd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_monopd_port',` dnl
dnl Grants UDP send_msg and recv_msg on monopd_port_t by expanding the two
dnl single-direction interfaces; the gen_require lives in those.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_monopd_port'($*)) dnl
corenet_udp_send_monopd_port($1)
corenet_udp_receive_monopd_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_monopd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the monopd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_monopd_port',` dnl
dnl Suppresses audit of UDP send_msg and recv_msg on monopd_port_t via the two
dnl single-direction dontaudit interfaces; grants no access.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_monopd_port'($*)) dnl
corenet_dontaudit_udp_send_monopd_port($1)
corenet_dontaudit_udp_receive_monopd_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_monopd_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the monopd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_monopd_port',` dnl
dnl Allows the domain argument to bind a TCP socket to monopd_port_t (name_bind).
dnl Listener-side permission; limit it to the service meant to serve the port.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_monopd_port'($*)) dnl
gen_require(`
type monopd_port_t;
')
allow $1 monopd_port_t:tcp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_monopd_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the monopd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_monopd_port',` dnl
dnl Allows the domain argument to bind a UDP socket to monopd_port_t (name_bind).
dnl Listener-side permission; limit it to the service meant to serve the port.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_monopd_port'($*)) dnl
gen_require(`
type monopd_port_t;
')
allow $1 monopd_port_t:udp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_monopd_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the monopd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_monopd_port',` dnl
dnl Allows the domain argument to connect a TCP socket to monopd_port_t (name_connect).
dnl Client-side permission: this check decides which domains may reach the port at all.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_monopd_port'($*)) dnl
gen_require(`
type monopd_port_t;
')
allow $1 monopd_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_monopd_port'($*)) dnl
')
########################################
##
## Send monopd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_monopd_client_packets',` dnl
dnl Allows the domain argument to send packets labelled monopd_client_packet_t
dnl (class packet, permission send; only enforced on SECMARK-labelled traffic).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_monopd_client_packets'($*)) dnl
gen_require(`
type monopd_client_packet_t;
')
allow $1 monopd_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_monopd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send monopd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_monopd_client_packets',` dnl
dnl corenet_dontaudit_send_monopd_client_packets(domain)
dnl Suppress audit messages when argument 1 is denied packet send on monopd_client_packet_t.
dnl dontaudit grants nothing: the access stays denied, but the denial is kept out of the
dnl audit log, so a problem hidden here leaves no trace for detection or troubleshooting.
dnl The policy_call_depth push/pop only feeds the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_monopd_client_packets'($*)) dnl
gen_require(`
type monopd_client_packet_t;
')
dontaudit $1 monopd_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_monopd_client_packets'($*)) dnl
')
########################################
##
## Receive monopd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_monopd_client_packets',` dnl
dnl corenet_receive_monopd_client_packets(domain)
dnl Allow argument 1 (the calling domain) to receive packets labeled monopd_client_packet_t.
dnl Packet-class permissions apply to SECMARK-labeled packets. Emits one allow rule.
dnl The policy_call_depth push/pop only feeds the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_monopd_client_packets'($*)) dnl
gen_require(`
type monopd_client_packet_t;
')
allow $1 monopd_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_monopd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive monopd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_monopd_client_packets',` dnl
dnl corenet_dontaudit_receive_monopd_client_packets(domain)
dnl Suppress audit messages when argument 1 is denied packet recv on monopd_client_packet_t.
dnl dontaudit grants nothing: the access stays denied, but the denial is kept out of the
dnl audit log, so a problem hidden here leaves no trace for detection or troubleshooting.
dnl The policy_call_depth push/pop only feeds the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_monopd_client_packets'($*)) dnl
gen_require(`
type monopd_client_packet_t;
')
dontaudit $1 monopd_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_monopd_client_packets'($*)) dnl
')
########################################
##
## Send and receive monopd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_monopd_client_packets',` dnl
dnl corenet_sendrecv_monopd_client_packets(domain)
dnl Convenience wrapper: grants both directions on monopd_client_packet_t by expanding the
dnl send and receive interfaces with argument 1. No gen_require here; each callee declares its own type.
dnl The policy_call_depth push/pop only feeds the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_monopd_client_packets'($*)) dnl
corenet_send_monopd_client_packets($1)
corenet_receive_monopd_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_monopd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive monopd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_monopd_client_packets',` dnl
dnl corenet_dontaudit_sendrecv_monopd_client_packets(domain)
dnl Convenience wrapper: silences denials in both directions on monopd_client_packet_t by
dnl expanding the two dontaudit interfaces with argument 1. Nothing is granted; the denials
dnl are merely kept out of the audit log. No gen_require here; each callee declares its own type.
dnl The policy_call_depth push/pop only feeds the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_monopd_client_packets'($*)) dnl
corenet_dontaudit_send_monopd_client_packets($1)
corenet_dontaudit_receive_monopd_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_monopd_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the monopd_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_monopd_client_packets',` dnl
dnl corenet_relabelto_monopd_client_packets(domain)
dnl Allow argument 1 (the calling domain) to relabel packets to monopd_client_packet_t.
dnl Packet-class permissions apply to SECMARK-labeled packets. Emits one allow rule.
dnl The policy_call_depth push/pop only feeds the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_monopd_client_packets'($*)) dnl
gen_require(`
type monopd_client_packet_t;
')
allow $1 monopd_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_monopd_client_packets'($*)) dnl
')
########################################
##
## Send monopd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_monopd_server_packets',` dnl
dnl corenet_send_monopd_server_packets(domain)
dnl Allow argument 1 (the calling domain) to send packets labeled monopd_server_packet_t.
dnl Packet-class permissions apply to SECMARK-labeled packets. Emits one allow rule.
dnl The policy_call_depth push/pop only feeds the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_monopd_server_packets'($*)) dnl
gen_require(`
type monopd_server_packet_t;
')
allow $1 monopd_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_monopd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send monopd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_monopd_server_packets',` dnl
dnl corenet_dontaudit_send_monopd_server_packets(domain)
dnl Suppress audit messages when argument 1 is denied packet send on monopd_server_packet_t.
dnl dontaudit grants nothing: the access stays denied, but the denial is kept out of the
dnl audit log, so a problem hidden here leaves no trace for detection or troubleshooting.
dnl The policy_call_depth push/pop only feeds the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_monopd_server_packets'($*)) dnl
gen_require(`
type monopd_server_packet_t;
')
dontaudit $1 monopd_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_monopd_server_packets'($*)) dnl
')
########################################
##
## Receive monopd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_monopd_server_packets',` dnl
dnl corenet_receive_monopd_server_packets(domain)
dnl Allow argument 1 (the calling domain) to receive packets labeled monopd_server_packet_t.
dnl Packet-class permissions apply to SECMARK-labeled packets. Emits one allow rule.
dnl The policy_call_depth push/pop only feeds the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_monopd_server_packets'($*)) dnl
gen_require(`
type monopd_server_packet_t;
')
allow $1 monopd_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_monopd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive monopd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_monopd_server_packets',` dnl
dnl corenet_dontaudit_receive_monopd_server_packets(domain)
dnl Suppress audit messages when argument 1 is denied packet recv on monopd_server_packet_t.
dnl dontaudit grants nothing: the access stays denied, but the denial is kept out of the
dnl audit log, so a problem hidden here leaves no trace for detection or troubleshooting.
dnl The policy_call_depth push/pop only feeds the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_monopd_server_packets'($*)) dnl
gen_require(`
type monopd_server_packet_t;
')
dontaudit $1 monopd_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_monopd_server_packets'($*)) dnl
')
########################################
##
## Send and receive monopd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_monopd_server_packets',` dnl
dnl corenet_sendrecv_monopd_server_packets(domain)
dnl Convenience wrapper: grants both directions on monopd_server_packet_t by expanding the
dnl send and receive interfaces with argument 1. No gen_require here; each callee declares its own type.
dnl The policy_call_depth push/pop only feeds the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_monopd_server_packets'($*)) dnl
corenet_send_monopd_server_packets($1)
corenet_receive_monopd_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_monopd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive monopd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_monopd_server_packets',` dnl
dnl corenet_dontaudit_sendrecv_monopd_server_packets(domain)
dnl Convenience wrapper: silences denials in both directions on monopd_server_packet_t by
dnl expanding the two dontaudit interfaces with argument 1. Nothing is granted; the denials
dnl are merely kept out of the audit log. No gen_require here; each callee declares its own type.
dnl The policy_call_depth push/pop only feeds the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_monopd_server_packets'($*)) dnl
corenet_dontaudit_send_monopd_server_packets($1)
corenet_dontaudit_receive_monopd_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_monopd_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the monopd_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_monopd_server_packets',` dnl
dnl corenet_relabelto_monopd_server_packets(domain)
dnl Allow argument 1 (the calling domain) to relabel packets to monopd_server_packet_t.
dnl Packet-class permissions apply to SECMARK-labeled packets. Emits one allow rule.
dnl The policy_call_depth push/pop only feeds the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_monopd_server_packets'($*)) dnl
gen_require(`
type monopd_server_packet_t;
')
allow $1 monopd_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_monopd_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the mysqld port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_mysqld_port',` dnl
dnl corenet_tcp_sendrecv_mysqld_port(domain)
dnl Allow argument 1 (the calling domain) both send_msg and recv_msg on tcp_socket against mysqld_port_t.
dnl NOTE(review): these are the port-type message checks rather than the name_bind/name_connect
dnl checks; confirm they are enforced on the target kernel and policy before relying on them.
dnl The policy_call_depth push/pop only feeds the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_mysqld_port'($*)) dnl
gen_require(`
type mysqld_port_t;
')
allow $1 mysqld_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_mysqld_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the mysqld port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_mysqld_port',` dnl
dnl corenet_udp_send_mysqld_port(domain)
dnl Allow argument 1 (the calling domain) udp_socket send_msg against mysqld_port_t.
dnl Emits the single allow rule below; gen_require makes mysqld_port_t a requirement of the caller.
dnl The policy_call_depth push/pop only feeds the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_mysqld_port'($*)) dnl
gen_require(`
type mysqld_port_t;
')
allow $1 mysqld_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_mysqld_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the mysqld port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_mysqld_port',` dnl
dnl corenet_dontaudit_udp_send_mysqld_port(domain)
dnl Suppress audit messages when argument 1 is denied udp_socket send_msg against mysqld_port_t.
dnl dontaudit grants nothing: the access stays denied, but the denial is kept out of the
dnl audit log, so a problem hidden here leaves no trace for detection or troubleshooting.
dnl The policy_call_depth push/pop only feeds the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_mysqld_port'($*)) dnl
gen_require(`
type mysqld_port_t;
')
dontaudit $1 mysqld_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_mysqld_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the mysqld port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_mysqld_port',` dnl
dnl corenet_udp_receive_mysqld_port(domain)
dnl Allow argument 1 (the calling domain) udp_socket recv_msg against mysqld_port_t.
dnl Emits the single allow rule below; gen_require makes mysqld_port_t a requirement of the caller.
dnl The policy_call_depth push/pop only feeds the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_mysqld_port'($*)) dnl
gen_require(`
type mysqld_port_t;
')
allow $1 mysqld_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_mysqld_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the mysqld port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_mysqld_port',` dnl
dnl corenet_dontaudit_udp_receive_mysqld_port(domain)
dnl Suppress audit messages when argument 1 is denied udp_socket recv_msg against mysqld_port_t.
dnl dontaudit grants nothing: the access stays denied, but the denial is kept out of the
dnl audit log, so a problem hidden here leaves no trace for detection or troubleshooting.
dnl The policy_call_depth push/pop only feeds the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_mysqld_port'($*)) dnl
gen_require(`
type mysqld_port_t;
')
dontaudit $1 mysqld_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_mysqld_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the mysqld port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_mysqld_port',` dnl
dnl corenet_udp_sendrecv_mysqld_port(domain)
dnl Convenience wrapper: grants both udp_socket send_msg and recv_msg against mysqld_port_t by
dnl expanding the send and receive interfaces with argument 1. No gen_require here; each callee declares its own type.
dnl The policy_call_depth push/pop only feeds the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_mysqld_port'($*)) dnl
corenet_udp_send_mysqld_port($1)
corenet_udp_receive_mysqld_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_mysqld_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the mysqld port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_mysqld_port',` dnl
dnl corenet_dontaudit_udp_sendrecv_mysqld_port(domain)
dnl Convenience wrapper: silences udp_socket send_msg and recv_msg denials against mysqld_port_t
dnl by expanding the two dontaudit interfaces with argument 1. Nothing is granted; the denials
dnl are merely kept out of the audit log. No gen_require here; each callee declares its own type.
dnl The policy_call_depth push/pop only feeds the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_mysqld_port'($*)) dnl
corenet_dontaudit_udp_send_mysqld_port($1)
corenet_dontaudit_udp_receive_mysqld_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_mysqld_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the mysqld port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_mysqld_port',` dnl
dnl corenet_tcp_bind_mysqld_port(domain)
dnl Allow argument 1 (the calling domain) to bind TCP sockets to ports typed mysqld_port_t.
dnl Emits the single allow rule below; gen_require makes mysqld_port_t a requirement of the caller.
dnl The policy_call_depth push/pop only feeds the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_mysqld_port'($*)) dnl
gen_require(`
type mysqld_port_t;
')
allow $1 mysqld_port_t:tcp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_mysqld_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the mysqld port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_mysqld_port',` dnl
dnl corenet_udp_bind_mysqld_port(domain)
dnl Allow argument 1 (the calling domain) to bind UDP sockets to ports typed mysqld_port_t.
dnl Emits the single allow rule below; gen_require makes mysqld_port_t a requirement of the caller.
dnl The policy_call_depth push/pop only feeds the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_mysqld_port'($*)) dnl
gen_require(`
type mysqld_port_t;
')
allow $1 mysqld_port_t:udp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_mysqld_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the mysqld port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_mysqld_port',` dnl
dnl corenet_tcp_connect_mysqld_port(domain)
dnl Allow argument 1 (the calling domain) to make outbound TCP connections to ports typed mysqld_port_t.
dnl Emits the single allow rule below; gen_require makes mysqld_port_t a requirement of the caller.
dnl The policy_call_depth push/pop only feeds the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_mysqld_port'($*)) dnl
gen_require(`
type mysqld_port_t;
')
allow $1 mysqld_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_mysqld_port'($*)) dnl
')
########################################
##
## Send mysqld_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_mysqld_client_packets',` dnl
dnl corenet_send_mysqld_client_packets(domain)
dnl Allow argument 1 (the calling domain) to send packets labeled mysqld_client_packet_t.
dnl Packet-class permissions apply to SECMARK-labeled packets. Emits one allow rule.
dnl The policy_call_depth push/pop only feeds the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_mysqld_client_packets'($*)) dnl
gen_require(`
type mysqld_client_packet_t;
')
allow $1 mysqld_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_mysqld_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send mysqld_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_mysqld_client_packets',` dnl
dnl corenet_dontaudit_send_mysqld_client_packets(domain)
dnl Suppress audit messages when argument 1 is denied packet send on mysqld_client_packet_t.
dnl dontaudit grants nothing: the access stays denied, but the denial is kept out of the
dnl audit log, so a problem hidden here leaves no trace for detection or troubleshooting.
dnl The policy_call_depth push/pop only feeds the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_mysqld_client_packets'($*)) dnl
gen_require(`
type mysqld_client_packet_t;
')
dontaudit $1 mysqld_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_mysqld_client_packets'($*)) dnl
')
########################################
##
## Receive mysqld_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_mysqld_client_packets',` dnl
dnl corenet_receive_mysqld_client_packets(domain)
dnl Allow argument 1 (the calling domain) to receive packets labeled mysqld_client_packet_t.
dnl Packet-class permissions apply to SECMARK-labeled packets. Emits one allow rule.
dnl The policy_call_depth push/pop only feeds the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_mysqld_client_packets'($*)) dnl
gen_require(`
type mysqld_client_packet_t;
')
allow $1 mysqld_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_mysqld_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive mysqld_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_mysqld_client_packets',` dnl
dnl corenet_dontaudit_receive_mysqld_client_packets(domain)
dnl Suppress audit messages when argument 1 is denied packet recv on mysqld_client_packet_t.
dnl dontaudit grants nothing: the access stays denied, but the denial is kept out of the
dnl audit log, so a problem hidden here leaves no trace for detection or troubleshooting.
dnl The policy_call_depth push/pop only feeds the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_mysqld_client_packets'($*)) dnl
gen_require(`
type mysqld_client_packet_t;
')
dontaudit $1 mysqld_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_mysqld_client_packets'($*)) dnl
')
########################################
##
## Send and receive mysqld_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_mysqld_client_packets',` dnl
dnl corenet_sendrecv_mysqld_client_packets(domain)
dnl Convenience wrapper: grants both directions on mysqld_client_packet_t by expanding the
dnl send and receive interfaces with argument 1. No gen_require here; each callee declares its own type.
dnl The policy_call_depth push/pop only feeds the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_mysqld_client_packets'($*)) dnl
corenet_send_mysqld_client_packets($1)
corenet_receive_mysqld_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_mysqld_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive mysqld_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_mysqld_client_packets',` dnl
dnl corenet_dontaudit_sendrecv_mysqld_client_packets(domain)
dnl Convenience wrapper: silences denials in both directions on mysqld_client_packet_t by
dnl expanding the two dontaudit interfaces with argument 1. Nothing is granted; the denials
dnl are merely kept out of the audit log. No gen_require here; each callee declares its own type.
dnl The policy_call_depth push/pop only feeds the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_mysqld_client_packets'($*)) dnl
corenet_dontaudit_send_mysqld_client_packets($1)
corenet_dontaudit_receive_mysqld_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_mysqld_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the mysqld_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_mysqld_client_packets',` dnl
dnl corenet_relabelto_mysqld_client_packets(domain)
dnl Allow argument 1 (the calling domain) to relabel packets to mysqld_client_packet_t.
dnl Packet-class permissions apply to SECMARK-labeled packets. Emits one allow rule.
dnl The policy_call_depth push/pop only feeds the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_mysqld_client_packets'($*)) dnl
gen_require(`
type mysqld_client_packet_t;
')
allow $1 mysqld_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_mysqld_client_packets'($*)) dnl
')
########################################
##
## Send mysqld_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_mysqld_server_packets',` dnl
dnl corenet_send_mysqld_server_packets(domain)
dnl Allow argument 1 (the calling domain) to send packets labeled mysqld_server_packet_t.
dnl Packet-class permissions apply to SECMARK-labeled packets. Emits one allow rule.
dnl The policy_call_depth push/pop only feeds the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_mysqld_server_packets'($*)) dnl
gen_require(`
type mysqld_server_packet_t;
')
allow $1 mysqld_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_mysqld_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send mysqld_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_mysqld_server_packets',` dnl
dnl corenet_dontaudit_send_mysqld_server_packets(domain)
dnl Suppress audit messages when argument 1 is denied packet send on mysqld_server_packet_t.
dnl dontaudit grants nothing: the access stays denied, but the denial is kept out of the
dnl audit log, so a problem hidden here leaves no trace for detection or troubleshooting.
dnl The policy_call_depth push/pop only feeds the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_mysqld_server_packets'($*)) dnl
gen_require(`
type mysqld_server_packet_t;
')
dontaudit $1 mysqld_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_mysqld_server_packets'($*)) dnl
')
########################################
##
## Receive mysqld_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_mysqld_server_packets',` dnl
dnl corenet_receive_mysqld_server_packets(domain)
dnl Allow argument 1 (the calling domain) to receive packets labeled mysqld_server_packet_t.
dnl Packet-class permissions apply to SECMARK-labeled packets. Emits one allow rule.
dnl The policy_call_depth push/pop only feeds the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_mysqld_server_packets'($*)) dnl
gen_require(`
type mysqld_server_packet_t;
')
allow $1 mysqld_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_mysqld_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive mysqld_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_mysqld_server_packets',` dnl
dnl corenet_dontaudit_receive_mysqld_server_packets(domain)
dnl Suppress audit messages when argument 1 is denied packet recv on mysqld_server_packet_t.
dnl dontaudit grants nothing: the access stays denied, but the denial is kept out of the
dnl audit log, so a problem hidden here leaves no trace for detection or troubleshooting.
dnl The policy_call_depth push/pop only feeds the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_mysqld_server_packets'($*)) dnl
gen_require(`
type mysqld_server_packet_t;
')
dontaudit $1 mysqld_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_mysqld_server_packets'($*)) dnl
')
########################################
##
## Send and receive mysqld_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_mysqld_server_packets',` dnl
dnl corenet_sendrecv_mysqld_server_packets(domain)
dnl Convenience wrapper: grants both directions on mysqld_server_packet_t by expanding the
dnl send and receive interfaces with argument 1. No gen_require here; each callee declares its own type.
dnl The policy_call_depth push/pop only feeds the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_mysqld_server_packets'($*)) dnl
corenet_send_mysqld_server_packets($1)
corenet_receive_mysqld_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_mysqld_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive mysqld_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_mysqld_server_packets',` dnl
dnl corenet_dontaudit_sendrecv_mysqld_server_packets(domain)
dnl Convenience wrapper: silences denials in both directions on mysqld_server_packet_t by
dnl expanding the two dontaudit interfaces with argument 1. Nothing is granted; the denials
dnl are merely kept out of the audit log. No gen_require here; each callee declares its own type.
dnl The policy_call_depth push/pop only feeds the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_mysqld_server_packets'($*)) dnl
corenet_dontaudit_send_mysqld_server_packets($1)
corenet_dontaudit_receive_mysqld_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_mysqld_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the mysqld_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_mysqld_server_packets',` dnl
dnl corenet_relabelto_mysqld_server_packets(domain)
dnl Allow argument 1 (the calling domain) to relabel packets to mysqld_server_packet_t.
dnl Packet-class permissions apply to SECMARK-labeled packets. Emits one allow rule.
dnl The policy_call_depth push/pop only feeds the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_mysqld_server_packets'($*)) dnl
gen_require(`
type mysqld_server_packet_t;
')
allow $1 mysqld_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_mysqld_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the nessus port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_nessus_port',` dnl
dnl corenet_tcp_sendrecv_nessus_port(domain)
dnl Allow argument 1 (the calling domain) both send_msg and recv_msg on tcp_socket against nessus_port_t.
dnl NOTE(review): these are the port-type message checks rather than the name_bind/name_connect
dnl checks; confirm they are enforced on the target kernel and policy before relying on them.
dnl The policy_call_depth push/pop only feeds the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_nessus_port'($*)) dnl
gen_require(`
type nessus_port_t;
')
allow $1 nessus_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_nessus_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the nessus port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_nessus_port',` dnl
dnl corenet_udp_send_nessus_port(domain)
dnl Allow argument 1 (the calling domain) udp_socket send_msg against nessus_port_t.
dnl Emits the single allow rule below; gen_require makes nessus_port_t a requirement of the caller.
dnl The policy_call_depth push/pop only feeds the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_nessus_port'($*)) dnl
gen_require(`
type nessus_port_t;
')
allow $1 nessus_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_nessus_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the nessus port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_nessus_port',` dnl
dnl corenet_dontaudit_udp_send_nessus_port(domain)
dnl Suppress audit messages when argument 1 is denied udp_socket send_msg against nessus_port_t.
dnl dontaudit grants nothing: the access stays denied, but the denial is kept out of the
dnl audit log, so a problem hidden here leaves no trace for detection or troubleshooting.
dnl The policy_call_depth push/pop only feeds the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_nessus_port'($*)) dnl
gen_require(`
type nessus_port_t;
')
dontaudit $1 nessus_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_nessus_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the nessus port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_nessus_port',` dnl
dnl corenet_udp_receive_nessus_port(domain)
dnl Allow argument 1 (the calling domain) udp_socket recv_msg against nessus_port_t.
dnl Emits the single allow rule below; gen_require makes nessus_port_t a requirement of the caller.
dnl The policy_call_depth push/pop only feeds the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_nessus_port'($*)) dnl
gen_require(`
type nessus_port_t;
')
allow $1 nessus_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_nessus_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the nessus port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_nessus_port',` dnl
dnl corenet_dontaudit_udp_receive_nessus_port(domain)
dnl Suppress audit messages when argument 1 is denied udp_socket recv_msg against nessus_port_t.
dnl dontaudit grants nothing: the access stays denied, but the denial is kept out of the
dnl audit log, so a problem hidden here leaves no trace for detection or troubleshooting.
dnl The policy_call_depth push/pop only feeds the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_nessus_port'($*)) dnl
gen_require(`
type nessus_port_t;
')
dontaudit $1 nessus_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_nessus_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the nessus port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_nessus_port',` dnl
dnl corenet_udp_sendrecv_nessus_port(domain)
dnl Convenience wrapper: grants both udp_socket send_msg and recv_msg against nessus_port_t by
dnl expanding the send and receive interfaces with argument 1. No gen_require here; each callee declares its own type.
dnl The policy_call_depth push/pop only feeds the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_nessus_port'($*)) dnl
corenet_udp_send_nessus_port($1)
corenet_udp_receive_nessus_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_nessus_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the nessus port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_nessus_port',` dnl
dnl corenet_dontaudit_udp_sendrecv_nessus_port(domain)
dnl Convenience wrapper: silences udp_socket send_msg and recv_msg denials against nessus_port_t
dnl by expanding the two dontaudit interfaces with argument 1. Nothing is granted; the denials
dnl are merely kept out of the audit log. No gen_require here; each callee declares its own type.
dnl The policy_call_depth push/pop only feeds the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_nessus_port'($*)) dnl
corenet_dontaudit_udp_send_nessus_port($1)
corenet_dontaudit_udp_receive_nessus_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_nessus_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the nessus port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_nessus_port',` dnl
dnl corenet_tcp_bind_nessus_port(domain)
dnl Allow argument 1 (the calling domain) to bind TCP sockets to ports typed nessus_port_t.
dnl Emits the single allow rule below; gen_require makes nessus_port_t a requirement of the caller.
dnl The policy_call_depth push/pop only feeds the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_nessus_port'($*)) dnl
gen_require(`
type nessus_port_t;
')
allow $1 nessus_port_t:tcp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_nessus_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the nessus port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_nessus_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_nessus_port'($*)) dnl
# (the define/pushdef/undefine lines only track nesting depth for the begin/end marker comments)
# Allow $1 to bind a UDP socket to the port labeled nessus_port_t.
# name_bind only: it does not by itself grant send_msg/recv_msg on the port;
# use the corenet_udp_send/receive_nessus_port interfaces for traffic.
gen_require(`
type nessus_port_t;
')
allow $1 nessus_port_t:udp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_nessus_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the nessus port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_nessus_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_nessus_port'($*)) dnl
# (the define/pushdef/undefine lines only track nesting depth for the begin/end marker comments)
# Allow $1 to initiate a TCP connection to the port labeled nessus_port_t (client side).
# name_connect only: binding a listener on the port is corenet_tcp_bind_nessus_port.
gen_require(`
type nessus_port_t;
')
allow $1 nessus_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_nessus_port'($*)) dnl
')
########################################
##
## Send nessus_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_nessus_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_nessus_client_packets'($*)) dnl
# (the define/pushdef/undefine lines only track nesting depth for the begin/end marker comments)
# Allow $1 to send packets labeled nessus_client_packet_t.
# Only effective where packets actually carry this label; packet labeling is
# configured outside this file, so without it the rule is inert.
gen_require(`
type nessus_client_packet_t;
')
allow $1 nessus_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_nessus_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send nessus_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_nessus_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_nessus_client_packets'($*)) dnl
# (the define/pushdef/undefine lines only track nesting depth for the begin/end marker comments)
# Silence (do not grant) denial records for $1 sending nessus_client_packet_t packets.
# dontaudit hides the AVC record only; the access is still denied.
gen_require(`
type nessus_client_packet_t;
')
dontaudit $1 nessus_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_nessus_client_packets'($*)) dnl
')
########################################
##
## Receive nessus_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_nessus_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_nessus_client_packets'($*)) dnl
# (the define/pushdef/undefine lines only track nesting depth for the begin/end marker comments)
# Allow $1 to receive packets labeled nessus_client_packet_t.
# Only effective where packets actually carry this label; packet labeling is
# configured outside this file, so without it the rule is inert.
gen_require(`
type nessus_client_packet_t;
')
allow $1 nessus_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_nessus_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive nessus_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_nessus_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_nessus_client_packets'($*)) dnl
# (the define/pushdef/undefine lines only track nesting depth for the begin/end marker comments)
# Silence (do not grant) denial records for $1 receiving nessus_client_packet_t packets.
# dontaudit hides the AVC record only; the access is still denied.
gen_require(`
type nessus_client_packet_t;
')
dontaudit $1 nessus_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_nessus_client_packets'($*)) dnl
')
########################################
##
## Send and receive nessus_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_nessus_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_nessus_client_packets'($*)) dnl
# (the define/pushdef/undefine lines only track nesting depth for the begin/end marker comments)
# Composite: grants $1 both packet send and recv on nessus_client_packet_t
# via the two single-direction interfaces below.
# Least privilege: prefer the single-direction interface when the domain only talks one way.
corenet_send_nessus_client_packets($1)
corenet_receive_nessus_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_nessus_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive nessus_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_nessus_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_nessus_client_packets'($*)) dnl
# (the define/pushdef/undefine lines only track nesting depth for the begin/end marker comments)
# Composite dontaudit: silences denial records for $1 on packet send and recv
# of nessus_client_packet_t. This grants nothing; the access stays denied.
# Use sparingly: suppressed denials are invisible in the audit log and can hide real policy gaps.
corenet_dontaudit_send_nessus_client_packets($1)
corenet_dontaudit_receive_nessus_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_nessus_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the nessus_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_nessus_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_nessus_client_packets'($*)) dnl
# (the define/pushdef/undefine lines only track nesting depth for the begin/end marker comments)
# Allow $1 to relabel packets to nessus_client_packet_t.
# NOTE(review): relabelto is a labeling-authority permission, not a traffic permission;
# keep callers limited to the component that manages packet labels and audit who calls this.
gen_require(`
type nessus_client_packet_t;
')
allow $1 nessus_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_nessus_client_packets'($*)) dnl
')
########################################
##
## Send nessus_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_nessus_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_nessus_server_packets'($*)) dnl
# (the define/pushdef/undefine lines only track nesting depth for the begin/end marker comments)
# Allow $1 to send packets labeled nessus_server_packet_t.
# Only effective where packets actually carry this label; packet labeling is
# configured outside this file, so without it the rule is inert.
gen_require(`
type nessus_server_packet_t;
')
allow $1 nessus_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_nessus_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send nessus_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_nessus_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_nessus_server_packets'($*)) dnl
# (the define/pushdef/undefine lines only track nesting depth for the begin/end marker comments)
# Silence (do not grant) denial records for $1 sending nessus_server_packet_t packets.
# dontaudit hides the AVC record only; the access is still denied.
gen_require(`
type nessus_server_packet_t;
')
dontaudit $1 nessus_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_nessus_server_packets'($*)) dnl
')
########################################
##
## Receive nessus_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_nessus_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_nessus_server_packets'($*)) dnl
# (the define/pushdef/undefine lines only track nesting depth for the begin/end marker comments)
# Allow $1 to receive packets labeled nessus_server_packet_t.
# Only effective where packets actually carry this label; packet labeling is
# configured outside this file, so without it the rule is inert.
gen_require(`
type nessus_server_packet_t;
')
allow $1 nessus_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_nessus_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive nessus_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_nessus_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_nessus_server_packets'($*)) dnl
# (the define/pushdef/undefine lines only track nesting depth for the begin/end marker comments)
# Silence (do not grant) denial records for $1 receiving nessus_server_packet_t packets.
# dontaudit hides the AVC record only; the access is still denied.
gen_require(`
type nessus_server_packet_t;
')
dontaudit $1 nessus_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_nessus_server_packets'($*)) dnl
')
########################################
##
## Send and receive nessus_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_nessus_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_nessus_server_packets'($*)) dnl
# (the define/pushdef/undefine lines only track nesting depth for the begin/end marker comments)
# Composite: grants $1 both packet send and recv on nessus_server_packet_t
# via the two single-direction interfaces below.
# Least privilege: prefer the single-direction interface when the domain only talks one way.
corenet_send_nessus_server_packets($1)
corenet_receive_nessus_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_nessus_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive nessus_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_nessus_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_nessus_server_packets'($*)) dnl
# (the define/pushdef/undefine lines only track nesting depth for the begin/end marker comments)
# Composite dontaudit: silences denial records for $1 on packet send and recv
# of nessus_server_packet_t. This grants nothing; the access stays denied.
# Use sparingly: suppressed denials are invisible in the audit log and can hide real policy gaps.
corenet_dontaudit_send_nessus_server_packets($1)
corenet_dontaudit_receive_nessus_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_nessus_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the nessus_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_nessus_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_nessus_server_packets'($*)) dnl
# (the define/pushdef/undefine lines only track nesting depth for the begin/end marker comments)
# Allow $1 to relabel packets to nessus_server_packet_t.
# NOTE(review): relabelto is a labeling-authority permission, not a traffic permission;
# keep callers limited to the component that manages packet labels and audit who calls this.
gen_require(`
type nessus_server_packet_t;
')
allow $1 nessus_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_nessus_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the netsupport port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_netsupport_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_netsupport_port'($*)) dnl
# (the define/pushdef/undefine lines only track nesting depth for the begin/end marker comments)
# Allow $1 to send and receive on TCP sockets associated with netsupport_port_t.
# This grants send_msg/recv_msg only: name_bind (listen) and name_connect (connect)
# are separate interfaces and must be added explicitly for the role the domain plays.
gen_require(`
type netsupport_port_t;
')
allow $1 netsupport_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_netsupport_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the netsupport port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_netsupport_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_netsupport_port'($*)) dnl
# (the define/pushdef/undefine lines only track nesting depth for the begin/end marker comments)
# Allow $1 udp_socket send_msg on the port labeled netsupport_port_t (send direction only).
# Receiving replies needs corenet_udp_receive_netsupport_port as well.
gen_require(`
type netsupport_port_t;
')
allow $1 netsupport_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_netsupport_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the netsupport port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_netsupport_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_netsupport_port'($*)) dnl
# (the define/pushdef/undefine lines only track nesting depth for the begin/end marker comments)
# Silence (do not grant) denial records for $1 on udp_socket send_msg to netsupport_port_t.
# dontaudit hides the AVC record only; the access is still denied.
gen_require(`
type netsupport_port_t;
')
dontaudit $1 netsupport_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_netsupport_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the netsupport port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_netsupport_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_netsupport_port'($*)) dnl
# (the define/pushdef/undefine lines only track nesting depth for the begin/end marker comments)
# Allow $1 udp_socket recv_msg on the port labeled netsupport_port_t (receive direction only).
# Sending needs corenet_udp_send_netsupport_port as well.
gen_require(`
type netsupport_port_t;
')
allow $1 netsupport_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_netsupport_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the netsupport port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_netsupport_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_netsupport_port'($*)) dnl
# (the define/pushdef/undefine lines only track nesting depth for the begin/end marker comments)
# Silence (do not grant) denial records for $1 on udp_socket recv_msg from netsupport_port_t.
# dontaudit hides the AVC record only; the access is still denied.
gen_require(`
type netsupport_port_t;
')
dontaudit $1 netsupport_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_netsupport_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the netsupport port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_netsupport_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_netsupport_port'($*)) dnl
# (the define/pushdef/undefine lines only track nesting depth for the begin/end marker comments)
# Composite: grants $1 both udp_socket send_msg and recv_msg on netsupport_port_t
# via the two single-direction interfaces below.
# Least privilege: prefer the single-direction interface when the domain only talks one way.
corenet_udp_send_netsupport_port($1)
corenet_udp_receive_netsupport_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_netsupport_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the netsupport port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_netsupport_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_netsupport_port'($*)) dnl
# (the define/pushdef/undefine lines only track nesting depth for the begin/end marker comments)
# Composite dontaudit: silences denial records for $1 on udp send_msg and recv_msg
# against netsupport_port_t. This grants nothing; the access stays denied.
# Use sparingly: suppressed denials are invisible in the audit log and can hide real policy gaps.
corenet_dontaudit_udp_send_netsupport_port($1)
corenet_dontaudit_udp_receive_netsupport_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_netsupport_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the netsupport port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_netsupport_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_netsupport_port'($*)) dnl
# (the define/pushdef/undefine lines only track nesting depth for the begin/end marker comments)
# Allow $1 to bind (listen on) a TCP socket to the port labeled netsupport_port_t.
# name_bind only: the client side (name_connect) is corenet_tcp_connect_netsupport_port.
gen_require(`
type netsupport_port_t;
')
allow $1 netsupport_port_t:tcp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_netsupport_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the netsupport port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_netsupport_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_netsupport_port'($*)) dnl
# (the define/pushdef/undefine lines only track nesting depth for the begin/end marker comments)
# Allow $1 to bind a UDP socket to the port labeled netsupport_port_t.
# name_bind only: it does not by itself grant send_msg/recv_msg on the port;
# use the corenet_udp_send/receive_netsupport_port interfaces for traffic.
gen_require(`
type netsupport_port_t;
')
allow $1 netsupport_port_t:udp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_netsupport_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the netsupport port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_netsupport_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_netsupport_port'($*)) dnl
# (the define/pushdef/undefine lines only track nesting depth for the begin/end marker comments)
# Allow $1 to initiate a TCP connection to the port labeled netsupport_port_t (client side).
# name_connect only: binding a listener on the port is corenet_tcp_bind_netsupport_port.
gen_require(`
type netsupport_port_t;
')
allow $1 netsupport_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_netsupport_port'($*)) dnl
')
########################################
##
## Send netsupport_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_netsupport_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_netsupport_client_packets'($*)) dnl
# (the define/pushdef/undefine lines only track nesting depth for the begin/end marker comments)
# Allow $1 to send packets labeled netsupport_client_packet_t.
# Only effective where packets actually carry this label; packet labeling is
# configured outside this file, so without it the rule is inert.
gen_require(`
type netsupport_client_packet_t;
')
allow $1 netsupport_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_netsupport_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send netsupport_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_netsupport_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_netsupport_client_packets'($*)) dnl
# (the define/pushdef/undefine lines only track nesting depth for the begin/end marker comments)
# Silence (do not grant) denial records for $1 sending netsupport_client_packet_t packets.
# dontaudit hides the AVC record only; the access is still denied.
gen_require(`
type netsupport_client_packet_t;
')
dontaudit $1 netsupport_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_netsupport_client_packets'($*)) dnl
')
########################################
##
## Receive netsupport_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_netsupport_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_netsupport_client_packets'($*)) dnl
# (the define/pushdef/undefine lines only track nesting depth for the begin/end marker comments)
# Allow $1 to receive packets labeled netsupport_client_packet_t.
# Only effective where packets actually carry this label; packet labeling is
# configured outside this file, so without it the rule is inert.
gen_require(`
type netsupport_client_packet_t;
')
allow $1 netsupport_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_netsupport_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive netsupport_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_netsupport_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_netsupport_client_packets'($*)) dnl
# (the define/pushdef/undefine lines only track nesting depth for the begin/end marker comments)
# Silence (do not grant) denial records for $1 receiving netsupport_client_packet_t packets.
# dontaudit hides the AVC record only; the access is still denied.
gen_require(`
type netsupport_client_packet_t;
')
dontaudit $1 netsupport_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_netsupport_client_packets'($*)) dnl
')
########################################
##
## Send and receive netsupport_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_netsupport_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_netsupport_client_packets'($*)) dnl
# (the define/pushdef/undefine lines only track nesting depth for the begin/end marker comments)
# Composite: grants $1 both packet send and recv on netsupport_client_packet_t
# via the two single-direction interfaces below.
# Least privilege: prefer the single-direction interface when the domain only talks one way.
corenet_send_netsupport_client_packets($1)
corenet_receive_netsupport_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_netsupport_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive netsupport_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_netsupport_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_netsupport_client_packets'($*)) dnl
# (the define/pushdef/undefine lines only track nesting depth for the begin/end marker comments)
# Composite dontaudit: silences denial records for $1 on packet send and recv
# of netsupport_client_packet_t. This grants nothing; the access stays denied.
# Use sparingly: suppressed denials are invisible in the audit log and can hide real policy gaps.
corenet_dontaudit_send_netsupport_client_packets($1)
corenet_dontaudit_receive_netsupport_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_netsupport_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the netsupport_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_netsupport_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_netsupport_client_packets'($*)) dnl
# (the define/pushdef/undefine lines only track nesting depth for the begin/end marker comments)
# Allow $1 to relabel packets to netsupport_client_packet_t.
# NOTE(review): relabelto is a labeling-authority permission, not a traffic permission;
# keep callers limited to the component that manages packet labels and audit who calls this.
gen_require(`
type netsupport_client_packet_t;
')
allow $1 netsupport_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_netsupport_client_packets'($*)) dnl
')
########################################
##
## Send netsupport_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_netsupport_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_netsupport_server_packets'($*)) dnl
# (the define/pushdef/undefine lines only track nesting depth for the begin/end marker comments)
# Allow $1 to send packets labeled netsupport_server_packet_t.
# Only effective where packets actually carry this label; packet labeling is
# configured outside this file, so without it the rule is inert.
gen_require(`
type netsupport_server_packet_t;
')
allow $1 netsupport_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_netsupport_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send netsupport_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_netsupport_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_netsupport_server_packets'($*)) dnl
# (the define/pushdef/undefine lines only track nesting depth for the begin/end marker comments)
# Silence (do not grant) denial records for $1 sending netsupport_server_packet_t packets.
# dontaudit hides the AVC record only; the access is still denied.
gen_require(`
type netsupport_server_packet_t;
')
dontaudit $1 netsupport_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_netsupport_server_packets'($*)) dnl
')
########################################
##
## Receive netsupport_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_netsupport_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_netsupport_server_packets'($*)) dnl
# (the define/pushdef/undefine lines only track nesting depth for the begin/end marker comments)
# Allow $1 to receive packets labeled netsupport_server_packet_t.
# Only effective where packets actually carry this label; packet labeling is
# configured outside this file, so without it the rule is inert.
gen_require(`
type netsupport_server_packet_t;
')
allow $1 netsupport_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_netsupport_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive netsupport_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_netsupport_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_netsupport_server_packets'($*)) dnl
# (the define/pushdef/undefine lines only track nesting depth for the begin/end marker comments)
# Silence (do not grant) denial records for $1 receiving netsupport_server_packet_t packets.
# dontaudit hides the AVC record only; the access is still denied.
gen_require(`
type netsupport_server_packet_t;
')
dontaudit $1 netsupport_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_netsupport_server_packets'($*)) dnl
')
########################################
##
## Send and receive netsupport_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_netsupport_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_netsupport_server_packets'($*)) dnl
# (the define/pushdef/undefine lines only track nesting depth for the begin/end marker comments)
# Composite: grants $1 both packet send and recv on netsupport_server_packet_t
# via the two single-direction interfaces below.
# Least privilege: prefer the single-direction interface when the domain only talks one way.
corenet_send_netsupport_server_packets($1)
corenet_receive_netsupport_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_netsupport_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive netsupport_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_netsupport_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_netsupport_server_packets'($*)) dnl
# (the define/pushdef/undefine lines only track nesting depth for the begin/end marker comments)
# Composite dontaudit: silences denial records for $1 on packet send and recv
# of netsupport_server_packet_t. This grants nothing; the access stays denied.
# Use sparingly: suppressed denials are invisible in the audit log and can hide real policy gaps.
corenet_dontaudit_send_netsupport_server_packets($1)
corenet_dontaudit_receive_netsupport_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_netsupport_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the netsupport_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_netsupport_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_netsupport_server_packets'($*)) dnl
# (the define/pushdef/undefine lines only track nesting depth for the begin/end marker comments)
# Allow $1 to relabel packets to netsupport_server_packet_t.
# NOTE(review): relabelto is a labeling-authority permission, not a traffic permission;
# keep callers limited to the component that manages packet labels and audit who calls this.
gen_require(`
type netsupport_server_packet_t;
')
allow $1 netsupport_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_netsupport_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the nmbd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_nmbd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_nmbd_port'($*)) dnl
# (the define/pushdef/undefine lines only track nesting depth for the begin/end marker comments)
# Allow $1 to send and receive on TCP sockets associated with nmbd_port_t.
# This grants send_msg/recv_msg only: name_bind (listen) and name_connect (connect)
# are separate interfaces and must be added explicitly for the role the domain plays.
gen_require(`
type nmbd_port_t;
')
allow $1 nmbd_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_nmbd_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the nmbd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_nmbd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_nmbd_port'($*)) dnl
# (the define/pushdef/undefine lines only track nesting depth for the begin/end marker comments)
# Allow $1 udp_socket send_msg on the port labeled nmbd_port_t (send direction only).
# Receiving replies needs corenet_udp_receive_nmbd_port as well.
gen_require(`
type nmbd_port_t;
')
allow $1 nmbd_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_nmbd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the nmbd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_nmbd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_nmbd_port'($*)) dnl
# (the define/pushdef/undefine lines only track nesting depth for the begin/end marker comments)
# Silence (do not grant) denial records for $1 on udp_socket send_msg to nmbd_port_t.
# dontaudit hides the AVC record only; the access is still denied.
gen_require(`
type nmbd_port_t;
')
dontaudit $1 nmbd_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_nmbd_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the nmbd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_nmbd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_nmbd_port'($*)) dnl
# (the define/pushdef/undefine lines only track nesting depth for the begin/end marker comments)
# Allow $1 udp_socket recv_msg on the port labeled nmbd_port_t (receive direction only).
# Sending needs corenet_udp_send_nmbd_port as well.
gen_require(`
type nmbd_port_t;
')
allow $1 nmbd_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_nmbd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the nmbd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_nmbd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_nmbd_port'($*)) dnl
# Silence AVC denials when the caller domain receives UDP datagrams on nmbd_port_t.
# The access stays denied; only the audit record is dropped. Keep this to known,
# harmless noise, since it also hides evidence of real misuse in the audit log.
gen_require(`
type nmbd_port_t;
')
dontaudit $1 nmbd_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_nmbd_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the nmbd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_nmbd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_nmbd_port'($*)) dnl
# Convenience wrapper: grants both UDP directions on nmbd_port_t by calling the
# single-direction interfaces for the same domain. It carries no rules of its own.
corenet_udp_send_nmbd_port($1)
corenet_udp_receive_nmbd_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_nmbd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the nmbd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_nmbd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_nmbd_port'($*)) dnl
# Convenience wrapper: silences both UDP directions on nmbd_port_t by calling the
# single-direction dontaudit interfaces for the same domain. No rules of its own.
corenet_dontaudit_udp_send_nmbd_port($1)
corenet_dontaudit_udp_receive_nmbd_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_nmbd_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the nmbd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_nmbd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_nmbd_port'($*)) dnl
# Allow the caller domain to bind TCP sockets to a port labeled nmbd_port_t.
# name_bind is a socket-layer check enforced on every bind call.
gen_require(`
type nmbd_port_t;
')
allow $1 nmbd_port_t:tcp_socket name_bind;
# Also grants CAP_NET_BIND_SERVICE, presumably because the nmbd port is privileged.
# The capability is process-wide, not tied to this port: the domain may then bind
# any privileged port its other name_bind rules allow. Review callers accordingly.
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_nmbd_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the nmbd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_nmbd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_nmbd_port'($*)) dnl
# Allow the caller domain to bind UDP sockets to a port labeled nmbd_port_t.
# name_bind is a socket-layer check enforced on every bind call.
gen_require(`
type nmbd_port_t;
')
allow $1 nmbd_port_t:udp_socket name_bind;
# Also grants CAP_NET_BIND_SERVICE, presumably because the nmbd port is privileged.
# The capability is process-wide, not tied to this port: the domain may then bind
# any privileged port its other name_bind rules allow. Review callers accordingly.
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_nmbd_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the nmbd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_nmbd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_nmbd_port'($*)) dnl
# Allow the caller domain to connect TCP sockets to a port labeled nmbd_port_t.
# name_connect is a socket-layer check enforced on every connect call, unlike the
# legacy send_msg/recv_msg port checks.
gen_require(`
type nmbd_port_t;
')
allow $1 nmbd_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_nmbd_port'($*)) dnl
')
########################################
##
## Send nmbd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_nmbd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_nmbd_client_packets'($*)) dnl
# Allow the caller domain to send packets labeled nmbd_client_packet_t.
# Packet labels are assigned by SECMARK firewall rules; without such rules traffic
# is unlabeled and this rule has no effect. Check the firewall policy for the label.
gen_require(`
type nmbd_client_packet_t;
')
allow $1 nmbd_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_nmbd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send nmbd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_nmbd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_nmbd_client_packets'($*)) dnl
# Silence AVC denials when the caller domain sends nmbd_client_packet_t packets.
# The packets are still dropped; only the audit record is suppressed, which also
# hides evidence of misuse, so keep this to known-harmless noise.
gen_require(`
type nmbd_client_packet_t;
')
dontaudit $1 nmbd_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_nmbd_client_packets'($*)) dnl
')
########################################
##
## Receive nmbd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_nmbd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_nmbd_client_packets'($*)) dnl
# Allow the caller domain to receive packets labeled nmbd_client_packet_t.
# Packet labels are assigned by SECMARK firewall rules; without such rules traffic
# is unlabeled and this rule has no effect. Check the firewall policy for the label.
gen_require(`
type nmbd_client_packet_t;
')
allow $1 nmbd_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_nmbd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive nmbd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_nmbd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_nmbd_client_packets'($*)) dnl
# Silence AVC denials when the caller domain receives nmbd_client_packet_t packets.
# The packets are still dropped; only the audit record is suppressed, which also
# hides evidence of misuse, so keep this to known-harmless noise.
gen_require(`
type nmbd_client_packet_t;
')
dontaudit $1 nmbd_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_nmbd_client_packets'($*)) dnl
')
########################################
##
## Send and receive nmbd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_nmbd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_nmbd_client_packets'($*)) dnl
# Convenience wrapper: grants send and recv on nmbd_client_packet_t by calling the
# single-direction interfaces for the same domain. It carries no rules of its own.
corenet_send_nmbd_client_packets($1)
corenet_receive_nmbd_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_nmbd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive nmbd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_nmbd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_nmbd_client_packets'($*)) dnl
# Convenience wrapper: silences send and recv denials on nmbd_client_packet_t by
# calling the single-direction dontaudit interfaces. No rules of its own.
corenet_dontaudit_send_nmbd_client_packets($1)
corenet_dontaudit_receive_nmbd_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_nmbd_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the nmbd_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_nmbd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_nmbd_client_packets'($*)) dnl
# Allow the caller domain to relabel packets to nmbd_client_packet_t, which is
# what loading a SECMARK firewall rule that assigns the label requires. Only the
# domain that manages firewall rules should normally get this: whoever can relabel
# packets can steer traffic into or out of the packet rules of other domains.
gen_require(`
type nmbd_client_packet_t;
')
allow $1 nmbd_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_nmbd_client_packets'($*)) dnl
')
########################################
##
## Send nmbd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_nmbd_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_nmbd_server_packets'($*)) dnl
# Allow the caller domain to send packets labeled nmbd_server_packet_t.
# Packet labels are assigned by SECMARK firewall rules; without such rules traffic
# is unlabeled and this rule has no effect. Check the firewall policy for the label.
gen_require(`
type nmbd_server_packet_t;
')
allow $1 nmbd_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_nmbd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send nmbd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_nmbd_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_nmbd_server_packets'($*)) dnl
# Silence AVC denials when the caller domain sends nmbd_server_packet_t packets.
# The packets are still dropped; only the audit record is suppressed, which also
# hides evidence of misuse, so keep this to known-harmless noise.
gen_require(`
type nmbd_server_packet_t;
')
dontaudit $1 nmbd_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_nmbd_server_packets'($*)) dnl
')
########################################
##
## Receive nmbd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_nmbd_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_nmbd_server_packets'($*)) dnl
# Allow the caller domain to receive packets labeled nmbd_server_packet_t.
# Packet labels are assigned by SECMARK firewall rules; without such rules traffic
# is unlabeled and this rule has no effect. Check the firewall policy for the label.
gen_require(`
type nmbd_server_packet_t;
')
allow $1 nmbd_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_nmbd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive nmbd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_nmbd_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_nmbd_server_packets'($*)) dnl
# Silence AVC denials when the caller domain receives nmbd_server_packet_t packets.
# The packets are still dropped; only the audit record is suppressed, which also
# hides evidence of misuse, so keep this to known-harmless noise.
gen_require(`
type nmbd_server_packet_t;
')
dontaudit $1 nmbd_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_nmbd_server_packets'($*)) dnl
')
########################################
##
## Send and receive nmbd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_nmbd_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_nmbd_server_packets'($*)) dnl
# Convenience wrapper: grants send and recv on nmbd_server_packet_t by calling the
# single-direction interfaces for the same domain. It carries no rules of its own.
corenet_send_nmbd_server_packets($1)
corenet_receive_nmbd_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_nmbd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive nmbd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_nmbd_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_nmbd_server_packets'($*)) dnl
# Convenience wrapper: silences send and recv denials on nmbd_server_packet_t by
# calling the single-direction dontaudit interfaces. No rules of its own.
corenet_dontaudit_send_nmbd_server_packets($1)
corenet_dontaudit_receive_nmbd_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_nmbd_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the nmbd_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_nmbd_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_nmbd_server_packets'($*)) dnl
# Allow the caller domain to relabel packets to nmbd_server_packet_t, which is
# what loading a SECMARK firewall rule that assigns the label requires. Only the
# domain that manages firewall rules should normally get this: whoever can relabel
# packets can steer traffic into or out of the packet rules of other domains.
gen_require(`
type nmbd_server_packet_t;
')
allow $1 nmbd_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_nmbd_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the ntp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_ntp_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ntp_port'($*)) dnl
# Allow the caller domain to send and receive TCP traffic on a port labeled
# ntp_port_t. NOTE(review): tcp_socket send_msg/recv_msg against a port type are
# legacy network checks; kernels with the network_peer_controls policy capability
# enabled skip them. Confirm against the target kernel and policy.
gen_require(`
type ntp_port_t;
')
allow $1 ntp_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ntp_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the ntp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_ntp_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ntp_port'($*)) dnl
# Allow the caller domain to send UDP datagrams to a port labeled ntp_port_t.
# NOTE(review): udp_socket send_msg against a port type is a legacy network check;
# kernels with the network_peer_controls policy capability enabled skip it, so the
# rule may grant nothing at runtime. Confirm against the target kernel and policy.
gen_require(`
type ntp_port_t;
')
allow $1 ntp_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_ntp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the ntp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_ntp_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ntp_port'($*)) dnl
# Silence AVC denials when the caller domain sends UDP datagrams to ntp_port_t.
# The access stays denied; only the audit record is dropped. Keep this to known,
# harmless noise, since it also hides evidence of real misuse in the audit log.
gen_require(`
type ntp_port_t;
')
dontaudit $1 ntp_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ntp_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the ntp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_ntp_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ntp_port'($*)) dnl
# Allow the caller domain to receive UDP datagrams on a port labeled ntp_port_t.
# NOTE(review): udp_socket recv_msg against a port type is a legacy network check;
# kernels with the network_peer_controls policy capability enabled skip it. Confirm
# against the target kernel and policy before relying on it for enforcement.
gen_require(`
type ntp_port_t;
')
allow $1 ntp_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ntp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the ntp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_ntp_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ntp_port'($*)) dnl
# Silence AVC denials when the caller domain receives UDP datagrams on ntp_port_t.
# The access stays denied; only the audit record is dropped. Keep this to known,
# harmless noise, since it also hides evidence of real misuse in the audit log.
gen_require(`
type ntp_port_t;
')
dontaudit $1 ntp_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ntp_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the ntp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_ntp_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ntp_port'($*)) dnl
# Convenience wrapper: grants both UDP directions on ntp_port_t by calling the
# single-direction interfaces for the same domain. It carries no rules of its own.
corenet_udp_send_ntp_port($1)
corenet_udp_receive_ntp_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ntp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the ntp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_ntp_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ntp_port'($*)) dnl
# Convenience wrapper: silences both UDP directions on ntp_port_t by calling the
# single-direction dontaudit interfaces for the same domain. No rules of its own.
corenet_dontaudit_udp_send_ntp_port($1)
corenet_dontaudit_udp_receive_ntp_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ntp_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the ntp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_ntp_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ntp_port'($*)) dnl
# Allow the caller domain to bind TCP sockets to a port labeled ntp_port_t.
# name_bind is a socket-layer check enforced on every bind call.
gen_require(`
type ntp_port_t;
')
allow $1 ntp_port_t:tcp_socket name_bind;
# Also grants CAP_NET_BIND_SERVICE, presumably because the ntp port is privileged.
# The capability is process-wide, not tied to this port: the domain may then bind
# any privileged port its other name_bind rules allow. Review callers accordingly.
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ntp_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the ntp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_ntp_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ntp_port'($*)) dnl
# Allow the caller domain to bind UDP sockets to a port labeled ntp_port_t.
# name_bind is a socket-layer check enforced on every bind call.
gen_require(`
type ntp_port_t;
')
allow $1 ntp_port_t:udp_socket name_bind;
# Also grants CAP_NET_BIND_SERVICE, presumably because the ntp port is privileged.
# The capability is process-wide, not tied to this port: the domain may then bind
# any privileged port its other name_bind rules allow. Review callers accordingly.
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ntp_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the ntp port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_ntp_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ntp_port'($*)) dnl
# Allow the caller domain to connect TCP sockets to a port labeled ntp_port_t.
# name_connect is a socket-layer check enforced on every connect call, unlike the
# legacy send_msg/recv_msg port checks.
gen_require(`
type ntp_port_t;
')
allow $1 ntp_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ntp_port'($*)) dnl
')
########################################
##
## Send ntp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_ntp_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ntp_client_packets'($*)) dnl
# Allow the caller domain to send packets labeled ntp_client_packet_t.
# Packet labels are assigned by SECMARK firewall rules; without such rules traffic
# is unlabeled and this rule has no effect. Check the firewall policy for the label.
gen_require(`
type ntp_client_packet_t;
')
allow $1 ntp_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ntp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send ntp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_ntp_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ntp_client_packets'($*)) dnl
# Silence AVC denials when the caller domain sends ntp_client_packet_t packets.
# The packets are still dropped; only the audit record is suppressed, which also
# hides evidence of misuse, so keep this to known-harmless noise.
gen_require(`
type ntp_client_packet_t;
')
dontaudit $1 ntp_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ntp_client_packets'($*)) dnl
')
########################################
##
## Receive ntp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_ntp_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ntp_client_packets'($*)) dnl
# Allow the caller domain to receive packets labeled ntp_client_packet_t.
# Packet labels are assigned by SECMARK firewall rules; without such rules traffic
# is unlabeled and this rule has no effect. Check the firewall policy for the label.
gen_require(`
type ntp_client_packet_t;
')
allow $1 ntp_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ntp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive ntp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_ntp_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ntp_client_packets'($*)) dnl
# Silence AVC denials when the caller domain receives ntp_client_packet_t packets.
# The packets are still dropped; only the audit record is suppressed, which also
# hides evidence of misuse, so keep this to known-harmless noise.
gen_require(`
type ntp_client_packet_t;
')
dontaudit $1 ntp_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ntp_client_packets'($*)) dnl
')
########################################
##
## Send and receive ntp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_ntp_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ntp_client_packets'($*)) dnl
# Convenience wrapper: grants send and recv on ntp_client_packet_t by calling the
# single-direction interfaces for the same domain. It carries no rules of its own.
corenet_send_ntp_client_packets($1)
corenet_receive_ntp_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ntp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive ntp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_ntp_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ntp_client_packets'($*)) dnl
# Convenience wrapper: silences send and recv denials on ntp_client_packet_t by
# calling the single-direction dontaudit interfaces. No rules of its own.
corenet_dontaudit_send_ntp_client_packets($1)
corenet_dontaudit_receive_ntp_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ntp_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the ntp_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_ntp_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ntp_client_packets'($*)) dnl
# Allow the caller domain to relabel packets to ntp_client_packet_t, which is
# what loading a SECMARK firewall rule that assigns the label requires. Only the
# domain that manages firewall rules should normally get this: whoever can relabel
# packets can steer traffic into or out of the packet rules of other domains.
gen_require(`
type ntp_client_packet_t;
')
allow $1 ntp_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ntp_client_packets'($*)) dnl
')
########################################
##
## Send ntp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_ntp_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ntp_server_packets'($*)) dnl
# Allow the caller domain to send packets labeled ntp_server_packet_t.
# Packet labels are assigned by SECMARK firewall rules; without such rules traffic
# is unlabeled and this rule has no effect. Check the firewall policy for the label.
gen_require(`
type ntp_server_packet_t;
')
allow $1 ntp_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ntp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send ntp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_ntp_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ntp_server_packets'($*)) dnl
# Silence AVC denials when the caller domain sends ntp_server_packet_t packets.
# The packets are still dropped; only the audit record is suppressed, which also
# hides evidence of misuse, so keep this to known-harmless noise.
gen_require(`
type ntp_server_packet_t;
')
dontaudit $1 ntp_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ntp_server_packets'($*)) dnl
')
########################################
##
## Receive ntp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_ntp_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ntp_server_packets'($*)) dnl
# Allow the caller domain to receive packets labeled ntp_server_packet_t.
# Packet labels are assigned by SECMARK firewall rules; without such rules traffic
# is unlabeled and this rule has no effect. Check the firewall policy for the label.
gen_require(`
type ntp_server_packet_t;
')
allow $1 ntp_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ntp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive ntp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_ntp_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ntp_server_packets'($*)) dnl
# Silence AVC denials when the caller domain receives ntp_server_packet_t packets.
# The packets are still dropped; only the audit record is suppressed, which also
# hides evidence of misuse, so keep this to known-harmless noise.
gen_require(`
type ntp_server_packet_t;
')
dontaudit $1 ntp_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ntp_server_packets'($*)) dnl
')
########################################
##
## Send and receive ntp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_ntp_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ntp_server_packets'($*)) dnl
# Convenience wrapper: grants send and recv on ntp_server_packet_t by calling the
# single-direction interfaces for the same domain. It carries no rules of its own.
corenet_send_ntp_server_packets($1)
corenet_receive_ntp_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ntp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive ntp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_ntp_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ntp_server_packets'($*)) dnl
# Convenience wrapper: silences send and recv denials on ntp_server_packet_t by
# calling the single-direction dontaudit interfaces. No rules of its own.
corenet_dontaudit_send_ntp_server_packets($1)
corenet_dontaudit_receive_ntp_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ntp_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the ntp_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_ntp_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ntp_server_packets'($*)) dnl
# Allow the caller domain to relabel packets to ntp_server_packet_t, which is
# what loading a SECMARK firewall rule that assigns the label requires. Only the
# domain that manages firewall rules should normally get this: whoever can relabel
# packets can steer traffic into or out of the packet rules of other domains.
gen_require(`
type ntp_server_packet_t;
')
allow $1 ntp_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ntp_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the ocsp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_ocsp_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ocsp_port'($*)) dnl
# Allow the caller domain to send and receive TCP traffic on a port labeled
# ocsp_port_t. NOTE(review): tcp_socket send_msg/recv_msg against a port type are
# legacy network checks; kernels with the network_peer_controls policy capability
# enabled skip them. Confirm against the target kernel and policy.
gen_require(`
type ocsp_port_t;
')
allow $1 ocsp_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ocsp_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the ocsp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_ocsp_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ocsp_port'($*)) dnl
# Allow the caller domain to send UDP datagrams to a port labeled ocsp_port_t.
# NOTE(review): udp_socket send_msg against a port type is a legacy network check;
# kernels with the network_peer_controls policy capability enabled skip it, so the
# rule may grant nothing at runtime. Confirm against the target kernel and policy.
gen_require(`
type ocsp_port_t;
')
allow $1 ocsp_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_ocsp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the ocsp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_ocsp_port',` dnl
dnl Expands to: dontaudit argument 1 (the caller domain) send_msg on udp_socket objects labelled ocsp_port_t.
dnl A dontaudit rule grants nothing; it only suppresses the AVC denial record, so the attempt no longer appears in the audit log.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ocsp_port'($*)) dnl
gen_require(`
type ocsp_port_t;
')
dontaudit $1 ocsp_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ocsp_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the ocsp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_ocsp_port',` dnl
dnl Expands to: allow argument 1 (the caller domain) recv_msg on udp_socket objects labelled ocsp_port_t.
dnl The gen_require wrapper optionally inserts a require block declaring ocsp_port_t.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ocsp_port'($*)) dnl
gen_require(`
type ocsp_port_t;
')
allow $1 ocsp_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ocsp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the ocsp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_ocsp_port',` dnl
dnl Expands to: dontaudit argument 1 (the caller domain) recv_msg on udp_socket objects labelled ocsp_port_t.
dnl A dontaudit rule grants nothing; it only suppresses the AVC denial record, so the attempt no longer appears in the audit log.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ocsp_port'($*)) dnl
gen_require(`
type ocsp_port_t;
')
dontaudit $1 ocsp_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ocsp_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the ocsp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_ocsp_port',` dnl
dnl Convenience wrapper: expands to the udp send and udp receive interfaces for the ocsp port, each of which carries its own require block.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ocsp_port'($*)) dnl
corenet_udp_send_ocsp_port($1)
corenet_udp_receive_ocsp_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ocsp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the ocsp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_ocsp_port',` dnl
dnl Convenience wrapper: expands to the dontaudit udp send and dontaudit udp receive interfaces for the ocsp port.
dnl Suppresses audit records only; no access is granted.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ocsp_port'($*)) dnl
corenet_dontaudit_udp_send_ocsp_port($1)
corenet_dontaudit_udp_receive_ocsp_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ocsp_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the ocsp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_ocsp_port',` dnl
dnl Expands to: allow argument 1 (the caller domain) name_bind on tcp_socket objects labelled ocsp_port_t, i.e. binding a TCP socket to this port.
dnl The gen_require wrapper optionally inserts a require block declaring ocsp_port_t.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ocsp_port'($*)) dnl
gen_require(`
type ocsp_port_t;
')
allow $1 ocsp_port_t:tcp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ocsp_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the ocsp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_ocsp_port',` dnl
dnl Expands to: allow argument 1 (the caller domain) name_bind on udp_socket objects labelled ocsp_port_t, i.e. binding a UDP socket to this port.
dnl The gen_require wrapper optionally inserts a require block declaring ocsp_port_t.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ocsp_port'($*)) dnl
gen_require(`
type ocsp_port_t;
')
allow $1 ocsp_port_t:udp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ocsp_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the ocsp port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_ocsp_port',` dnl
dnl Expands to: allow argument 1 (the caller domain) name_connect on tcp_socket objects labelled ocsp_port_t, i.e. connecting out to this port.
dnl The gen_require wrapper optionally inserts a require block declaring ocsp_port_t.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ocsp_port'($*)) dnl
gen_require(`
type ocsp_port_t;
')
allow $1 ocsp_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ocsp_port'($*)) dnl
')
########################################
##
## Send ocsp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_ocsp_client_packets',` dnl
dnl Expands to: allow argument 1 (the caller domain) send on packet objects labelled ocsp_client_packet_t.
dnl Packet-class rules only take effect for traffic that netfilter SECMARK labelling has marked ocsp_client_packet_t.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ocsp_client_packets'($*)) dnl
gen_require(`
type ocsp_client_packet_t;
')
allow $1 ocsp_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ocsp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send ocsp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_ocsp_client_packets',` dnl
dnl Expands to: dontaudit argument 1 (the caller domain) send on packet objects labelled ocsp_client_packet_t.
dnl A dontaudit rule grants nothing; it only suppresses the AVC denial record for this access.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ocsp_client_packets'($*)) dnl
gen_require(`
type ocsp_client_packet_t;
')
dontaudit $1 ocsp_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ocsp_client_packets'($*)) dnl
')
########################################
##
## Receive ocsp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_ocsp_client_packets',` dnl
dnl Expands to: allow argument 1 (the caller domain) recv on packet objects labelled ocsp_client_packet_t.
dnl Packet-class rules only take effect for traffic that netfilter SECMARK labelling has marked ocsp_client_packet_t.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ocsp_client_packets'($*)) dnl
gen_require(`
type ocsp_client_packet_t;
')
allow $1 ocsp_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ocsp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive ocsp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_ocsp_client_packets',` dnl
dnl Expands to: dontaudit argument 1 (the caller domain) recv on packet objects labelled ocsp_client_packet_t.
dnl A dontaudit rule grants nothing; it only suppresses the AVC denial record for this access.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ocsp_client_packets'($*)) dnl
gen_require(`
type ocsp_client_packet_t;
')
dontaudit $1 ocsp_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ocsp_client_packets'($*)) dnl
')
########################################
##
## Send and receive ocsp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_ocsp_client_packets',` dnl
dnl Convenience wrapper: expands to the send and receive interfaces for ocsp_client_packet_t, each of which carries its own require block.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ocsp_client_packets'($*)) dnl
corenet_send_ocsp_client_packets($1)
corenet_receive_ocsp_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ocsp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive ocsp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_ocsp_client_packets',` dnl
dnl Convenience wrapper: expands to the dontaudit send and dontaudit receive interfaces for ocsp_client_packet_t.
dnl Suppresses audit records only; no access is granted.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ocsp_client_packets'($*)) dnl
corenet_dontaudit_send_ocsp_client_packets($1)
corenet_dontaudit_receive_ocsp_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ocsp_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the ocsp_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_ocsp_client_packets',` dnl
dnl Expands to: allow argument 1 (the caller domain) relabelto on packet objects, i.e. changing a packet label to ocsp_client_packet_t.
dnl The gen_require wrapper optionally inserts a require block declaring ocsp_client_packet_t.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ocsp_client_packets'($*)) dnl
gen_require(`
type ocsp_client_packet_t;
')
allow $1 ocsp_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ocsp_client_packets'($*)) dnl
')
########################################
##
## Send ocsp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_ocsp_server_packets',` dnl
dnl Expands to: allow argument 1 (the caller domain) send on packet objects labelled ocsp_server_packet_t.
dnl Packet-class rules only take effect for traffic that netfilter SECMARK labelling has marked ocsp_server_packet_t.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ocsp_server_packets'($*)) dnl
gen_require(`
type ocsp_server_packet_t;
')
allow $1 ocsp_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ocsp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send ocsp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_ocsp_server_packets',` dnl
dnl Expands to: dontaudit argument 1 (the caller domain) send on packet objects labelled ocsp_server_packet_t.
dnl A dontaudit rule grants nothing; it only suppresses the AVC denial record for this access.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ocsp_server_packets'($*)) dnl
gen_require(`
type ocsp_server_packet_t;
')
dontaudit $1 ocsp_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ocsp_server_packets'($*)) dnl
')
########################################
##
## Receive ocsp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_ocsp_server_packets',` dnl
dnl Expands to: allow argument 1 (the caller domain) recv on packet objects labelled ocsp_server_packet_t.
dnl Packet-class rules only take effect for traffic that netfilter SECMARK labelling has marked ocsp_server_packet_t.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ocsp_server_packets'($*)) dnl
gen_require(`
type ocsp_server_packet_t;
')
allow $1 ocsp_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ocsp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive ocsp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_ocsp_server_packets',` dnl
dnl Expands to: dontaudit argument 1 (the caller domain) recv on packet objects labelled ocsp_server_packet_t.
dnl A dontaudit rule grants nothing; it only suppresses the AVC denial record for this access.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ocsp_server_packets'($*)) dnl
gen_require(`
type ocsp_server_packet_t;
')
dontaudit $1 ocsp_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ocsp_server_packets'($*)) dnl
')
########################################
##
## Send and receive ocsp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_ocsp_server_packets',` dnl
dnl Convenience wrapper: expands to the send and receive interfaces for ocsp_server_packet_t, each of which carries its own require block.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ocsp_server_packets'($*)) dnl
corenet_send_ocsp_server_packets($1)
corenet_receive_ocsp_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ocsp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive ocsp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_ocsp_server_packets',` dnl
dnl Convenience wrapper: expands to the dontaudit send and dontaudit receive interfaces for ocsp_server_packet_t.
dnl Suppresses audit records only; no access is granted.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ocsp_server_packets'($*)) dnl
corenet_dontaudit_send_ocsp_server_packets($1)
corenet_dontaudit_receive_ocsp_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ocsp_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the ocsp_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_ocsp_server_packets',` dnl
dnl Expands to: allow argument 1 (the caller domain) relabelto on packet objects, i.e. changing a packet label to ocsp_server_packet_t.
dnl The gen_require wrapper optionally inserts a require block declaring ocsp_server_packet_t.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ocsp_server_packets'($*)) dnl
gen_require(`
type ocsp_server_packet_t;
')
allow $1 ocsp_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ocsp_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the openvpn port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_openvpn_port',` dnl
dnl Expands to: allow argument 1 (the caller domain) send_msg and recv_msg on tcp_socket objects labelled openvpn_port_t.
dnl The gen_require wrapper optionally inserts a require block declaring openvpn_port_t.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_openvpn_port'($*)) dnl
gen_require(`
type openvpn_port_t;
')
allow $1 openvpn_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_openvpn_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the openvpn port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_openvpn_port',` dnl
dnl Expands to: allow argument 1 (the caller domain) send_msg on udp_socket objects labelled openvpn_port_t.
dnl The gen_require wrapper optionally inserts a require block declaring openvpn_port_t.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_openvpn_port'($*)) dnl
gen_require(`
type openvpn_port_t;
')
allow $1 openvpn_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_openvpn_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the openvpn port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_openvpn_port',` dnl
dnl Expands to: dontaudit argument 1 (the caller domain) send_msg on udp_socket objects labelled openvpn_port_t.
dnl A dontaudit rule grants nothing; it only suppresses the AVC denial record, so the attempt no longer appears in the audit log.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_openvpn_port'($*)) dnl
gen_require(`
type openvpn_port_t;
')
dontaudit $1 openvpn_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_openvpn_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the openvpn port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_openvpn_port',` dnl
dnl Expands to: allow argument 1 (the caller domain) recv_msg on udp_socket objects labelled openvpn_port_t.
dnl The gen_require wrapper optionally inserts a require block declaring openvpn_port_t.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_openvpn_port'($*)) dnl
gen_require(`
type openvpn_port_t;
')
allow $1 openvpn_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_openvpn_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the openvpn port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_openvpn_port',` dnl
dnl Expands to: dontaudit argument 1 (the caller domain) recv_msg on udp_socket objects labelled openvpn_port_t.
dnl A dontaudit rule grants nothing; it only suppresses the AVC denial record, so the attempt no longer appears in the audit log.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_openvpn_port'($*)) dnl
gen_require(`
type openvpn_port_t;
')
dontaudit $1 openvpn_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_openvpn_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the openvpn port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_openvpn_port',` dnl
dnl Convenience wrapper: expands to the udp send and udp receive interfaces for the openvpn port, each of which carries its own require block.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_openvpn_port'($*)) dnl
corenet_udp_send_openvpn_port($1)
corenet_udp_receive_openvpn_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_openvpn_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the openvpn port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_openvpn_port',` dnl
dnl Convenience wrapper: expands to the dontaudit udp send and dontaudit udp receive interfaces for the openvpn port.
dnl Suppresses audit records only; no access is granted.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_openvpn_port'($*)) dnl
corenet_dontaudit_udp_send_openvpn_port($1)
corenet_dontaudit_udp_receive_openvpn_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_openvpn_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the openvpn port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_openvpn_port',` dnl
dnl Expands to: allow argument 1 (the caller domain) name_bind on tcp_socket objects labelled openvpn_port_t, i.e. binding a TCP socket to this port.
dnl The gen_require wrapper optionally inserts a require block declaring openvpn_port_t.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_openvpn_port'($*)) dnl
gen_require(`
type openvpn_port_t;
')
allow $1 openvpn_port_t:tcp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_openvpn_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the openvpn port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_openvpn_port',` dnl
dnl Expands to: allow argument 1 (the caller domain) name_bind on udp_socket objects labelled openvpn_port_t, i.e. binding a UDP socket to this port.
dnl The gen_require wrapper optionally inserts a require block declaring openvpn_port_t.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_openvpn_port'($*)) dnl
gen_require(`
type openvpn_port_t;
')
allow $1 openvpn_port_t:udp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_openvpn_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the openvpn port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_openvpn_port',` dnl
dnl Expands to: allow argument 1 (the caller domain) name_connect on tcp_socket objects labelled openvpn_port_t, i.e. connecting out to this port.
dnl The gen_require wrapper optionally inserts a require block declaring openvpn_port_t.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_openvpn_port'($*)) dnl
gen_require(`
type openvpn_port_t;
')
allow $1 openvpn_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_openvpn_port'($*)) dnl
')
########################################
##
## Send openvpn_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_openvpn_client_packets',` dnl
dnl Expands to: allow argument 1 (the caller domain) send on packet objects labelled openvpn_client_packet_t.
dnl Packet-class rules only take effect for traffic that netfilter SECMARK labelling has marked openvpn_client_packet_t.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_openvpn_client_packets'($*)) dnl
gen_require(`
type openvpn_client_packet_t;
')
allow $1 openvpn_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_openvpn_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send openvpn_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_openvpn_client_packets',` dnl
dnl Expands to: dontaudit argument 1 (the caller domain) send on packet objects labelled openvpn_client_packet_t.
dnl A dontaudit rule grants nothing; it only suppresses the AVC denial record for this access.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_openvpn_client_packets'($*)) dnl
gen_require(`
type openvpn_client_packet_t;
')
dontaudit $1 openvpn_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_openvpn_client_packets'($*)) dnl
')
########################################
##
## Receive openvpn_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_openvpn_client_packets',` dnl
dnl Expands to: allow argument 1 (the caller domain) recv on packet objects labelled openvpn_client_packet_t.
dnl Packet-class rules only take effect for traffic that netfilter SECMARK labelling has marked openvpn_client_packet_t.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_openvpn_client_packets'($*)) dnl
gen_require(`
type openvpn_client_packet_t;
')
allow $1 openvpn_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_openvpn_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive openvpn_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_openvpn_client_packets',` dnl
dnl Expands to: dontaudit argument 1 (the caller domain) recv on packet objects labelled openvpn_client_packet_t.
dnl A dontaudit rule grants nothing; it only suppresses the AVC denial record for this access.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_openvpn_client_packets'($*)) dnl
gen_require(`
type openvpn_client_packet_t;
')
dontaudit $1 openvpn_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_openvpn_client_packets'($*)) dnl
')
########################################
##
## Send and receive openvpn_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_openvpn_client_packets',` dnl
dnl Convenience wrapper: expands to the send and receive interfaces for openvpn_client_packet_t, each of which carries its own require block.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_openvpn_client_packets'($*)) dnl
corenet_send_openvpn_client_packets($1)
corenet_receive_openvpn_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_openvpn_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive openvpn_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_openvpn_client_packets',` dnl
dnl Convenience wrapper: expands to the dontaudit send and dontaudit receive interfaces for openvpn_client_packet_t.
dnl Suppresses audit records only; no access is granted.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_openvpn_client_packets'($*)) dnl
corenet_dontaudit_send_openvpn_client_packets($1)
corenet_dontaudit_receive_openvpn_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_openvpn_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the openvpn_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_openvpn_client_packets',` dnl
dnl Expands to: allow argument 1 (the caller domain) relabelto on packet objects, i.e. changing a packet label to openvpn_client_packet_t.
dnl The gen_require wrapper optionally inserts a require block declaring openvpn_client_packet_t.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_openvpn_client_packets'($*)) dnl
gen_require(`
type openvpn_client_packet_t;
')
allow $1 openvpn_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_openvpn_client_packets'($*)) dnl
')
########################################
##
## Send openvpn_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_openvpn_server_packets',` dnl
dnl Expands to: allow argument 1 (the caller domain) send on packet objects labelled openvpn_server_packet_t.
dnl Packet-class rules only take effect for traffic that netfilter SECMARK labelling has marked openvpn_server_packet_t.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_openvpn_server_packets'($*)) dnl
gen_require(`
type openvpn_server_packet_t;
')
allow $1 openvpn_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_openvpn_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send openvpn_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_openvpn_server_packets',` dnl
dnl Expands to: dontaudit argument 1 (the caller domain) send on packet objects labelled openvpn_server_packet_t.
dnl A dontaudit rule grants nothing; it only suppresses the AVC denial record for this access.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_openvpn_server_packets'($*)) dnl
gen_require(`
type openvpn_server_packet_t;
')
dontaudit $1 openvpn_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_openvpn_server_packets'($*)) dnl
')
########################################
##
## Receive openvpn_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_openvpn_server_packets',` dnl
dnl Expands to: allow argument 1 (the caller domain) recv on packet objects labelled openvpn_server_packet_t.
dnl Packet-class rules only take effect for traffic that netfilter SECMARK labelling has marked openvpn_server_packet_t.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_openvpn_server_packets'($*)) dnl
gen_require(`
type openvpn_server_packet_t;
')
allow $1 openvpn_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_openvpn_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive openvpn_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_openvpn_server_packets',` dnl
dnl Expands to: dontaudit argument 1 (the caller domain) recv on packet objects labelled openvpn_server_packet_t.
dnl A dontaudit rule grants nothing; it only suppresses the AVC denial record for this access.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_openvpn_server_packets'($*)) dnl
gen_require(`
type openvpn_server_packet_t;
')
dontaudit $1 openvpn_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_openvpn_server_packets'($*)) dnl
')
########################################
##
## Send and receive openvpn_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_openvpn_server_packets',` dnl
dnl Convenience wrapper: expands to the send and receive interfaces for openvpn_server_packet_t, each of which carries its own require block.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_openvpn_server_packets'($*)) dnl
corenet_send_openvpn_server_packets($1)
corenet_receive_openvpn_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_openvpn_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive openvpn_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_openvpn_server_packets',` dnl
dnl Convenience wrapper: expands to the dontaudit send and dontaudit receive interfaces for openvpn_server_packet_t.
dnl Suppresses audit records only; no access is granted.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_openvpn_server_packets'($*)) dnl
corenet_dontaudit_send_openvpn_server_packets($1)
corenet_dontaudit_receive_openvpn_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_openvpn_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the openvpn_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_openvpn_server_packets',` dnl
dnl Expands to: allow argument 1 (the caller domain) relabelto on packet objects, i.e. changing a packet label to openvpn_server_packet_t.
dnl The gen_require wrapper optionally inserts a require block declaring openvpn_server_packet_t.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_openvpn_server_packets'($*)) dnl
gen_require(`
type openvpn_server_packet_t;
')
allow $1 openvpn_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_openvpn_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the pegasus_http port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_pegasus_http_port',` dnl
dnl Lets the caller domain (arg 1) send and receive TCP traffic on pegasus_http_port_t.
dnl gen_require inserts the require block for the port type in the calling module.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_pegasus_http_port'($*)) dnl
gen_require(`
type pegasus_http_port_t;
')
allow $1 pegasus_http_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_pegasus_http_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the pegasus_http port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_pegasus_http_port',` dnl
dnl Lets the caller domain (arg 1) send UDP traffic on pegasus_http_port_t (send_msg only).
dnl The receive direction is a separate interface; udp_sendrecv wraps both.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_pegasus_http_port'($*)) dnl
gen_require(`
type pegasus_http_port_t;
')
allow $1 pegasus_http_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_pegasus_http_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the pegasus_http port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_pegasus_http_port',` dnl
dnl Suppresses the audit record when the caller domain (arg 1) is denied UDP send_msg
dnl on pegasus_http_port_t. Grants nothing; the denial still happens, it is just not logged.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_pegasus_http_port'($*)) dnl
gen_require(`
type pegasus_http_port_t;
')
dontaudit $1 pegasus_http_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_pegasus_http_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the pegasus_http port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_pegasus_http_port',` dnl
dnl Lets the caller domain (arg 1) receive UDP traffic on pegasus_http_port_t (recv_msg only).
dnl Counterpart of corenet_udp_send_pegasus_http_port.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_pegasus_http_port'($*)) dnl
gen_require(`
type pegasus_http_port_t;
')
allow $1 pegasus_http_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_pegasus_http_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the pegasus_http port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_pegasus_http_port',` dnl
dnl Suppresses the audit record when the caller domain (arg 1) is denied UDP recv_msg
dnl on pegasus_http_port_t. Grants nothing.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_pegasus_http_port'($*)) dnl
gen_require(`
type pegasus_http_port_t;
')
dontaudit $1 pegasus_http_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_pegasus_http_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the pegasus_http port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_pegasus_http_port',` dnl
dnl Wrapper: gives the caller domain (arg 1) UDP send and receive on the pegasus_http port
dnl by calling the two single-direction interfaces; no rule of its own.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_pegasus_http_port'($*)) dnl
corenet_udp_send_pegasus_http_port($1)
corenet_udp_receive_pegasus_http_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_pegasus_http_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the pegasus_http port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_pegasus_http_port',` dnl
dnl Wrapper over the two UDP dontaudit interfaces for the caller domain (arg 1).
dnl Only silences denial logging on the pegasus_http port; it grants no access.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_pegasus_http_port'($*)) dnl
corenet_dontaudit_udp_send_pegasus_http_port($1)
corenet_dontaudit_udp_receive_pegasus_http_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_pegasus_http_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the pegasus_http port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_pegasus_http_port',` dnl
dnl Server side: lets the caller domain (arg 1) name_bind a TCP socket to pegasus_http_port_t.
dnl Clients use corenet_tcp_connect_pegasus_http_port instead; bind and connect are kept separate.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_pegasus_http_port'($*)) dnl
gen_require(`
type pegasus_http_port_t;
')
allow $1 pegasus_http_port_t:tcp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_pegasus_http_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the pegasus_http port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_pegasus_http_port',` dnl
dnl Server side: lets the caller domain (arg 1) name_bind a UDP socket to pegasus_http_port_t.
dnl Does not include send_msg or recv_msg on the port.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_pegasus_http_port'($*)) dnl
gen_require(`
type pegasus_http_port_t;
')
allow $1 pegasus_http_port_t:udp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_pegasus_http_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the pegasus_http port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_pegasus_http_port',` dnl
dnl Client side: lets the caller domain (arg 1) name_connect a TCP socket to pegasus_http_port_t.
dnl Does not grant name_bind; listening on the port needs corenet_tcp_bind_pegasus_http_port.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_pegasus_http_port'($*)) dnl
gen_require(`
type pegasus_http_port_t;
')
allow $1 pegasus_http_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_pegasus_http_port'($*)) dnl
')
########################################
##
## Send pegasus_http_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_pegasus_http_client_packets',` dnl
dnl Lets the caller domain (arg 1) send packets labeled pegasus_http_client_packet_t.
dnl Packet-class rule; independent of the port-type rules above.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pegasus_http_client_packets'($*)) dnl
gen_require(`
type pegasus_http_client_packet_t;
')
allow $1 pegasus_http_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pegasus_http_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send pegasus_http_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_pegasus_http_client_packets',` dnl
dnl Suppresses the audit record when the caller domain (arg 1) is denied sending
dnl pegasus_http_client_packet_t packets. Grants nothing.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pegasus_http_client_packets'($*)) dnl
gen_require(`
type pegasus_http_client_packet_t;
')
dontaudit $1 pegasus_http_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pegasus_http_client_packets'($*)) dnl
')
########################################
##
## Receive pegasus_http_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_pegasus_http_client_packets',` dnl
dnl Lets the caller domain (arg 1) receive packets labeled pegasus_http_client_packet_t.
dnl Counterpart of corenet_send_pegasus_http_client_packets.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pegasus_http_client_packets'($*)) dnl
gen_require(`
type pegasus_http_client_packet_t;
')
allow $1 pegasus_http_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pegasus_http_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive pegasus_http_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_pegasus_http_client_packets',` dnl
dnl Suppresses the audit record when the caller domain (arg 1) is denied receiving
dnl pegasus_http_client_packet_t packets. This is a dontaudit rule: arg 1 is the domain
dnl whose denials are silenced, not a domain being granted access.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pegasus_http_client_packets'($*)) dnl
gen_require(`
type pegasus_http_client_packet_t;
')
dontaudit $1 pegasus_http_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pegasus_http_client_packets'($*)) dnl
')
########################################
##
## Send and receive pegasus_http_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_pegasus_http_client_packets',` dnl
dnl Wrapper: gives the caller domain (arg 1) send and recv on pegasus_http_client packets
dnl by calling the two single-direction interfaces; no rule of its own.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pegasus_http_client_packets'($*)) dnl
corenet_send_pegasus_http_client_packets($1)
corenet_receive_pegasus_http_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pegasus_http_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive pegasus_http_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_pegasus_http_client_packets',` dnl
dnl Wrapper over the two dontaudit packet interfaces for the caller domain (arg 1).
dnl Only silences denial logging for pegasus_http_client packets; it grants no access.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pegasus_http_client_packets'($*)) dnl
corenet_dontaudit_send_pegasus_http_client_packets($1)
corenet_dontaudit_receive_pegasus_http_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pegasus_http_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the pegasus_http_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_pegasus_http_client_packets',` dnl
dnl Lets the caller domain (arg 1) relabel packets to pegasus_http_client_packet_t.
dnl Labeling-control permission, not send/recv; intended for domains that manage
dnl packet labels rather than ordinary network clients or servers (review).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pegasus_http_client_packets'($*)) dnl
gen_require(`
type pegasus_http_client_packet_t;
')
allow $1 pegasus_http_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pegasus_http_client_packets'($*)) dnl
')
########################################
##
## Send pegasus_http_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_pegasus_http_server_packets',` dnl
dnl Lets the caller domain (arg 1) send packets labeled pegasus_http_server_packet_t.
dnl Packet-class rule; independent of the port-type rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pegasus_http_server_packets'($*)) dnl
gen_require(`
type pegasus_http_server_packet_t;
')
allow $1 pegasus_http_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pegasus_http_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send pegasus_http_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_pegasus_http_server_packets',` dnl
dnl Suppresses the audit record when the caller domain (arg 1) is denied sending
dnl pegasus_http_server_packet_t packets. Grants nothing.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pegasus_http_server_packets'($*)) dnl
gen_require(`
type pegasus_http_server_packet_t;
')
dontaudit $1 pegasus_http_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pegasus_http_server_packets'($*)) dnl
')
########################################
##
## Receive pegasus_http_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_pegasus_http_server_packets',` dnl
dnl Lets the caller domain (arg 1) receive packets labeled pegasus_http_server_packet_t.
dnl Counterpart of corenet_send_pegasus_http_server_packets.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pegasus_http_server_packets'($*)) dnl
gen_require(`
type pegasus_http_server_packet_t;
')
allow $1 pegasus_http_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pegasus_http_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive pegasus_http_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_pegasus_http_server_packets',` dnl
dnl Suppresses the audit record when the caller domain (arg 1) is denied receiving
dnl pegasus_http_server_packet_t packets. This is a dontaudit rule: arg 1 is the domain
dnl whose denials are silenced, not a domain being granted access.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pegasus_http_server_packets'($*)) dnl
gen_require(`
type pegasus_http_server_packet_t;
')
dontaudit $1 pegasus_http_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pegasus_http_server_packets'($*)) dnl
')
########################################
##
## Send and receive pegasus_http_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_pegasus_http_server_packets',` dnl
dnl Wrapper: gives the caller domain (arg 1) send and recv on pegasus_http_server packets
dnl by calling the two single-direction interfaces; no rule of its own.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pegasus_http_server_packets'($*)) dnl
corenet_send_pegasus_http_server_packets($1)
corenet_receive_pegasus_http_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pegasus_http_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive pegasus_http_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_pegasus_http_server_packets',` dnl
dnl Wrapper over the two dontaudit packet interfaces for the caller domain (arg 1).
dnl Only silences denial logging for pegasus_http_server packets; it grants no access.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pegasus_http_server_packets'($*)) dnl
corenet_dontaudit_send_pegasus_http_server_packets($1)
corenet_dontaudit_receive_pegasus_http_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pegasus_http_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the pegasus_http_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_pegasus_http_server_packets',` dnl
dnl Lets the caller domain (arg 1) relabel packets to pegasus_http_server_packet_t.
dnl Labeling-control permission, not send/recv; intended for domains that manage
dnl packet labels rather than ordinary network clients or servers (review).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pegasus_http_server_packets'($*)) dnl
gen_require(`
type pegasus_http_server_packet_t;
')
allow $1 pegasus_http_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pegasus_http_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the pegasus_https port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_pegasus_https_port',` dnl
dnl Lets the caller domain (arg 1) send and receive TCP traffic on pegasus_https_port_t.
dnl gen_require inserts the require block for the port type in the calling module.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_pegasus_https_port'($*)) dnl
gen_require(`
type pegasus_https_port_t;
')
allow $1 pegasus_https_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_pegasus_https_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the pegasus_https port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_pegasus_https_port',` dnl
dnl Lets the caller domain (arg 1) send UDP traffic on pegasus_https_port_t (send_msg only).
dnl The receive direction is a separate interface; udp_sendrecv wraps both.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_pegasus_https_port'($*)) dnl
gen_require(`
type pegasus_https_port_t;
')
allow $1 pegasus_https_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_pegasus_https_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the pegasus_https port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_pegasus_https_port',` dnl
dnl Suppresses the audit record when the caller domain (arg 1) is denied UDP send_msg
dnl on pegasus_https_port_t. Grants nothing; the denial still happens, it is just not logged.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_pegasus_https_port'($*)) dnl
gen_require(`
type pegasus_https_port_t;
')
dontaudit $1 pegasus_https_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_pegasus_https_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the pegasus_https port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_pegasus_https_port',` dnl
dnl Lets the caller domain (arg 1) receive UDP traffic on pegasus_https_port_t (recv_msg only).
dnl Counterpart of corenet_udp_send_pegasus_https_port.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_pegasus_https_port'($*)) dnl
gen_require(`
type pegasus_https_port_t;
')
allow $1 pegasus_https_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_pegasus_https_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the pegasus_https port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_pegasus_https_port',` dnl
dnl Suppresses the audit record when the caller domain (arg 1) is denied UDP recv_msg
dnl on pegasus_https_port_t. Grants nothing.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_pegasus_https_port'($*)) dnl
gen_require(`
type pegasus_https_port_t;
')
dontaudit $1 pegasus_https_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_pegasus_https_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the pegasus_https port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_pegasus_https_port',` dnl
dnl Wrapper: gives the caller domain (arg 1) UDP send and receive on the pegasus_https port
dnl by calling the two single-direction interfaces; no rule of its own.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_pegasus_https_port'($*)) dnl
corenet_udp_send_pegasus_https_port($1)
corenet_udp_receive_pegasus_https_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_pegasus_https_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the pegasus_https port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_pegasus_https_port',` dnl
dnl Wrapper over the two UDP dontaudit interfaces for the caller domain (arg 1).
dnl Only silences denial logging on the pegasus_https port; it grants no access.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_pegasus_https_port'($*)) dnl
corenet_dontaudit_udp_send_pegasus_https_port($1)
corenet_dontaudit_udp_receive_pegasus_https_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_pegasus_https_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the pegasus_https port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_pegasus_https_port',` dnl
dnl Server side: lets the caller domain (arg 1) name_bind a TCP socket to pegasus_https_port_t.
dnl Clients use corenet_tcp_connect_pegasus_https_port instead; bind and connect are kept separate.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_pegasus_https_port'($*)) dnl
gen_require(`
type pegasus_https_port_t;
')
allow $1 pegasus_https_port_t:tcp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_pegasus_https_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the pegasus_https port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_pegasus_https_port',` dnl
dnl Server side: lets the caller domain (arg 1) name_bind a UDP socket to pegasus_https_port_t.
dnl Does not include send_msg or recv_msg on the port.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_pegasus_https_port'($*)) dnl
gen_require(`
type pegasus_https_port_t;
')
allow $1 pegasus_https_port_t:udp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_pegasus_https_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the pegasus_https port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_pegasus_https_port',` dnl
dnl Client side: lets the caller domain (arg 1) name_connect a TCP socket to pegasus_https_port_t.
dnl Does not grant name_bind; listening on the port needs corenet_tcp_bind_pegasus_https_port.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_pegasus_https_port'($*)) dnl
gen_require(`
type pegasus_https_port_t;
')
allow $1 pegasus_https_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_pegasus_https_port'($*)) dnl
')
########################################
##
## Send pegasus_https_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_pegasus_https_client_packets',` dnl
dnl Lets the caller domain (arg 1) send packets labeled pegasus_https_client_packet_t.
dnl Packet-class rule; independent of the port-type rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pegasus_https_client_packets'($*)) dnl
gen_require(`
type pegasus_https_client_packet_t;
')
allow $1 pegasus_https_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pegasus_https_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send pegasus_https_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_pegasus_https_client_packets',` dnl
dnl Suppresses the audit record when the caller domain (arg 1) is denied sending
dnl pegasus_https_client_packet_t packets. Grants nothing.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pegasus_https_client_packets'($*)) dnl
gen_require(`
type pegasus_https_client_packet_t;
')
dontaudit $1 pegasus_https_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pegasus_https_client_packets'($*)) dnl
')
########################################
##
## Receive pegasus_https_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_pegasus_https_client_packets',` dnl
dnl Lets the caller domain (arg 1) receive packets labeled pegasus_https_client_packet_t.
dnl Counterpart of corenet_send_pegasus_https_client_packets.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pegasus_https_client_packets'($*)) dnl
gen_require(`
type pegasus_https_client_packet_t;
')
allow $1 pegasus_https_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pegasus_https_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive pegasus_https_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_pegasus_https_client_packets',` dnl
dnl Suppresses the audit record when the caller domain (arg 1) is denied receiving
dnl pegasus_https_client_packet_t packets. This is a dontaudit rule: arg 1 is the domain
dnl whose denials are silenced, not a domain being granted access.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pegasus_https_client_packets'($*)) dnl
gen_require(`
type pegasus_https_client_packet_t;
')
dontaudit $1 pegasus_https_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pegasus_https_client_packets'($*)) dnl
')
########################################
##
## Send and receive pegasus_https_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_pegasus_https_client_packets',` dnl
dnl Wrapper: gives the caller domain (arg 1) send and recv on pegasus_https_client packets
dnl by calling the two single-direction interfaces; no rule of its own.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pegasus_https_client_packets'($*)) dnl
corenet_send_pegasus_https_client_packets($1)
corenet_receive_pegasus_https_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pegasus_https_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive pegasus_https_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_pegasus_https_client_packets',` dnl
dnl Wrapper over the two dontaudit packet interfaces for the caller domain (arg 1).
dnl Only silences denial logging for pegasus_https_client packets; it grants no access.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pegasus_https_client_packets'($*)) dnl
corenet_dontaudit_send_pegasus_https_client_packets($1)
corenet_dontaudit_receive_pegasus_https_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pegasus_https_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the pegasus_https_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_pegasus_https_client_packets',` dnl
dnl Lets the caller domain (arg 1) relabel packets to pegasus_https_client_packet_t.
dnl Labeling-control permission, not send/recv; intended for domains that manage
dnl packet labels rather than ordinary network clients or servers (review).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pegasus_https_client_packets'($*)) dnl
gen_require(`
type pegasus_https_client_packet_t;
')
allow $1 pegasus_https_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pegasus_https_client_packets'($*)) dnl
')
########################################
##
## Send pegasus_https_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_pegasus_https_server_packets',` dnl
dnl Lets the caller domain (arg 1) send packets labeled pegasus_https_server_packet_t.
dnl Packet-class rule; independent of the port-type rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pegasus_https_server_packets'($*)) dnl
gen_require(`
type pegasus_https_server_packet_t;
')
allow $1 pegasus_https_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pegasus_https_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send pegasus_https_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_pegasus_https_server_packets',` dnl
dnl Suppresses the audit record when the caller domain (arg 1) is denied sending
dnl pegasus_https_server_packet_t packets. Grants nothing.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pegasus_https_server_packets'($*)) dnl
gen_require(`
type pegasus_https_server_packet_t;
')
dontaudit $1 pegasus_https_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pegasus_https_server_packets'($*)) dnl
')
########################################
##
## Receive pegasus_https_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_pegasus_https_server_packets',` dnl
dnl Interface corenet_receive_pegasus_https_server_packets(domain):
dnl   arg 1 - domain granted permission recv on class packet for
dnl   pegasus_https_server_packet_t.
dnl policy_call_depth bookkeeping (pushdef on both increment and decrement)
dnl for the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pegasus_https_server_packets'($*)) dnl
gen_require(`
type pegasus_https_server_packet_t;
')
allow $1 pegasus_https_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pegasus_https_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive pegasus_https_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_pegasus_https_server_packets',` dnl
dnl Interface corenet_dontaudit_receive_pegasus_https_server_packets(domain):
dnl   arg 1 - domain whose denied recv attempts on
dnl   pegasus_https_server_packet_t (class packet) are not logged.
dnl   dontaudit suppresses the AVC denial record only; the access is still
dnl   denied unless granted by another rule.
dnl policy_call_depth bookkeeping (pushdef on both increment and decrement)
dnl for the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pegasus_https_server_packets'($*)) dnl
gen_require(`
type pegasus_https_server_packet_t;
')
dontaudit $1 pegasus_https_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pegasus_https_server_packets'($*)) dnl
')
########################################
##
## Send and receive pegasus_https_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_pegasus_https_server_packets',` dnl
dnl Interface corenet_sendrecv_pegasus_https_server_packets(domain):
dnl   arg 1 - domain; forwarded to the send and receive interfaces below,
dnl   which each carry their own gen_require for the packet type, so no
dnl   gen_require is needed here.
dnl policy_call_depth bookkeeping (pushdef on both increment and decrement)
dnl for the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pegasus_https_server_packets'($*)) dnl
corenet_send_pegasus_https_server_packets($1)
corenet_receive_pegasus_https_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pegasus_https_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive pegasus_https_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_pegasus_https_server_packets',` dnl
dnl Interface corenet_dontaudit_sendrecv_pegasus_https_server_packets(domain):
dnl   arg 1 - domain; forwarded to the two dontaudit interfaces below.
dnl   Only AVC logging is suppressed; no access is granted by this wrapper.
dnl policy_call_depth bookkeeping (pushdef on both increment and decrement)
dnl for the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pegasus_https_server_packets'($*)) dnl
corenet_dontaudit_send_pegasus_https_server_packets($1)
corenet_dontaudit_receive_pegasus_https_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pegasus_https_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the pegasus_https_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_pegasus_https_server_packets',` dnl
dnl Interface corenet_relabelto_pegasus_https_server_packets(domain):
dnl   arg 1 - domain granted permission relabelto on class packet for
dnl   pegasus_https_server_packet_t, i.e. it may assign this packet label.
dnl policy_call_depth bookkeeping (pushdef on both increment and decrement)
dnl for the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pegasus_https_server_packets'($*)) dnl
gen_require(`
type pegasus_https_server_packet_t;
')
allow $1 pegasus_https_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pegasus_https_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the pki_ca port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_pki_ca_port',` dnl
dnl Interface corenet_tcp_sendrecv_pki_ca_port(domain):
dnl   arg 1 - domain granted send_msg and recv_msg on class tcp_socket for
dnl   the port type pki_ca_port_t (both directions in a single rule).
dnl policy_call_depth bookkeeping (pushdef on both increment and decrement)
dnl for the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_pki_ca_port'($*)) dnl
gen_require(`
type pki_ca_port_t;
')
allow $1 pki_ca_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_pki_ca_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the pki_ca port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_pki_ca_port',` dnl
dnl Interface corenet_udp_send_pki_ca_port(domain):
dnl   arg 1 - domain granted send_msg on class udp_socket for the port type
dnl   pki_ca_port_t.
dnl policy_call_depth bookkeeping (pushdef on both increment and decrement)
dnl for the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_pki_ca_port'($*)) dnl
gen_require(`
type pki_ca_port_t;
')
allow $1 pki_ca_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_pki_ca_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the pki_ca port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_pki_ca_port',` dnl
dnl Interface corenet_dontaudit_udp_send_pki_ca_port(domain):
dnl   arg 1 - domain whose denied send_msg attempts on udp_socket for
dnl   pki_ca_port_t are not logged. dontaudit suppresses the AVC denial
dnl   record only; the access is still denied unless granted elsewhere.
dnl policy_call_depth bookkeeping (pushdef on both increment and decrement)
dnl for the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_pki_ca_port'($*)) dnl
gen_require(`
type pki_ca_port_t;
')
dontaudit $1 pki_ca_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_pki_ca_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the pki_ca port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_pki_ca_port',` dnl
dnl Interface corenet_udp_receive_pki_ca_port(domain):
dnl   arg 1 - domain granted recv_msg on class udp_socket for the port type
dnl   pki_ca_port_t.
dnl policy_call_depth bookkeeping (pushdef on both increment and decrement)
dnl for the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_pki_ca_port'($*)) dnl
gen_require(`
type pki_ca_port_t;
')
allow $1 pki_ca_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_pki_ca_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the pki_ca port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_pki_ca_port',` dnl
dnl Interface corenet_dontaudit_udp_receive_pki_ca_port(domain):
dnl   arg 1 - domain whose denied recv_msg attempts on udp_socket for
dnl   pki_ca_port_t are not logged. dontaudit suppresses the AVC denial
dnl   record only; the access is still denied unless granted elsewhere.
dnl policy_call_depth bookkeeping (pushdef on both increment and decrement)
dnl for the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_pki_ca_port'($*)) dnl
gen_require(`
type pki_ca_port_t;
')
dontaudit $1 pki_ca_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_pki_ca_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the pki_ca port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_pki_ca_port',` dnl
dnl Interface corenet_udp_sendrecv_pki_ca_port(domain):
dnl   arg 1 - domain; forwarded to the udp send and receive interfaces
dnl   below, which each carry their own gen_require for pki_ca_port_t.
dnl policy_call_depth bookkeeping (pushdef on both increment and decrement)
dnl for the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_pki_ca_port'($*)) dnl
corenet_udp_send_pki_ca_port($1)
corenet_udp_receive_pki_ca_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_pki_ca_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the pki_ca port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_pki_ca_port',` dnl
dnl Interface corenet_dontaudit_udp_sendrecv_pki_ca_port(domain):
dnl   arg 1 - domain; forwarded to the two udp dontaudit interfaces below.
dnl   Only AVC logging is suppressed; no access is granted by this wrapper.
dnl policy_call_depth bookkeeping (pushdef on both increment and decrement)
dnl for the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_pki_ca_port'($*)) dnl
corenet_dontaudit_udp_send_pki_ca_port($1)
corenet_dontaudit_udp_receive_pki_ca_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_pki_ca_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the pki_ca port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_pki_ca_port',` dnl
dnl Interface corenet_tcp_bind_pki_ca_port(domain):
dnl   arg 1 - domain granted name_bind on class tcp_socket for
dnl   pki_ca_port_t, i.e. it may bind a listening TCP socket to that port.
dnl policy_call_depth bookkeeping (pushdef on both increment and decrement)
dnl for the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_pki_ca_port'($*)) dnl
gen_require(`
type pki_ca_port_t;
')
allow $1 pki_ca_port_t:tcp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_pki_ca_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the pki_ca port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_pki_ca_port',` dnl
dnl Interface corenet_udp_bind_pki_ca_port(domain):
dnl   arg 1 - domain granted name_bind on class udp_socket for
dnl   pki_ca_port_t, i.e. it may bind a UDP socket to that port.
dnl policy_call_depth bookkeeping (pushdef on both increment and decrement)
dnl for the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_pki_ca_port'($*)) dnl
gen_require(`
type pki_ca_port_t;
')
allow $1 pki_ca_port_t:udp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_pki_ca_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the pki_ca port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_pki_ca_port',` dnl
dnl Interface corenet_tcp_connect_pki_ca_port(domain):
dnl   arg 1 - domain granted name_connect on class tcp_socket for
dnl   pki_ca_port_t, i.e. outbound TCP connections to that port. This is
dnl   the client-side counterpart of corenet_tcp_bind_pki_ca_port.
dnl policy_call_depth bookkeeping (pushdef on both increment and decrement)
dnl for the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_pki_ca_port'($*)) dnl
gen_require(`
type pki_ca_port_t;
')
allow $1 pki_ca_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_pki_ca_port'($*)) dnl
')
########################################
##
## Send pki_ca_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_pki_ca_client_packets',` dnl
dnl Interface corenet_send_pki_ca_client_packets(domain):
dnl   arg 1 - domain granted permission send on class packet for
dnl   pki_ca_client_packet_t.
dnl policy_call_depth bookkeeping (pushdef on both increment and decrement)
dnl for the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pki_ca_client_packets'($*)) dnl
gen_require(`
type pki_ca_client_packet_t;
')
allow $1 pki_ca_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pki_ca_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send pki_ca_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_pki_ca_client_packets',` dnl
dnl Interface corenet_dontaudit_send_pki_ca_client_packets(domain):
dnl   arg 1 - domain whose denied send attempts on pki_ca_client_packet_t
dnl   (class packet) are not logged. dontaudit suppresses the AVC denial
dnl   record only; the access is still denied unless granted elsewhere.
dnl policy_call_depth bookkeeping (pushdef on both increment and decrement)
dnl for the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pki_ca_client_packets'($*)) dnl
gen_require(`
type pki_ca_client_packet_t;
')
dontaudit $1 pki_ca_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pki_ca_client_packets'($*)) dnl
')
########################################
##
## Receive pki_ca_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_pki_ca_client_packets',` dnl
dnl Interface corenet_receive_pki_ca_client_packets(domain):
dnl   arg 1 - domain granted permission recv on class packet for
dnl   pki_ca_client_packet_t.
dnl policy_call_depth bookkeeping (pushdef on both increment and decrement)
dnl for the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pki_ca_client_packets'($*)) dnl
gen_require(`
type pki_ca_client_packet_t;
')
allow $1 pki_ca_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pki_ca_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive pki_ca_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_pki_ca_client_packets',` dnl
dnl Interface corenet_dontaudit_receive_pki_ca_client_packets(domain):
dnl   arg 1 - domain whose denied recv attempts on pki_ca_client_packet_t
dnl   (class packet) are not logged. dontaudit suppresses the AVC denial
dnl   record only; the access is still denied unless granted elsewhere.
dnl policy_call_depth bookkeeping (pushdef on both increment and decrement)
dnl for the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pki_ca_client_packets'($*)) dnl
gen_require(`
type pki_ca_client_packet_t;
')
dontaudit $1 pki_ca_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pki_ca_client_packets'($*)) dnl
')
########################################
##
## Send and receive pki_ca_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_pki_ca_client_packets',` dnl
dnl Interface corenet_sendrecv_pki_ca_client_packets(domain):
dnl   arg 1 - domain; forwarded to the send and receive interfaces below,
dnl   which each carry their own gen_require for pki_ca_client_packet_t.
dnl policy_call_depth bookkeeping (pushdef on both increment and decrement)
dnl for the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pki_ca_client_packets'($*)) dnl
corenet_send_pki_ca_client_packets($1)
corenet_receive_pki_ca_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pki_ca_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive pki_ca_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_pki_ca_client_packets',` dnl
dnl Interface corenet_dontaudit_sendrecv_pki_ca_client_packets(domain):
dnl   arg 1 - domain; forwarded to the two dontaudit interfaces below.
dnl   Only AVC logging is suppressed; no access is granted by this wrapper.
dnl policy_call_depth bookkeeping (pushdef on both increment and decrement)
dnl for the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pki_ca_client_packets'($*)) dnl
corenet_dontaudit_send_pki_ca_client_packets($1)
corenet_dontaudit_receive_pki_ca_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pki_ca_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the pki_ca_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_pki_ca_client_packets',` dnl
dnl Interface corenet_relabelto_pki_ca_client_packets(domain):
dnl   arg 1 - domain granted permission relabelto on class packet for
dnl   pki_ca_client_packet_t, i.e. it may assign this packet label.
dnl policy_call_depth bookkeeping (pushdef on both increment and decrement)
dnl for the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pki_ca_client_packets'($*)) dnl
gen_require(`
type pki_ca_client_packet_t;
')
allow $1 pki_ca_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pki_ca_client_packets'($*)) dnl
')
########################################
##
## Send pki_ca_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_pki_ca_server_packets',` dnl
dnl Interface corenet_send_pki_ca_server_packets(domain):
dnl   arg 1 - domain granted permission send on class packet for
dnl   pki_ca_server_packet_t.
dnl policy_call_depth bookkeeping (pushdef on both increment and decrement)
dnl for the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pki_ca_server_packets'($*)) dnl
gen_require(`
type pki_ca_server_packet_t;
')
allow $1 pki_ca_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pki_ca_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send pki_ca_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_pki_ca_server_packets',` dnl
dnl Interface corenet_dontaudit_send_pki_ca_server_packets(domain):
dnl   arg 1 - domain whose denied send attempts on pki_ca_server_packet_t
dnl   (class packet) are not logged. dontaudit suppresses the AVC denial
dnl   record only; the access is still denied unless granted elsewhere.
dnl policy_call_depth bookkeeping (pushdef on both increment and decrement)
dnl for the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pki_ca_server_packets'($*)) dnl
gen_require(`
type pki_ca_server_packet_t;
')
dontaudit $1 pki_ca_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pki_ca_server_packets'($*)) dnl
')
########################################
##
## Receive pki_ca_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_pki_ca_server_packets',` dnl
dnl Interface corenet_receive_pki_ca_server_packets(domain):
dnl   arg 1 - domain granted permission recv on class packet for
dnl   pki_ca_server_packet_t.
dnl policy_call_depth bookkeeping (pushdef on both increment and decrement)
dnl for the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pki_ca_server_packets'($*)) dnl
gen_require(`
type pki_ca_server_packet_t;
')
allow $1 pki_ca_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pki_ca_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive pki_ca_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_pki_ca_server_packets',` dnl
dnl Interface corenet_dontaudit_receive_pki_ca_server_packets(domain):
dnl   arg 1 - domain whose denied recv attempts on pki_ca_server_packet_t
dnl   (class packet) are not logged. dontaudit suppresses the AVC denial
dnl   record only; the access is still denied unless granted elsewhere.
dnl policy_call_depth bookkeeping (pushdef on both increment and decrement)
dnl for the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pki_ca_server_packets'($*)) dnl
gen_require(`
type pki_ca_server_packet_t;
')
dontaudit $1 pki_ca_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pki_ca_server_packets'($*)) dnl
')
########################################
##
## Send and receive pki_ca_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_pki_ca_server_packets',` dnl
dnl Interface corenet_sendrecv_pki_ca_server_packets(domain):
dnl   arg 1 - domain; forwarded to the send and receive interfaces below,
dnl   which each carry their own gen_require for pki_ca_server_packet_t.
dnl policy_call_depth bookkeeping (pushdef on both increment and decrement)
dnl for the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pki_ca_server_packets'($*)) dnl
corenet_send_pki_ca_server_packets($1)
corenet_receive_pki_ca_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pki_ca_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive pki_ca_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_pki_ca_server_packets',` dnl
dnl Interface corenet_dontaudit_sendrecv_pki_ca_server_packets(domain):
dnl   arg 1 - domain; forwarded to the two dontaudit interfaces below.
dnl   Only AVC logging is suppressed; no access is granted by this wrapper.
dnl policy_call_depth bookkeeping (pushdef on both increment and decrement)
dnl for the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pki_ca_server_packets'($*)) dnl
corenet_dontaudit_send_pki_ca_server_packets($1)
corenet_dontaudit_receive_pki_ca_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pki_ca_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the pki_ca_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_pki_ca_server_packets',` dnl
dnl Interface corenet_relabelto_pki_ca_server_packets(domain):
dnl   arg 1 - domain granted permission relabelto on class packet for
dnl   pki_ca_server_packet_t, i.e. it may assign this packet label.
dnl policy_call_depth bookkeeping (pushdef on both increment and decrement)
dnl for the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pki_ca_server_packets'($*)) dnl
gen_require(`
type pki_ca_server_packet_t;
')
allow $1 pki_ca_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pki_ca_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the pki_kra port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_pki_kra_port',` dnl
dnl Interface corenet_tcp_sendrecv_pki_kra_port(domain):
dnl   arg 1 - domain granted send_msg and recv_msg on class tcp_socket for
dnl   the port type pki_kra_port_t (both directions in a single rule).
dnl policy_call_depth bookkeeping (pushdef on both increment and decrement)
dnl for the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_pki_kra_port'($*)) dnl
gen_require(`
type pki_kra_port_t;
')
allow $1 pki_kra_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_pki_kra_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the pki_kra port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_pki_kra_port',` dnl
dnl Interface corenet_udp_send_pki_kra_port(domain):
dnl   arg 1 - domain granted send_msg on class udp_socket for the port type
dnl   pki_kra_port_t.
dnl policy_call_depth bookkeeping (pushdef on both increment and decrement)
dnl for the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_pki_kra_port'($*)) dnl
gen_require(`
type pki_kra_port_t;
')
allow $1 pki_kra_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_pki_kra_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the pki_kra port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_pki_kra_port',` dnl
dnl Interface corenet_dontaudit_udp_send_pki_kra_port(domain):
dnl   arg 1 - domain whose denied send_msg attempts on udp_socket for
dnl   pki_kra_port_t are not logged. dontaudit suppresses the AVC denial
dnl   record only; the access is still denied unless granted elsewhere.
dnl policy_call_depth bookkeeping (pushdef on both increment and decrement)
dnl for the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_pki_kra_port'($*)) dnl
gen_require(`
type pki_kra_port_t;
')
dontaudit $1 pki_kra_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_pki_kra_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the pki_kra port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_pki_kra_port',` dnl
dnl Interface corenet_udp_receive_pki_kra_port(domain):
dnl   arg 1 - domain granted recv_msg on class udp_socket for the port type
dnl   pki_kra_port_t.
dnl policy_call_depth bookkeeping (pushdef on both increment and decrement)
dnl for the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_pki_kra_port'($*)) dnl
gen_require(`
type pki_kra_port_t;
')
allow $1 pki_kra_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_pki_kra_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the pki_kra port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_pki_kra_port',` dnl
dnl Interface corenet_dontaudit_udp_receive_pki_kra_port(domain):
dnl   arg 1 - domain whose denied recv_msg attempts on udp_socket for
dnl   pki_kra_port_t are not logged. dontaudit suppresses the AVC denial
dnl   record only; the access is still denied unless granted elsewhere.
dnl policy_call_depth bookkeeping (pushdef on both increment and decrement)
dnl for the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_pki_kra_port'($*)) dnl
gen_require(`
type pki_kra_port_t;
')
dontaudit $1 pki_kra_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_pki_kra_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the pki_kra port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_pki_kra_port',` dnl
dnl Interface corenet_udp_sendrecv_pki_kra_port(domain):
dnl   arg 1 - domain; forwarded to the udp send and receive interfaces
dnl   below, which each carry their own gen_require for pki_kra_port_t.
dnl policy_call_depth bookkeeping (pushdef on both increment and decrement)
dnl for the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_pki_kra_port'($*)) dnl
corenet_udp_send_pki_kra_port($1)
corenet_udp_receive_pki_kra_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_pki_kra_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the pki_kra port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_pki_kra_port',` dnl
dnl Interface corenet_dontaudit_udp_sendrecv_pki_kra_port(domain):
dnl   arg 1 - domain; forwarded to the two udp dontaudit interfaces below.
dnl   Only AVC logging is suppressed; no access is granted by this wrapper.
dnl policy_call_depth bookkeeping (pushdef on both increment and decrement)
dnl for the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_pki_kra_port'($*)) dnl
corenet_dontaudit_udp_send_pki_kra_port($1)
corenet_dontaudit_udp_receive_pki_kra_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_pki_kra_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the pki_kra port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_pki_kra_port',` dnl
dnl Interface corenet_tcp_bind_pki_kra_port(domain):
dnl   arg 1 - domain granted name_bind on class tcp_socket for
dnl   pki_kra_port_t, i.e. it may bind a listening TCP socket to that port.
dnl policy_call_depth bookkeeping (pushdef on both increment and decrement)
dnl for the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_pki_kra_port'($*)) dnl
gen_require(`
type pki_kra_port_t;
')
allow $1 pki_kra_port_t:tcp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_pki_kra_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the pki_kra port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_pki_kra_port',` dnl
dnl Interface corenet_udp_bind_pki_kra_port(domain):
dnl   arg 1 - domain granted name_bind on class udp_socket for
dnl   pki_kra_port_t, i.e. it may bind a UDP socket to that port.
dnl policy_call_depth bookkeeping (pushdef on both increment and decrement)
dnl for the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_pki_kra_port'($*)) dnl
gen_require(`
type pki_kra_port_t;
')
allow $1 pki_kra_port_t:udp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_pki_kra_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the pki_kra port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_pki_kra_port',` dnl
dnl Interface corenet_tcp_connect_pki_kra_port(domain):
dnl   arg 1 - domain granted name_connect on class tcp_socket for
dnl   pki_kra_port_t, i.e. outbound TCP connections to that port. This is
dnl   the client-side counterpart of corenet_tcp_bind_pki_kra_port.
dnl policy_call_depth bookkeeping (pushdef on both increment and decrement)
dnl for the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_pki_kra_port'($*)) dnl
gen_require(`
type pki_kra_port_t;
')
allow $1 pki_kra_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_pki_kra_port'($*)) dnl
')
########################################
##
## Send pki_kra_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_pki_kra_client_packets',` dnl
dnl Interface corenet_send_pki_kra_client_packets(domain):
dnl   arg 1 - domain granted permission send on class packet for
dnl   pki_kra_client_packet_t.
dnl policy_call_depth bookkeeping (pushdef on both increment and decrement)
dnl for the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pki_kra_client_packets'($*)) dnl
gen_require(`
type pki_kra_client_packet_t;
')
allow $1 pki_kra_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pki_kra_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send pki_kra_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_pki_kra_client_packets',` dnl
dnl Interface corenet_dontaudit_send_pki_kra_client_packets(domain):
dnl   arg 1 - domain whose denied send attempts on pki_kra_client_packet_t
dnl   (class packet) are not logged. dontaudit suppresses the AVC denial
dnl   record only; the access is still denied unless granted elsewhere.
dnl policy_call_depth bookkeeping (pushdef on both increment and decrement)
dnl for the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pki_kra_client_packets'($*)) dnl
gen_require(`
type pki_kra_client_packet_t;
')
dontaudit $1 pki_kra_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pki_kra_client_packets'($*)) dnl
')
########################################
##
## Receive pki_kra_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_pki_kra_client_packets',` dnl
dnl Interface corenet_receive_pki_kra_client_packets(domain):
dnl   arg 1 - domain granted permission recv on class packet for
dnl   pki_kra_client_packet_t.
dnl policy_call_depth bookkeeping (pushdef on both increment and decrement)
dnl for the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pki_kra_client_packets'($*)) dnl
gen_require(`
type pki_kra_client_packet_t;
')
allow $1 pki_kra_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pki_kra_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive pki_kra_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_pki_kra_client_packets',` dnl
dnl Interface corenet_dontaudit_receive_pki_kra_client_packets(domain):
dnl   arg 1 - domain whose denied recv attempts on pki_kra_client_packet_t
dnl   (class packet) are not logged. dontaudit suppresses the AVC denial
dnl   record only; the access is still denied unless granted elsewhere.
dnl policy_call_depth bookkeeping (pushdef on both increment and decrement)
dnl for the begin/end markers written by policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pki_kra_client_packets'($*)) dnl
gen_require(`
type pki_kra_client_packet_t;
')
dontaudit $1 pki_kra_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pki_kra_client_packets'($*)) dnl
')
########################################
##
## Send and receive pki_kra_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_pki_kra_client_packets',` dnl
dnl corenet_sendrecv_pki_kra_client_packets(domain)
dnl Composite of the send and receive interfaces for pki_kra_client_packet_t;
dnl each nested call emits its own gen_require and begin/end markers.
dnl The incr/pushdef and decr/pushdef pairs track the nesting depth passed
dnl to policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pki_kra_client_packets'($*)) dnl
corenet_send_pki_kra_client_packets($1)
corenet_receive_pki_kra_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pki_kra_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive pki_kra_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_pki_kra_client_packets',` dnl
dnl corenet_dontaudit_sendrecv_pki_kra_client_packets(domain)
dnl Composite of the dontaudit send and receive interfaces for
dnl pki_kra_client_packet_t; grants no access, only silences denials.
dnl The incr/pushdef and decr/pushdef pairs track the nesting depth passed
dnl to policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pki_kra_client_packets'($*)) dnl
corenet_dontaudit_send_pki_kra_client_packets($1)
corenet_dontaudit_receive_pki_kra_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pki_kra_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the pki_kra_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_pki_kra_client_packets',` dnl
dnl corenet_relabelto_pki_kra_client_packets(domain)
dnl Allows $1 to relabel packets to the pki_kra_client_packet_t type.
dnl The incr/pushdef and decr/pushdef pairs track the nesting depth passed
dnl to policy_m4_comment for the begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pki_kra_client_packets'($*)) dnl
dnl gen_require optionally emits a require block for the referenced type.
gen_require(`
type pki_kra_client_packet_t;
')
allow $1 pki_kra_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pki_kra_client_packets'($*)) dnl
')
########################################
##
## Send pki_kra_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_pki_kra_server_packets',` dnl
dnl corenet_send_pki_kra_server_packets(domain)
dnl Allows $1 to send packets labeled pki_kra_server_packet_t.
dnl The incr/pushdef and decr/pushdef pairs track the nesting depth passed
dnl to policy_m4_comment for the begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pki_kra_server_packets'($*)) dnl
dnl gen_require optionally emits a require block for the referenced type.
gen_require(`
type pki_kra_server_packet_t;
')
allow $1 pki_kra_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pki_kra_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send pki_kra_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_pki_kra_server_packets',` dnl
dnl corenet_dontaudit_send_pki_kra_server_packets(domain)
dnl Suppresses audit records for denied attempts by $1 to send packets
dnl labeled pki_kra_server_packet_t; grants no access. Denials hidden this
dnl way will not show up in the audit log during an investigation.
dnl The incr/pushdef and decr/pushdef pairs track the nesting depth passed
dnl to policy_m4_comment for the begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pki_kra_server_packets'($*)) dnl
dnl gen_require optionally emits a require block for the referenced type.
gen_require(`
type pki_kra_server_packet_t;
')
dontaudit $1 pki_kra_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pki_kra_server_packets'($*)) dnl
')
########################################
##
## Receive pki_kra_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_pki_kra_server_packets',` dnl
dnl corenet_receive_pki_kra_server_packets(domain)
dnl Allows $1 to receive packets labeled pki_kra_server_packet_t.
dnl The incr/pushdef and decr/pushdef pairs track the nesting depth passed
dnl to policy_m4_comment for the begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pki_kra_server_packets'($*)) dnl
dnl gen_require optionally emits a require block for the referenced type.
gen_require(`
type pki_kra_server_packet_t;
')
allow $1 pki_kra_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pki_kra_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive pki_kra_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_pki_kra_server_packets',` dnl
dnl corenet_dontaudit_receive_pki_kra_server_packets(domain)
dnl Suppresses audit records for denied attempts by $1 to receive packets
dnl labeled pki_kra_server_packet_t; grants no access. Denials hidden this
dnl way will not show up in the audit log during an investigation.
dnl The incr/pushdef and decr/pushdef pairs track the nesting depth passed
dnl to policy_m4_comment for the begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pki_kra_server_packets'($*)) dnl
dnl gen_require optionally emits a require block for the referenced type.
gen_require(`
type pki_kra_server_packet_t;
')
dontaudit $1 pki_kra_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pki_kra_server_packets'($*)) dnl
')
########################################
##
## Send and receive pki_kra_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_pki_kra_server_packets',` dnl
dnl corenet_sendrecv_pki_kra_server_packets(domain)
dnl Composite of the send and receive interfaces for pki_kra_server_packet_t;
dnl each nested call emits its own gen_require and begin/end markers.
dnl The incr/pushdef and decr/pushdef pairs track the nesting depth passed
dnl to policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pki_kra_server_packets'($*)) dnl
corenet_send_pki_kra_server_packets($1)
corenet_receive_pki_kra_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pki_kra_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive pki_kra_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_pki_kra_server_packets',` dnl
dnl corenet_dontaudit_sendrecv_pki_kra_server_packets(domain)
dnl Composite of the dontaudit send and receive interfaces for
dnl pki_kra_server_packet_t; grants no access, only silences denials.
dnl The incr/pushdef and decr/pushdef pairs track the nesting depth passed
dnl to policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pki_kra_server_packets'($*)) dnl
corenet_dontaudit_send_pki_kra_server_packets($1)
corenet_dontaudit_receive_pki_kra_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pki_kra_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the pki_kra_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_pki_kra_server_packets',` dnl
dnl corenet_relabelto_pki_kra_server_packets(domain)
dnl Allows $1 to relabel packets to the pki_kra_server_packet_t type.
dnl The incr/pushdef and decr/pushdef pairs track the nesting depth passed
dnl to policy_m4_comment for the begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pki_kra_server_packets'($*)) dnl
dnl gen_require optionally emits a require block for the referenced type.
gen_require(`
type pki_kra_server_packet_t;
')
allow $1 pki_kra_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pki_kra_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the pki_ocsp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_pki_ocsp_port',` dnl
dnl corenet_tcp_sendrecv_pki_ocsp_port(domain)
dnl Allows $1 the send_msg and recv_msg tcp_socket permissions against
dnl pki_ocsp_port_t. Does not by itself allow bind or connect.
dnl The incr/pushdef and decr/pushdef pairs track the nesting depth passed
dnl to policy_m4_comment for the begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_pki_ocsp_port'($*)) dnl
dnl gen_require optionally emits a require block for the referenced type.
gen_require(`
type pki_ocsp_port_t;
')
allow $1 pki_ocsp_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_pki_ocsp_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the pki_ocsp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_pki_ocsp_port',` dnl
dnl corenet_udp_send_pki_ocsp_port(domain)
dnl Allows $1 the send_msg udp_socket permission against pki_ocsp_port_t.
dnl The incr/pushdef and decr/pushdef pairs track the nesting depth passed
dnl to policy_m4_comment for the begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_pki_ocsp_port'($*)) dnl
dnl gen_require optionally emits a require block for the referenced type.
gen_require(`
type pki_ocsp_port_t;
')
allow $1 pki_ocsp_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_pki_ocsp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the pki_ocsp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_pki_ocsp_port',` dnl
dnl corenet_dontaudit_udp_send_pki_ocsp_port(domain)
dnl Suppresses audit records for denied send_msg attempts by $1 on UDP
dnl sockets against pki_ocsp_port_t; grants no access. Denials hidden this
dnl way will not show up in the audit log during an investigation.
dnl The incr/pushdef and decr/pushdef pairs track the nesting depth passed
dnl to policy_m4_comment for the begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_pki_ocsp_port'($*)) dnl
dnl gen_require optionally emits a require block for the referenced type.
gen_require(`
type pki_ocsp_port_t;
')
dontaudit $1 pki_ocsp_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_pki_ocsp_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the pki_ocsp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_pki_ocsp_port',` dnl
dnl corenet_udp_receive_pki_ocsp_port(domain)
dnl Allows $1 the recv_msg udp_socket permission against pki_ocsp_port_t.
dnl The incr/pushdef and decr/pushdef pairs track the nesting depth passed
dnl to policy_m4_comment for the begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_pki_ocsp_port'($*)) dnl
dnl gen_require optionally emits a require block for the referenced type.
gen_require(`
type pki_ocsp_port_t;
')
allow $1 pki_ocsp_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_pki_ocsp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the pki_ocsp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_pki_ocsp_port',` dnl
dnl corenet_dontaudit_udp_receive_pki_ocsp_port(domain)
dnl Suppresses audit records for denied recv_msg attempts by $1 on UDP
dnl sockets against pki_ocsp_port_t; grants no access. Denials hidden this
dnl way will not show up in the audit log during an investigation.
dnl The incr/pushdef and decr/pushdef pairs track the nesting depth passed
dnl to policy_m4_comment for the begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_pki_ocsp_port'($*)) dnl
dnl gen_require optionally emits a require block for the referenced type.
gen_require(`
type pki_ocsp_port_t;
')
dontaudit $1 pki_ocsp_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_pki_ocsp_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the pki_ocsp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_pki_ocsp_port',` dnl
dnl corenet_udp_sendrecv_pki_ocsp_port(domain)
dnl Composite of the UDP send and receive interfaces for pki_ocsp_port_t;
dnl each nested call emits its own gen_require and begin/end markers.
dnl The incr/pushdef and decr/pushdef pairs track the nesting depth passed
dnl to policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_pki_ocsp_port'($*)) dnl
corenet_udp_send_pki_ocsp_port($1)
corenet_udp_receive_pki_ocsp_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_pki_ocsp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the pki_ocsp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_pki_ocsp_port',` dnl
dnl corenet_dontaudit_udp_sendrecv_pki_ocsp_port(domain)
dnl Composite of the dontaudit UDP send and receive interfaces for
dnl pki_ocsp_port_t; grants no access, only silences denials.
dnl The incr/pushdef and decr/pushdef pairs track the nesting depth passed
dnl to policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_pki_ocsp_port'($*)) dnl
corenet_dontaudit_udp_send_pki_ocsp_port($1)
corenet_dontaudit_udp_receive_pki_ocsp_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_pki_ocsp_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the pki_ocsp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_pki_ocsp_port',` dnl
dnl corenet_tcp_bind_pki_ocsp_port(domain)
dnl Allows $1 the name_bind tcp_socket permission against pki_ocsp_port_t,
dnl i.e. to bind a TCP socket to that port type (server side).
dnl The incr/pushdef and decr/pushdef pairs track the nesting depth passed
dnl to policy_m4_comment for the begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_pki_ocsp_port'($*)) dnl
dnl gen_require optionally emits a require block for the referenced type.
gen_require(`
type pki_ocsp_port_t;
')
allow $1 pki_ocsp_port_t:tcp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_pki_ocsp_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the pki_ocsp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_pki_ocsp_port',` dnl
dnl corenet_udp_bind_pki_ocsp_port(domain)
dnl Allows $1 the name_bind udp_socket permission against pki_ocsp_port_t,
dnl i.e. to bind a UDP socket to that port type.
dnl The incr/pushdef and decr/pushdef pairs track the nesting depth passed
dnl to policy_m4_comment for the begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_pki_ocsp_port'($*)) dnl
dnl gen_require optionally emits a require block for the referenced type.
gen_require(`
type pki_ocsp_port_t;
')
allow $1 pki_ocsp_port_t:udp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_pki_ocsp_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the pki_ocsp port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_pki_ocsp_port',` dnl
dnl corenet_tcp_connect_pki_ocsp_port(domain)
dnl Allows $1 the name_connect tcp_socket permission against pki_ocsp_port_t,
dnl i.e. to make outbound TCP connections to that port type (client side).
dnl The incr/pushdef and decr/pushdef pairs track the nesting depth passed
dnl to policy_m4_comment for the begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_pki_ocsp_port'($*)) dnl
dnl gen_require optionally emits a require block for the referenced type.
gen_require(`
type pki_ocsp_port_t;
')
allow $1 pki_ocsp_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_pki_ocsp_port'($*)) dnl
')
########################################
##
## Send pki_ocsp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_pki_ocsp_client_packets',` dnl
dnl corenet_send_pki_ocsp_client_packets(domain)
dnl Allows $1 to send packets labeled pki_ocsp_client_packet_t.
dnl The incr/pushdef and decr/pushdef pairs track the nesting depth passed
dnl to policy_m4_comment for the begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pki_ocsp_client_packets'($*)) dnl
dnl gen_require optionally emits a require block for the referenced type.
gen_require(`
type pki_ocsp_client_packet_t;
')
allow $1 pki_ocsp_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pki_ocsp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send pki_ocsp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_pki_ocsp_client_packets',` dnl
dnl corenet_dontaudit_send_pki_ocsp_client_packets(domain)
dnl Suppresses audit records for denied attempts by $1 to send packets
dnl labeled pki_ocsp_client_packet_t; grants no access. Denials hidden this
dnl way will not show up in the audit log during an investigation.
dnl The incr/pushdef and decr/pushdef pairs track the nesting depth passed
dnl to policy_m4_comment for the begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pki_ocsp_client_packets'($*)) dnl
dnl gen_require optionally emits a require block for the referenced type.
gen_require(`
type pki_ocsp_client_packet_t;
')
dontaudit $1 pki_ocsp_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pki_ocsp_client_packets'($*)) dnl
')
########################################
##
## Receive pki_ocsp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_pki_ocsp_client_packets',` dnl
dnl corenet_receive_pki_ocsp_client_packets(domain)
dnl Allows $1 to receive packets labeled pki_ocsp_client_packet_t.
dnl The incr/pushdef and decr/pushdef pairs track the nesting depth passed
dnl to policy_m4_comment for the begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pki_ocsp_client_packets'($*)) dnl
dnl gen_require optionally emits a require block for the referenced type.
gen_require(`
type pki_ocsp_client_packet_t;
')
allow $1 pki_ocsp_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pki_ocsp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive pki_ocsp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_pki_ocsp_client_packets',` dnl
dnl corenet_dontaudit_receive_pki_ocsp_client_packets(domain)
dnl Suppresses audit records for denied attempts by $1 to receive packets
dnl labeled pki_ocsp_client_packet_t; grants no access. Denials hidden this
dnl way will not show up in the audit log during an investigation.
dnl The incr/pushdef and decr/pushdef pairs track the nesting depth passed
dnl to policy_m4_comment for the begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pki_ocsp_client_packets'($*)) dnl
dnl gen_require optionally emits a require block for the referenced type.
gen_require(`
type pki_ocsp_client_packet_t;
')
dontaudit $1 pki_ocsp_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pki_ocsp_client_packets'($*)) dnl
')
########################################
##
## Send and receive pki_ocsp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_pki_ocsp_client_packets',` dnl
dnl corenet_sendrecv_pki_ocsp_client_packets(domain)
dnl Composite of the send and receive interfaces for pki_ocsp_client_packet_t;
dnl each nested call emits its own gen_require and begin/end markers.
dnl The incr/pushdef and decr/pushdef pairs track the nesting depth passed
dnl to policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pki_ocsp_client_packets'($*)) dnl
corenet_send_pki_ocsp_client_packets($1)
corenet_receive_pki_ocsp_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pki_ocsp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive pki_ocsp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_pki_ocsp_client_packets',` dnl
dnl corenet_dontaudit_sendrecv_pki_ocsp_client_packets(domain)
dnl Composite of the dontaudit send and receive interfaces for
dnl pki_ocsp_client_packet_t; grants no access, only silences denials.
dnl The incr/pushdef and decr/pushdef pairs track the nesting depth passed
dnl to policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pki_ocsp_client_packets'($*)) dnl
corenet_dontaudit_send_pki_ocsp_client_packets($1)
corenet_dontaudit_receive_pki_ocsp_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pki_ocsp_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the pki_ocsp_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_pki_ocsp_client_packets',` dnl
dnl corenet_relabelto_pki_ocsp_client_packets(domain)
dnl Allows $1 to relabel packets to the pki_ocsp_client_packet_t type.
dnl The incr/pushdef and decr/pushdef pairs track the nesting depth passed
dnl to policy_m4_comment for the begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pki_ocsp_client_packets'($*)) dnl
dnl gen_require optionally emits a require block for the referenced type.
gen_require(`
type pki_ocsp_client_packet_t;
')
allow $1 pki_ocsp_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pki_ocsp_client_packets'($*)) dnl
')
########################################
##
## Send pki_ocsp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_pki_ocsp_server_packets',` dnl
dnl corenet_send_pki_ocsp_server_packets(domain)
dnl Allows $1 to send packets labeled pki_ocsp_server_packet_t.
dnl The incr/pushdef and decr/pushdef pairs track the nesting depth passed
dnl to policy_m4_comment for the begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pki_ocsp_server_packets'($*)) dnl
dnl gen_require optionally emits a require block for the referenced type.
gen_require(`
type pki_ocsp_server_packet_t;
')
allow $1 pki_ocsp_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pki_ocsp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send pki_ocsp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_pki_ocsp_server_packets',` dnl
dnl corenet_dontaudit_send_pki_ocsp_server_packets(domain)
dnl Suppresses audit records for denied attempts by $1 to send packets
dnl labeled pki_ocsp_server_packet_t; grants no access. Denials hidden this
dnl way will not show up in the audit log during an investigation.
dnl The incr/pushdef and decr/pushdef pairs track the nesting depth passed
dnl to policy_m4_comment for the begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pki_ocsp_server_packets'($*)) dnl
dnl gen_require optionally emits a require block for the referenced type.
gen_require(`
type pki_ocsp_server_packet_t;
')
dontaudit $1 pki_ocsp_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pki_ocsp_server_packets'($*)) dnl
')
########################################
##
## Receive pki_ocsp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_pki_ocsp_server_packets',` dnl
dnl corenet_receive_pki_ocsp_server_packets(domain)
dnl Allows $1 to receive packets labeled pki_ocsp_server_packet_t.
dnl The incr/pushdef and decr/pushdef pairs track the nesting depth passed
dnl to policy_m4_comment for the begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pki_ocsp_server_packets'($*)) dnl
dnl gen_require optionally emits a require block for the referenced type.
gen_require(`
type pki_ocsp_server_packet_t;
')
allow $1 pki_ocsp_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pki_ocsp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive pki_ocsp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_pki_ocsp_server_packets',` dnl
dnl corenet_dontaudit_receive_pki_ocsp_server_packets(domain)
dnl Suppresses audit records for denied attempts by $1 to receive packets
dnl labeled pki_ocsp_server_packet_t; grants no access. Denials hidden this
dnl way will not show up in the audit log during an investigation.
dnl The incr/pushdef and decr/pushdef pairs track the nesting depth passed
dnl to policy_m4_comment for the begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pki_ocsp_server_packets'($*)) dnl
dnl gen_require optionally emits a require block for the referenced type.
gen_require(`
type pki_ocsp_server_packet_t;
')
dontaudit $1 pki_ocsp_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pki_ocsp_server_packets'($*)) dnl
')
########################################
##
## Send and receive pki_ocsp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_pki_ocsp_server_packets',` dnl
dnl corenet_sendrecv_pki_ocsp_server_packets(domain)
dnl Composite of the send and receive interfaces for pki_ocsp_server_packet_t;
dnl each nested call emits its own gen_require and begin/end markers.
dnl The incr/pushdef and decr/pushdef pairs track the nesting depth passed
dnl to policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pki_ocsp_server_packets'($*)) dnl
corenet_send_pki_ocsp_server_packets($1)
corenet_receive_pki_ocsp_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pki_ocsp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive pki_ocsp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_pki_ocsp_server_packets',` dnl
dnl corenet_dontaudit_sendrecv_pki_ocsp_server_packets(domain)
dnl Composite of the dontaudit send and receive interfaces for
dnl pki_ocsp_server_packet_t; grants no access, only silences denials.
dnl The incr/pushdef and decr/pushdef pairs track the nesting depth passed
dnl to policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pki_ocsp_server_packets'($*)) dnl
corenet_dontaudit_send_pki_ocsp_server_packets($1)
corenet_dontaudit_receive_pki_ocsp_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pki_ocsp_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the pki_ocsp_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_pki_ocsp_server_packets',` dnl
dnl corenet_relabelto_pki_ocsp_server_packets(domain)
dnl Allows $1 to relabel packets to the pki_ocsp_server_packet_t type.
dnl The incr/pushdef and decr/pushdef pairs track the nesting depth passed
dnl to policy_m4_comment for the begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pki_ocsp_server_packets'($*)) dnl
dnl gen_require optionally emits a require block for the referenced type.
gen_require(`
type pki_ocsp_server_packet_t;
')
allow $1 pki_ocsp_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pki_ocsp_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the pki_tks port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_pki_tks_port',` dnl
dnl corenet_tcp_sendrecv_pki_tks_port(domain)
dnl Allows $1 the send_msg and recv_msg tcp_socket permissions against
dnl pki_tks_port_t. Does not by itself allow bind or connect.
dnl The incr/pushdef and decr/pushdef pairs track the nesting depth passed
dnl to policy_m4_comment for the begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_pki_tks_port'($*)) dnl
dnl gen_require optionally emits a require block for the referenced type.
gen_require(`
type pki_tks_port_t;
')
allow $1 pki_tks_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_pki_tks_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the pki_tks port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_pki_tks_port',` dnl
dnl corenet_udp_send_pki_tks_port(domain)
dnl Allows $1 the send_msg udp_socket permission against pki_tks_port_t.
dnl The incr/pushdef and decr/pushdef pairs track the nesting depth passed
dnl to policy_m4_comment for the begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_pki_tks_port'($*)) dnl
dnl gen_require optionally emits a require block for the referenced type.
gen_require(`
type pki_tks_port_t;
')
allow $1 pki_tks_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_pki_tks_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the pki_tks port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_pki_tks_port',` dnl
dnl corenet_dontaudit_udp_send_pki_tks_port(domain)
dnl Suppresses audit records for denied send_msg attempts by $1 on UDP
dnl sockets against pki_tks_port_t; grants no access. Denials hidden this
dnl way will not show up in the audit log during an investigation.
dnl The incr/pushdef and decr/pushdef pairs track the nesting depth passed
dnl to policy_m4_comment for the begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_pki_tks_port'($*)) dnl
dnl gen_require optionally emits a require block for the referenced type.
gen_require(`
type pki_tks_port_t;
')
dontaudit $1 pki_tks_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_pki_tks_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the pki_tks port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_pki_tks_port',` dnl
dnl corenet_udp_receive_pki_tks_port(domain)
dnl Allows $1 the recv_msg udp_socket permission against pki_tks_port_t.
dnl The incr/pushdef and decr/pushdef pairs track the nesting depth passed
dnl to policy_m4_comment for the begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_pki_tks_port'($*)) dnl
dnl gen_require optionally emits a require block for the referenced type.
gen_require(`
type pki_tks_port_t;
')
allow $1 pki_tks_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_pki_tks_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the pki_tks port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_pki_tks_port',` dnl
dnl corenet_dontaudit_udp_receive_pki_tks_port(domain)
dnl Suppresses audit records for denied recv_msg attempts by $1 on UDP
dnl sockets against pki_tks_port_t; grants no access. Denials hidden this
dnl way will not show up in the audit log during an investigation.
dnl The incr/pushdef and decr/pushdef pairs track the nesting depth passed
dnl to policy_m4_comment for the begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_pki_tks_port'($*)) dnl
dnl gen_require optionally emits a require block for the referenced type.
gen_require(`
type pki_tks_port_t;
')
dontaudit $1 pki_tks_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_pki_tks_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the pki_tks port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_pki_tks_port',` dnl
dnl corenet_udp_sendrecv_pki_tks_port(domain)
dnl Composite of the UDP send and receive interfaces for pki_tks_port_t;
dnl each nested call emits its own gen_require and begin/end markers.
dnl The incr/pushdef and decr/pushdef pairs track the nesting depth passed
dnl to policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_pki_tks_port'($*)) dnl
corenet_udp_send_pki_tks_port($1)
corenet_udp_receive_pki_tks_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_pki_tks_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the pki_tks port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_pki_tks_port',` dnl
dnl corenet_dontaudit_udp_sendrecv_pki_tks_port(domain)
dnl Composite of the dontaudit UDP send and receive interfaces for
dnl pki_tks_port_t; grants no access, only silences denials.
dnl The incr/pushdef and decr/pushdef pairs track the nesting depth passed
dnl to policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_pki_tks_port'($*)) dnl
corenet_dontaudit_udp_send_pki_tks_port($1)
corenet_dontaudit_udp_receive_pki_tks_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_pki_tks_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the pki_tks port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_pki_tks_port',` dnl
dnl corenet_tcp_bind_pki_tks_port(domain)
dnl Allows $1 the name_bind tcp_socket permission against pki_tks_port_t,
dnl i.e. to bind a TCP socket to that port type (server side).
dnl The incr/pushdef and decr/pushdef pairs track the nesting depth passed
dnl to policy_m4_comment for the begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_pki_tks_port'($*)) dnl
dnl gen_require optionally emits a require block for the referenced type.
gen_require(`
type pki_tks_port_t;
')
allow $1 pki_tks_port_t:tcp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_pki_tks_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the pki_tks port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_pki_tks_port',` dnl
dnl corenet_udp_bind_pki_tks_port(domain)
dnl Allows $1 the name_bind udp_socket permission against pki_tks_port_t,
dnl i.e. to bind a UDP socket to that port type.
dnl The incr/pushdef and decr/pushdef pairs track the nesting depth passed
dnl to policy_m4_comment for the begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_pki_tks_port'($*)) dnl
dnl gen_require optionally emits a require block for the referenced type.
gen_require(`
type pki_tks_port_t;
')
allow $1 pki_tks_port_t:udp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_pki_tks_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the pki_tks port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_pki_tks_port',` dnl
dnl corenet_tcp_connect_pki_tks_port(domain)
dnl Allows $1 the name_connect tcp_socket permission against pki_tks_port_t,
dnl i.e. to make outbound TCP connections to that port type (client side).
dnl The incr/pushdef and decr/pushdef pairs track the nesting depth passed
dnl to policy_m4_comment for the begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_pki_tks_port'($*)) dnl
dnl gen_require optionally emits a require block for the referenced type.
gen_require(`
type pki_tks_port_t;
')
allow $1 pki_tks_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_pki_tks_port'($*)) dnl
')
########################################
##
## Send pki_tks_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_pki_tks_client_packets',` dnl
dnl corenet_send_pki_tks_client_packets(domain)
dnl   Lets $1 send packets labeled pki_tks_client_packet_t (packet send).
dnl   This is the packet object class, separate from the tcp_socket and
dnl   udp_socket port rules, so it complements rather than replaces them.
dnl   The define/pushdef/undefine triples only maintain policy_call_depth
dnl   for the begin/end trace comments and emit no policy text.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pki_tks_client_packets'($*)) dnl
gen_require(`
type pki_tks_client_packet_t;
')
allow $1 pki_tks_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pki_tks_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send pki_tks_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_pki_tks_client_packets',` dnl
dnl corenet_dontaudit_send_pki_tks_client_packets(domain)
dnl   Silences AVC denials when $1 is refused packet send on
dnl   pki_tks_client_packet_t. dontaudit grants no access; it only
dnl   removes the audit record, so use it for known-benign noise.
dnl   The define/pushdef/undefine triples only maintain policy_call_depth
dnl   for the begin/end trace comments and emit no policy text.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pki_tks_client_packets'($*)) dnl
gen_require(`
type pki_tks_client_packet_t;
')
dontaudit $1 pki_tks_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pki_tks_client_packets'($*)) dnl
')
########################################
##
## Receive pki_tks_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_pki_tks_client_packets',` dnl
dnl corenet_receive_pki_tks_client_packets(domain)
dnl   Lets $1 receive packets labeled pki_tks_client_packet_t (packet recv).
dnl   Packet-class rule only; port-level send_msg/recv_msg is separate.
dnl   The define/pushdef/undefine triples only maintain policy_call_depth
dnl   for the begin/end trace comments and emit no policy text.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pki_tks_client_packets'($*)) dnl
gen_require(`
type pki_tks_client_packet_t;
')
allow $1 pki_tks_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pki_tks_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive pki_tks_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_pki_tks_client_packets',` dnl
dnl corenet_dontaudit_receive_pki_tks_client_packets(domain)
dnl   Silences AVC denials when $1 is refused packet recv on
dnl   pki_tks_client_packet_t. Grants nothing; the denial still happens.
dnl   The define/pushdef/undefine triples only maintain policy_call_depth
dnl   for the begin/end trace comments and emit no policy text.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pki_tks_client_packets'($*)) dnl
gen_require(`
type pki_tks_client_packet_t;
')
dontaudit $1 pki_tks_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pki_tks_client_packets'($*)) dnl
')
########################################
##
## Send and receive pki_tks_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_pki_tks_client_packets',` dnl
dnl corenet_sendrecv_pki_tks_client_packets(domain)
dnl   Convenience wrapper: expands the send and receive interfaces for
dnl   pki_tks_client_packet_t so $1 gets both packet send and packet recv.
dnl   No gen_require here; each callee declares the type it needs.
dnl   The define/pushdef/undefine triples only maintain policy_call_depth
dnl   for the begin/end trace comments and emit no policy text.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pki_tks_client_packets'($*)) dnl
corenet_send_pki_tks_client_packets($1)
corenet_receive_pki_tks_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pki_tks_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive pki_tks_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_pki_tks_client_packets',` dnl
dnl corenet_dontaudit_sendrecv_pki_tks_client_packets(domain)
dnl   Convenience wrapper: expands the dontaudit send and dontaudit receive
dnl   interfaces for pki_tks_client_packet_t. Grants nothing; only audit
dnl   records for those two denials are suppressed for $1.
dnl   The define/pushdef/undefine triples only maintain policy_call_depth
dnl   for the begin/end trace comments and emit no policy text.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pki_tks_client_packets'($*)) dnl
corenet_dontaudit_send_pki_tks_client_packets($1)
corenet_dontaudit_receive_pki_tks_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pki_tks_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the pki_tks_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_pki_tks_client_packets',` dnl
dnl corenet_relabelto_pki_tks_client_packets(domain)
dnl   Lets $1 change the label of packets to pki_tks_client_packet_t
dnl   (packet relabelto). Relabeling decides which packet rules apply
dnl   afterwards, so treat this as a labeling-authority grant and keep
dnl   it to the domain that administers packet labeling.
dnl   The define/pushdef/undefine triples only maintain policy_call_depth
dnl   for the begin/end trace comments and emit no policy text.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pki_tks_client_packets'($*)) dnl
gen_require(`
type pki_tks_client_packet_t;
')
allow $1 pki_tks_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pki_tks_client_packets'($*)) dnl
')
########################################
##
## Send pki_tks_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_pki_tks_server_packets',` dnl
dnl corenet_send_pki_tks_server_packets(domain)
dnl   Lets $1 send packets labeled pki_tks_server_packet_t (packet send).
dnl   Packet-class rule only; port-level send_msg/recv_msg is separate.
dnl   The define/pushdef/undefine triples only maintain policy_call_depth
dnl   for the begin/end trace comments and emit no policy text.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pki_tks_server_packets'($*)) dnl
gen_require(`
type pki_tks_server_packet_t;
')
allow $1 pki_tks_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pki_tks_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send pki_tks_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_pki_tks_server_packets',` dnl
dnl corenet_dontaudit_send_pki_tks_server_packets(domain)
dnl   Silences AVC denials when $1 is refused packet send on
dnl   pki_tks_server_packet_t. Grants nothing; the denial still happens.
dnl   The define/pushdef/undefine triples only maintain policy_call_depth
dnl   for the begin/end trace comments and emit no policy text.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pki_tks_server_packets'($*)) dnl
gen_require(`
type pki_tks_server_packet_t;
')
dontaudit $1 pki_tks_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pki_tks_server_packets'($*)) dnl
')
########################################
##
## Receive pki_tks_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_pki_tks_server_packets',` dnl
dnl corenet_receive_pki_tks_server_packets(domain)
dnl   Lets $1 receive packets labeled pki_tks_server_packet_t (packet recv).
dnl   Packet-class rule only; port-level send_msg/recv_msg is separate.
dnl   The define/pushdef/undefine triples only maintain policy_call_depth
dnl   for the begin/end trace comments and emit no policy text.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pki_tks_server_packets'($*)) dnl
gen_require(`
type pki_tks_server_packet_t;
')
allow $1 pki_tks_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pki_tks_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive pki_tks_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_pki_tks_server_packets',` dnl
dnl corenet_dontaudit_receive_pki_tks_server_packets(domain)
dnl   Silences AVC denials when $1 is refused packet recv on
dnl   pki_tks_server_packet_t. Grants nothing; the denial still happens.
dnl   The define/pushdef/undefine triples only maintain policy_call_depth
dnl   for the begin/end trace comments and emit no policy text.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pki_tks_server_packets'($*)) dnl
gen_require(`
type pki_tks_server_packet_t;
')
dontaudit $1 pki_tks_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pki_tks_server_packets'($*)) dnl
')
########################################
##
## Send and receive pki_tks_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_pki_tks_server_packets',` dnl
dnl corenet_sendrecv_pki_tks_server_packets(domain)
dnl   Convenience wrapper: expands the send and receive interfaces for
dnl   pki_tks_server_packet_t so $1 gets both packet send and packet recv.
dnl   No gen_require here; each callee declares the type it needs.
dnl   The define/pushdef/undefine triples only maintain policy_call_depth
dnl   for the begin/end trace comments and emit no policy text.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pki_tks_server_packets'($*)) dnl
corenet_send_pki_tks_server_packets($1)
corenet_receive_pki_tks_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pki_tks_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive pki_tks_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_pki_tks_server_packets',` dnl
dnl corenet_dontaudit_sendrecv_pki_tks_server_packets(domain)
dnl   Convenience wrapper: expands the dontaudit send and dontaudit receive
dnl   interfaces for pki_tks_server_packet_t. Grants nothing; only audit
dnl   records for those two denials are suppressed for $1.
dnl   The define/pushdef/undefine triples only maintain policy_call_depth
dnl   for the begin/end trace comments and emit no policy text.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pki_tks_server_packets'($*)) dnl
corenet_dontaudit_send_pki_tks_server_packets($1)
corenet_dontaudit_receive_pki_tks_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pki_tks_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the pki_tks_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_pki_tks_server_packets',` dnl
dnl corenet_relabelto_pki_tks_server_packets(domain)
dnl   Lets $1 change the label of packets to pki_tks_server_packet_t
dnl   (packet relabelto). Relabeling decides which packet rules apply
dnl   afterwards, so treat this as a labeling-authority grant and keep
dnl   it to the domain that administers packet labeling.
dnl   The define/pushdef/undefine triples only maintain policy_call_depth
dnl   for the begin/end trace comments and emit no policy text.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pki_tks_server_packets'($*)) dnl
gen_require(`
type pki_tks_server_packet_t;
')
allow $1 pki_tks_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pki_tks_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the pki_ra port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_pki_ra_port',` dnl
dnl corenet_tcp_sendrecv_pki_ra_port(domain)
dnl   Lets $1 send and receive TCP messages on ports labeled pki_ra_port_t
dnl   (tcp_socket send_msg recv_msg). This does not grant name_bind or
dnl   name_connect; a server or client also needs the bind/connect interface.
dnl   The define/pushdef/undefine triples only maintain policy_call_depth
dnl   for the begin/end trace comments and emit no policy text.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_pki_ra_port'($*)) dnl
gen_require(`
type pki_ra_port_t;
')
allow $1 pki_ra_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_pki_ra_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the pki_ra port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_pki_ra_port',` dnl
dnl corenet_udp_send_pki_ra_port(domain)
dnl   Lets $1 send UDP datagrams on ports labeled pki_ra_port_t
dnl   (udp_socket send_msg). Receive is a separate interface.
dnl   The define/pushdef/undefine triples only maintain policy_call_depth
dnl   for the begin/end trace comments and emit no policy text.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_pki_ra_port'($*)) dnl
gen_require(`
type pki_ra_port_t;
')
allow $1 pki_ra_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_pki_ra_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the pki_ra port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_pki_ra_port',` dnl
dnl corenet_dontaudit_udp_send_pki_ra_port(domain)
dnl   Silences AVC denials when $1 is refused udp_socket send_msg on
dnl   pki_ra_port_t. Grants nothing; the denial still happens.
dnl   The define/pushdef/undefine triples only maintain policy_call_depth
dnl   for the begin/end trace comments and emit no policy text.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_pki_ra_port'($*)) dnl
gen_require(`
type pki_ra_port_t;
')
dontaudit $1 pki_ra_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_pki_ra_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the pki_ra port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_pki_ra_port',` dnl
dnl corenet_udp_receive_pki_ra_port(domain)
dnl   Lets $1 receive UDP datagrams on ports labeled pki_ra_port_t
dnl   (udp_socket recv_msg). Send is a separate interface.
dnl   The define/pushdef/undefine triples only maintain policy_call_depth
dnl   for the begin/end trace comments and emit no policy text.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_pki_ra_port'($*)) dnl
gen_require(`
type pki_ra_port_t;
')
allow $1 pki_ra_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_pki_ra_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the pki_ra port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_pki_ra_port',` dnl
dnl corenet_dontaudit_udp_receive_pki_ra_port(domain)
dnl   Silences AVC denials when $1 is refused udp_socket recv_msg on
dnl   pki_ra_port_t. Grants nothing; the denial still happens.
dnl   The define/pushdef/undefine triples only maintain policy_call_depth
dnl   for the begin/end trace comments and emit no policy text.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_pki_ra_port'($*)) dnl
gen_require(`
type pki_ra_port_t;
')
dontaudit $1 pki_ra_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_pki_ra_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the pki_ra port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_pki_ra_port',` dnl
dnl corenet_udp_sendrecv_pki_ra_port(domain)
dnl   Convenience wrapper: expands the udp_send and udp_receive interfaces
dnl   for pki_ra_port_t so $1 gets both send_msg and recv_msg.
dnl   No gen_require here; each callee declares the type it needs.
dnl   The define/pushdef/undefine triples only maintain policy_call_depth
dnl   for the begin/end trace comments and emit no policy text.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_pki_ra_port'($*)) dnl
corenet_udp_send_pki_ra_port($1)
corenet_udp_receive_pki_ra_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_pki_ra_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the pki_ra port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_pki_ra_port',` dnl
dnl corenet_dontaudit_udp_sendrecv_pki_ra_port(domain)
dnl   Convenience wrapper: expands the dontaudit udp_send and dontaudit
dnl   udp_receive interfaces for pki_ra_port_t. Grants nothing; only the
dnl   audit records for those two denials are suppressed for $1.
dnl   The define/pushdef/undefine triples only maintain policy_call_depth
dnl   for the begin/end trace comments and emit no policy text.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_pki_ra_port'($*)) dnl
corenet_dontaudit_udp_send_pki_ra_port($1)
corenet_dontaudit_udp_receive_pki_ra_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_pki_ra_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the pki_ra port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_pki_ra_port',` dnl
dnl corenet_tcp_bind_pki_ra_port(domain)
dnl   Lets $1 bind a TCP socket to a port labeled pki_ra_port_t
dnl   (tcp_socket name_bind): the server-side grant. Clients need the
dnl   tcp_connect interface instead; neither grants send_msg/recv_msg.
dnl   The define/pushdef/undefine triples only maintain policy_call_depth
dnl   for the begin/end trace comments and emit no policy text.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_pki_ra_port'($*)) dnl
gen_require(`
type pki_ra_port_t;
')
allow $1 pki_ra_port_t:tcp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_pki_ra_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the pki_ra port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_pki_ra_port',` dnl
dnl corenet_udp_bind_pki_ra_port(domain)
dnl   Lets $1 bind a UDP socket to a port labeled pki_ra_port_t
dnl   (udp_socket name_bind). Binding alone does not grant send_msg or
dnl   recv_msg; pair with the udp_send/udp_receive interfaces for traffic.
dnl   The define/pushdef/undefine triples only maintain policy_call_depth
dnl   for the begin/end trace comments and emit no policy text.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_pki_ra_port'($*)) dnl
gen_require(`
type pki_ra_port_t;
')
allow $1 pki_ra_port_t:udp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_pki_ra_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the pki_ra port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_pki_ra_port',` dnl
dnl corenet_tcp_connect_pki_ra_port(domain)
dnl   Lets $1 initiate a TCP connection to a port labeled pki_ra_port_t
dnl   (tcp_socket name_connect): the client-side grant. It does not allow
dnl   binding to the port and does not by itself grant send_msg/recv_msg.
dnl   The define/pushdef/undefine triples only maintain policy_call_depth
dnl   for the begin/end trace comments and emit no policy text.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_pki_ra_port'($*)) dnl
gen_require(`
type pki_ra_port_t;
')
allow $1 pki_ra_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_pki_ra_port'($*)) dnl
')
########################################
##
## Send pki_ra_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_pki_ra_client_packets',` dnl
dnl corenet_send_pki_ra_client_packets(domain)
dnl   Lets $1 send packets labeled pki_ra_client_packet_t (packet send).
dnl   Packet-class rule only; port-level send_msg/recv_msg is separate.
dnl   The define/pushdef/undefine triples only maintain policy_call_depth
dnl   for the begin/end trace comments and emit no policy text.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pki_ra_client_packets'($*)) dnl
gen_require(`
type pki_ra_client_packet_t;
')
allow $1 pki_ra_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pki_ra_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send pki_ra_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_pki_ra_client_packets',` dnl
dnl corenet_dontaudit_send_pki_ra_client_packets(domain)
dnl   Silences AVC denials when $1 is refused packet send on
dnl   pki_ra_client_packet_t. Grants nothing; the denial still happens.
dnl   The define/pushdef/undefine triples only maintain policy_call_depth
dnl   for the begin/end trace comments and emit no policy text.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pki_ra_client_packets'($*)) dnl
gen_require(`
type pki_ra_client_packet_t;
')
dontaudit $1 pki_ra_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pki_ra_client_packets'($*)) dnl
')
########################################
##
## Receive pki_ra_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_pki_ra_client_packets',` dnl
dnl corenet_receive_pki_ra_client_packets(domain)
dnl   Lets $1 receive packets labeled pki_ra_client_packet_t (packet recv).
dnl   Packet-class rule only; port-level send_msg/recv_msg is separate.
dnl   The define/pushdef/undefine triples only maintain policy_call_depth
dnl   for the begin/end trace comments and emit no policy text.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pki_ra_client_packets'($*)) dnl
gen_require(`
type pki_ra_client_packet_t;
')
allow $1 pki_ra_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pki_ra_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive pki_ra_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_pki_ra_client_packets',` dnl
dnl corenet_dontaudit_receive_pki_ra_client_packets(domain)
dnl   Silences AVC denials when $1 is refused packet recv on
dnl   pki_ra_client_packet_t. Grants nothing; the denial still happens.
dnl   The define/pushdef/undefine triples only maintain policy_call_depth
dnl   for the begin/end trace comments and emit no policy text.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pki_ra_client_packets'($*)) dnl
gen_require(`
type pki_ra_client_packet_t;
')
dontaudit $1 pki_ra_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pki_ra_client_packets'($*)) dnl
')
########################################
##
## Send and receive pki_ra_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_pki_ra_client_packets',` dnl
dnl corenet_sendrecv_pki_ra_client_packets(domain)
dnl   Convenience wrapper: expands the send and receive interfaces for
dnl   pki_ra_client_packet_t so $1 gets both packet send and packet recv.
dnl   No gen_require here; each callee declares the type it needs.
dnl   The define/pushdef/undefine triples only maintain policy_call_depth
dnl   for the begin/end trace comments and emit no policy text.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pki_ra_client_packets'($*)) dnl
corenet_send_pki_ra_client_packets($1)
corenet_receive_pki_ra_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pki_ra_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive pki_ra_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_pki_ra_client_packets',` dnl
dnl corenet_dontaudit_sendrecv_pki_ra_client_packets(domain)
dnl   Convenience wrapper: expands the dontaudit send and dontaudit receive
dnl   interfaces for pki_ra_client_packet_t. Grants nothing; only audit
dnl   records for those two denials are suppressed for $1.
dnl   The define/pushdef/undefine triples only maintain policy_call_depth
dnl   for the begin/end trace comments and emit no policy text.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pki_ra_client_packets'($*)) dnl
corenet_dontaudit_send_pki_ra_client_packets($1)
corenet_dontaudit_receive_pki_ra_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pki_ra_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the pki_ra_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_pki_ra_client_packets',` dnl
dnl corenet_relabelto_pki_ra_client_packets(domain)
dnl   Lets $1 change the label of packets to pki_ra_client_packet_t
dnl   (packet relabelto). Relabeling decides which packet rules apply
dnl   afterwards, so treat this as a labeling-authority grant and keep
dnl   it to the domain that administers packet labeling.
dnl   The define/pushdef/undefine triples only maintain policy_call_depth
dnl   for the begin/end trace comments and emit no policy text.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pki_ra_client_packets'($*)) dnl
gen_require(`
type pki_ra_client_packet_t;
')
allow $1 pki_ra_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pki_ra_client_packets'($*)) dnl
')
########################################
##
## Send pki_ra_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_pki_ra_server_packets',` dnl
dnl corenet_send_pki_ra_server_packets(domain)
dnl   Lets $1 send packets labeled pki_ra_server_packet_t (packet send).
dnl   Packet-class rule only; port-level send_msg/recv_msg is separate.
dnl   The define/pushdef/undefine triples only maintain policy_call_depth
dnl   for the begin/end trace comments and emit no policy text.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pki_ra_server_packets'($*)) dnl
gen_require(`
type pki_ra_server_packet_t;
')
allow $1 pki_ra_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pki_ra_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send pki_ra_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_pki_ra_server_packets',` dnl
dnl corenet_dontaudit_send_pki_ra_server_packets(domain)
dnl   Silences AVC denials when $1 is refused packet send on
dnl   pki_ra_server_packet_t. Grants nothing; the denial still happens.
dnl   The define/pushdef/undefine triples only maintain policy_call_depth
dnl   for the begin/end trace comments and emit no policy text.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pki_ra_server_packets'($*)) dnl
gen_require(`
type pki_ra_server_packet_t;
')
dontaudit $1 pki_ra_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pki_ra_server_packets'($*)) dnl
')
########################################
##
## Receive pki_ra_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_pki_ra_server_packets',` dnl
dnl corenet_receive_pki_ra_server_packets(domain)
dnl   Lets $1 receive packets labeled pki_ra_server_packet_t (packet recv).
dnl   Packet-class rule only; port-level send_msg/recv_msg is separate.
dnl   The define/pushdef/undefine triples only maintain policy_call_depth
dnl   for the begin/end trace comments and emit no policy text.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pki_ra_server_packets'($*)) dnl
gen_require(`
type pki_ra_server_packet_t;
')
allow $1 pki_ra_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pki_ra_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive pki_ra_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_pki_ra_server_packets',` dnl
dnl corenet_dontaudit_receive_pki_ra_server_packets(domain)
dnl   Silences AVC denials when $1 is refused packet recv on
dnl   pki_ra_server_packet_t. Grants nothing; the denial still happens.
dnl   The define/pushdef/undefine triples only maintain policy_call_depth
dnl   for the begin/end trace comments and emit no policy text.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pki_ra_server_packets'($*)) dnl
gen_require(`
type pki_ra_server_packet_t;
')
dontaudit $1 pki_ra_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pki_ra_server_packets'($*)) dnl
')
########################################
##
## Send and receive pki_ra_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_pki_ra_server_packets',` dnl
dnl corenet_sendrecv_pki_ra_server_packets(domain)
dnl   Convenience wrapper: expands the send and receive interfaces for
dnl   pki_ra_server_packet_t so $1 gets both packet send and packet recv.
dnl   No gen_require here; each callee declares the type it needs.
dnl   The define/pushdef/undefine triples only maintain policy_call_depth
dnl   for the begin/end trace comments and emit no policy text.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pki_ra_server_packets'($*)) dnl
corenet_send_pki_ra_server_packets($1)
corenet_receive_pki_ra_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pki_ra_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive pki_ra_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_pki_ra_server_packets',` dnl
dnl corenet_dontaudit_sendrecv_pki_ra_server_packets(domain)
dnl   Convenience wrapper: expands the dontaudit send and dontaudit receive
dnl   interfaces for pki_ra_server_packet_t. Grants nothing; only audit
dnl   records for those two denials are suppressed for $1.
dnl   The define/pushdef/undefine triples only maintain policy_call_depth
dnl   for the begin/end trace comments and emit no policy text.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pki_ra_server_packets'($*)) dnl
corenet_dontaudit_send_pki_ra_server_packets($1)
corenet_dontaudit_receive_pki_ra_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pki_ra_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the pki_ra_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_pki_ra_server_packets',` dnl
dnl corenet_relabelto_pki_ra_server_packets(domain)
dnl   Lets $1 change the label of packets to pki_ra_server_packet_t
dnl   (packet relabelto). Relabeling decides which packet rules apply
dnl   afterwards, so treat this as a labeling-authority grant and keep
dnl   it to the domain that administers packet labeling.
dnl   The define/pushdef/undefine triples only maintain policy_call_depth
dnl   for the begin/end trace comments and emit no policy text.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pki_ra_server_packets'($*)) dnl
gen_require(`
type pki_ra_server_packet_t;
')
allow $1 pki_ra_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pki_ra_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the pki_tps port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_pki_tps_port',` dnl
dnl corenet_tcp_sendrecv_pki_tps_port(domain)
dnl   Lets $1 send and receive TCP messages on ports labeled pki_tps_port_t
dnl   (tcp_socket send_msg recv_msg). This does not grant name_bind or
dnl   name_connect; a server or client also needs the bind/connect interface.
dnl   The define/pushdef/undefine triples only maintain policy_call_depth
dnl   for the begin/end trace comments and emit no policy text.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_pki_tps_port'($*)) dnl
gen_require(`
type pki_tps_port_t;
')
allow $1 pki_tps_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_pki_tps_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the pki_tps port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_pki_tps_port',` dnl
dnl corenet_udp_send_pki_tps_port(domain)
dnl   Lets $1 send UDP datagrams on ports labeled pki_tps_port_t
dnl   (udp_socket send_msg). Receive is a separate interface.
dnl   The define/pushdef/undefine triples only maintain policy_call_depth
dnl   for the begin/end trace comments and emit no policy text.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_pki_tps_port'($*)) dnl
gen_require(`
type pki_tps_port_t;
')
allow $1 pki_tps_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_pki_tps_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the pki_tps port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_pki_tps_port',` dnl
dnl corenet_dontaudit_udp_send_pki_tps_port(domain)
dnl   Silences AVC denials when $1 is refused udp_socket send_msg on
dnl   pki_tps_port_t. Grants nothing; the denial still happens.
dnl   The define/pushdef/undefine triples only maintain policy_call_depth
dnl   for the begin/end trace comments and emit no policy text.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_pki_tps_port'($*)) dnl
gen_require(`
type pki_tps_port_t;
')
dontaudit $1 pki_tps_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_pki_tps_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the pki_tps port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_pki_tps_port',` dnl
dnl corenet_udp_receive_pki_tps_port(domain)
dnl   Lets $1 receive UDP datagrams on ports labeled pki_tps_port_t
dnl   (udp_socket recv_msg). Send is a separate interface.
dnl   The define/pushdef/undefine triples only maintain policy_call_depth
dnl   for the begin/end trace comments and emit no policy text.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_pki_tps_port'($*)) dnl
gen_require(`
type pki_tps_port_t;
')
allow $1 pki_tps_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_pki_tps_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the pki_tps port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_pki_tps_port',` dnl
dnl corenet_dontaudit_udp_receive_pki_tps_port(domain)
dnl   Silences AVC denials when $1 is refused udp_socket recv_msg on
dnl   pki_tps_port_t. Grants nothing; the denial still happens.
dnl   The define/pushdef/undefine triples only maintain policy_call_depth
dnl   for the begin/end trace comments and emit no policy text.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_pki_tps_port'($*)) dnl
gen_require(`
type pki_tps_port_t;
')
dontaudit $1 pki_tps_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_pki_tps_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the pki_tps port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_pki_tps_port',` dnl
dnl corenet_udp_sendrecv_pki_tps_port(domain)
dnl   Convenience wrapper: expands the udp_send and udp_receive interfaces
dnl   for pki_tps_port_t so $1 gets both send_msg and recv_msg.
dnl   No gen_require here; each callee declares the type it needs.
dnl   The define/pushdef/undefine triples only maintain policy_call_depth
dnl   for the begin/end trace comments and emit no policy text.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_pki_tps_port'($*)) dnl
corenet_udp_send_pki_tps_port($1)
corenet_udp_receive_pki_tps_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_pki_tps_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the pki_tps port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_pki_tps_port',` dnl
dnl corenet_dontaudit_udp_sendrecv_pki_tps_port(domain)
dnl   Convenience wrapper: expands the dontaudit udp_send and dontaudit
dnl   udp_receive interfaces for pki_tps_port_t. Grants nothing; only the
dnl   audit records for those two denials are suppressed for $1.
dnl   The define/pushdef/undefine triples only maintain policy_call_depth
dnl   for the begin/end trace comments and emit no policy text.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_pki_tps_port'($*)) dnl
corenet_dontaudit_udp_send_pki_tps_port($1)
corenet_dontaudit_udp_receive_pki_tps_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_pki_tps_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the pki_tps port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_pki_tps_port',` dnl
dnl corenet_tcp_bind_pki_tps_port(domain)
dnl   Lets $1 bind a TCP socket to a port labeled pki_tps_port_t
dnl   (tcp_socket name_bind): the server-side grant. Clients need the
dnl   tcp_connect interface instead; neither grants send_msg/recv_msg.
dnl   The define/pushdef/undefine triples only maintain policy_call_depth
dnl   for the begin/end trace comments and emit no policy text.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_pki_tps_port'($*)) dnl
gen_require(`
type pki_tps_port_t;
')
allow $1 pki_tps_port_t:tcp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_pki_tps_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the pki_tps port.
##
##
##
## Domain allowed access.
##
##
##
#
# Grants udp_socket name_bind on pki_tps_port_t: the domain may bind a UDP
# socket to the pki_tps port. Grant only to the port owner; send_msg and
# recv_msg are not included and come from the send/receive interfaces.
# The policy_temp / policy_call_depth lines are call-depth bookkeeping only.
define(`corenet_udp_bind_pki_tps_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_pki_tps_port'($*)) dnl
gen_require(`
type pki_tps_port_t;
')
allow $1 pki_tps_port_t:udp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_pki_tps_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the pki_tps port.
##
##
##
## Domain allowed access.
##
##
#
# Grants tcp_socket name_connect on pki_tps_port_t: outbound TCP connections
# to the pki_tps port. This is the client-side permission; it does not grant
# name_bind. Keep the set of domains with name_connect narrow, as it defines
# which domains may reach the service at all under SELinux.
# The policy_temp / policy_call_depth lines are call-depth bookkeeping only.
define(`corenet_tcp_connect_pki_tps_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_pki_tps_port'($*)) dnl
gen_require(`
type pki_tps_port_t;
')
allow $1 pki_tps_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_pki_tps_port'($*)) dnl
')
########################################
##
## Send pki_tps_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
# Grants packet send on pki_tps_client_packet_t. Packet-class permissions are
# only checked on packets that actually carry that label (for example via
# SECMARK netfilter rules); without such labeling the rule has no effect.
# The policy_temp / policy_call_depth lines are call-depth bookkeeping only.
define(`corenet_send_pki_tps_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pki_tps_client_packets'($*)) dnl
gen_require(`
type pki_tps_client_packet_t;
')
allow $1 pki_tps_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pki_tps_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send pki_tps_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
# Suppresses the AVC denial record for packet send on
# pki_tps_client_packet_t. Access remains denied; only the audit event is
# dropped. Use for known-harmless noise only, because it also blinds
# audit-based detection to that traffic attempt.
# The policy_temp / policy_call_depth lines are call-depth bookkeeping only.
define(`corenet_dontaudit_send_pki_tps_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pki_tps_client_packets'($*)) dnl
gen_require(`
type pki_tps_client_packet_t;
')
dontaudit $1 pki_tps_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pki_tps_client_packets'($*)) dnl
')
########################################
##
## Receive pki_tps_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
# Grants packet recv on pki_tps_client_packet_t. Only meaningful when
# inbound packets are labeled with that type (for example via SECMARK);
# unlabeled traffic is not subject to this check.
# The policy_temp / policy_call_depth lines are call-depth bookkeeping only.
define(`corenet_receive_pki_tps_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pki_tps_client_packets'($*)) dnl
gen_require(`
type pki_tps_client_packet_t;
')
allow $1 pki_tps_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pki_tps_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive pki_tps_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
# Suppresses the AVC denial record for packet recv on
# pki_tps_client_packet_t. The parameter is the domain to NOT audit; no
# access is granted. Prefer fixing the labeling over silencing the denial.
# The policy_temp / policy_call_depth lines are call-depth bookkeeping only.
define(`corenet_dontaudit_receive_pki_tps_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pki_tps_client_packets'($*)) dnl
gen_require(`
type pki_tps_client_packet_t;
')
dontaudit $1 pki_tps_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pki_tps_client_packets'($*)) dnl
')
########################################
##
## Send and receive pki_tps_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
# Composite: expands to the send and the receive interface, giving the domain
# packet send and recv on pki_tps_client_packet_t. Effective only for
# packets labeled with that type. It does not grant relabelto.
# The policy_temp / policy_call_depth lines are call-depth bookkeeping only.
define(`corenet_sendrecv_pki_tps_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pki_tps_client_packets'($*)) dnl
corenet_send_pki_tps_client_packets($1)
corenet_receive_pki_tps_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pki_tps_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive pki_tps_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
# Composite dontaudit: silences denial records for both packet send and recv
# on pki_tps_client_packet_t. Grants nothing; hides the denials from audit,
# so reserve it for denials that are understood and harmless.
# The policy_temp / policy_call_depth lines are call-depth bookkeeping only.
define(`corenet_dontaudit_sendrecv_pki_tps_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pki_tps_client_packets'($*)) dnl
corenet_dontaudit_send_pki_tps_client_packets($1)
corenet_dontaudit_receive_pki_tps_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pki_tps_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the pki_tps_client packet type.
##
##
##
## Domain allowed access.
##
##
#
# Grants packet relabelto to pki_tps_client_packet_t. This is a labeling
# privilege, not a traffic permission: it lets the domain assign this packet
# label (as happens when packet-labeling rules are installed). A domain that
# can relabel packets can steer them past packet-level checks, so it is
# normally needed only by whatever manages the packet-labeling rules.
# The policy_temp / policy_call_depth lines are call-depth bookkeeping only.
define(`corenet_relabelto_pki_tps_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pki_tps_client_packets'($*)) dnl
gen_require(`
type pki_tps_client_packet_t;
')
allow $1 pki_tps_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pki_tps_client_packets'($*)) dnl
')
########################################
##
## Send pki_tps_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
# Grants packet send on pki_tps_server_packet_t. Checked only for packets
# that carry this label (for example via SECMARK netfilter rules).
# The policy_temp / policy_call_depth lines are call-depth bookkeeping only.
define(`corenet_send_pki_tps_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pki_tps_server_packets'($*)) dnl
gen_require(`
type pki_tps_server_packet_t;
')
allow $1 pki_tps_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pki_tps_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send pki_tps_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
# Suppresses the AVC denial record for packet send on
# pki_tps_server_packet_t. Grants nothing; the access stays denied. Because
# it removes the audit evidence, use only for understood, harmless denials.
# The policy_temp / policy_call_depth lines are call-depth bookkeeping only.
define(`corenet_dontaudit_send_pki_tps_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pki_tps_server_packets'($*)) dnl
gen_require(`
type pki_tps_server_packet_t;
')
dontaudit $1 pki_tps_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pki_tps_server_packets'($*)) dnl
')
########################################
##
## Receive pki_tps_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
# Grants packet recv on pki_tps_server_packet_t. Only applies to inbound
# packets labeled with that type; unlabeled traffic is not checked here.
# The policy_temp / policy_call_depth lines are call-depth bookkeeping only.
define(`corenet_receive_pki_tps_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pki_tps_server_packets'($*)) dnl
gen_require(`
type pki_tps_server_packet_t;
')
allow $1 pki_tps_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pki_tps_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive pki_tps_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
# Suppresses the AVC denial record for packet recv on
# pki_tps_server_packet_t. The parameter is the domain to NOT audit; no
# access is granted. Prefer correcting the labeling over hiding the denial.
# The policy_temp / policy_call_depth lines are call-depth bookkeeping only.
define(`corenet_dontaudit_receive_pki_tps_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pki_tps_server_packets'($*)) dnl
gen_require(`
type pki_tps_server_packet_t;
')
dontaudit $1 pki_tps_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pki_tps_server_packets'($*)) dnl
')
########################################
##
## Send and receive pki_tps_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
# Composite: expands to the send and the receive interface, giving packet
# send and recv on pki_tps_server_packet_t. Effective only for packets
# labeled with that type; relabelto is not included.
# The policy_temp / policy_call_depth lines are call-depth bookkeeping only.
define(`corenet_sendrecv_pki_tps_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pki_tps_server_packets'($*)) dnl
corenet_send_pki_tps_server_packets($1)
corenet_receive_pki_tps_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pki_tps_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive pki_tps_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
# Composite dontaudit: silences denial records for packet send and recv on
# pki_tps_server_packet_t. Grants nothing and removes audit evidence, so
# reserve it for denials that are understood and harmless.
# The policy_temp / policy_call_depth lines are call-depth bookkeeping only.
define(`corenet_dontaudit_sendrecv_pki_tps_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pki_tps_server_packets'($*)) dnl
corenet_dontaudit_send_pki_tps_server_packets($1)
corenet_dontaudit_receive_pki_tps_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pki_tps_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the pki_tps_server packet type.
##
##
##
## Domain allowed access.
##
##
#
# Grants packet relabelto to pki_tps_server_packet_t. A labeling privilege,
# not a traffic permission: the domain may assign this packet label. Since a
# relabeling domain can move packets across packet-level boundaries, keep it
# to the domain that manages packet-labeling rules.
# The policy_temp / policy_call_depth lines are call-depth bookkeeping only.
define(`corenet_relabelto_pki_tps_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pki_tps_server_packets'($*)) dnl
gen_require(`
type pki_tps_server_packet_t;
')
allow $1 pki_tps_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pki_tps_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the pgpkeyserver port.
##
##
##
## Domain allowed access.
##
##
##
#
# Grants tcp_socket send_msg and recv_msg on pgpkeyserver_port_t: traffic on
# the pgpkeyserver port once a socket exists. It grants neither name_bind nor
# name_connect, so pair it with the bind or connect interface as appropriate.
# The policy_temp / policy_call_depth lines are call-depth bookkeeping only.
define(`corenet_tcp_sendrecv_pgpkeyserver_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_pgpkeyserver_port'($*)) dnl
gen_require(`
type pgpkeyserver_port_t;
')
allow $1 pgpkeyserver_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_pgpkeyserver_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the pgpkeyserver port.
##
##
##
## Domain allowed access.
##
##
##
#
# Grants only udp_socket send_msg on pgpkeyserver_port_t. Receiving is a
# separate interface; neither includes name_bind.
# The policy_temp / policy_call_depth lines are call-depth bookkeeping only.
define(`corenet_udp_send_pgpkeyserver_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_pgpkeyserver_port'($*)) dnl
gen_require(`
type pgpkeyserver_port_t;
')
allow $1 pgpkeyserver_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_pgpkeyserver_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the pgpkeyserver port.
##
##
##
## Domain to not audit.
##
##
##
#
# Suppresses the AVC denial record for udp_socket send_msg on
# pgpkeyserver_port_t. Grants nothing; the access stays denied. Use only for
# known-harmless noise, since it hides the attempt from audit-based detection.
# The policy_temp / policy_call_depth lines are call-depth bookkeeping only.
define(`corenet_dontaudit_udp_send_pgpkeyserver_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_pgpkeyserver_port'($*)) dnl
gen_require(`
type pgpkeyserver_port_t;
')
dontaudit $1 pgpkeyserver_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_pgpkeyserver_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the pgpkeyserver port.
##
##
##
## Domain allowed access.
##
##
##
#
# Grants only udp_socket recv_msg on pgpkeyserver_port_t. Sending is a
# separate interface; name_bind is not included.
# The policy_temp / policy_call_depth lines are call-depth bookkeeping only.
define(`corenet_udp_receive_pgpkeyserver_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_pgpkeyserver_port'($*)) dnl
gen_require(`
type pgpkeyserver_port_t;
')
allow $1 pgpkeyserver_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_pgpkeyserver_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the pgpkeyserver port.
##
##
##
## Domain to not audit.
##
##
##
#
# Suppresses the AVC denial record for udp_socket recv_msg on
# pgpkeyserver_port_t. Grants nothing. Prefer fixing the cause of the denial;
# silencing it removes evidence that defenders may rely on.
# The policy_temp / policy_call_depth lines are call-depth bookkeeping only.
define(`corenet_dontaudit_udp_receive_pgpkeyserver_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_pgpkeyserver_port'($*)) dnl
gen_require(`
type pgpkeyserver_port_t;
')
dontaudit $1 pgpkeyserver_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_pgpkeyserver_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the pgpkeyserver port.
##
##
##
## Domain allowed access.
##
##
##
#
# Composite: expands to the send and the receive interface, giving
# udp_socket send_msg and recv_msg on pgpkeyserver_port_t. No name_bind is
# granted; use the bind interface for that.
# The policy_temp / policy_call_depth lines are call-depth bookkeeping only.
define(`corenet_udp_sendrecv_pgpkeyserver_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_pgpkeyserver_port'($*)) dnl
corenet_udp_send_pgpkeyserver_port($1)
corenet_udp_receive_pgpkeyserver_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_pgpkeyserver_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the pgpkeyserver port.
##
##
##
## Domain to not audit.
##
##
##
#
# Composite dontaudit: silences denial records for udp_socket send_msg and
# recv_msg on pgpkeyserver_port_t. Grants nothing; the access stays denied.
# Use only for understood, harmless noise, as it blinds audit to the attempts.
# The policy_temp / policy_call_depth lines are call-depth bookkeeping only.
define(`corenet_dontaudit_udp_sendrecv_pgpkeyserver_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_pgpkeyserver_port'($*)) dnl
corenet_dontaudit_udp_send_pgpkeyserver_port($1)
corenet_dontaudit_udp_receive_pgpkeyserver_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_pgpkeyserver_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the pgpkeyserver port.
##
##
##
## Domain allowed access.
##
##
##
#
# Grants tcp_socket name_bind on pgpkeyserver_port_t: the domain may bind a
# TCP socket to the pgpkeyserver port. This makes the domain reachable on the
# port, so grant it only to the service that owns it. send_msg and recv_msg
# are not included (see the sendrecv interface).
# The policy_temp / policy_call_depth lines are call-depth bookkeeping only.
define(`corenet_tcp_bind_pgpkeyserver_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_pgpkeyserver_port'($*)) dnl
gen_require(`
type pgpkeyserver_port_t;
')
allow $1 pgpkeyserver_port_t:tcp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_pgpkeyserver_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the pgpkeyserver port.
##
##
##
## Domain allowed access.
##
##
##
#
# Grants udp_socket name_bind on pgpkeyserver_port_t: the domain may bind a
# UDP socket to the pgpkeyserver port. Grant only to the port owner; traffic
# permissions (send_msg, recv_msg) come from the send/receive interfaces.
# The policy_temp / policy_call_depth lines are call-depth bookkeeping only.
define(`corenet_udp_bind_pgpkeyserver_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_pgpkeyserver_port'($*)) dnl
gen_require(`
type pgpkeyserver_port_t;
')
allow $1 pgpkeyserver_port_t:udp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_pgpkeyserver_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the pgpkeyserver port.
##
##
##
## Domain allowed access.
##
##
#
# Grants tcp_socket name_connect on pgpkeyserver_port_t: outbound TCP
# connections to the pgpkeyserver port. Client-side permission only; no
# name_bind. Keep the set of domains allowed to connect as narrow as the
# application actually requires.
# The policy_temp / policy_call_depth lines are call-depth bookkeeping only.
define(`corenet_tcp_connect_pgpkeyserver_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_pgpkeyserver_port'($*)) dnl
gen_require(`
type pgpkeyserver_port_t;
')
allow $1 pgpkeyserver_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_pgpkeyserver_port'($*)) dnl
')
########################################
##
## Send pgpkeyserver_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
# Grants packet send on pgpkeyserver_client_packet_t. Packet-class checks
# apply only to packets carrying this label (for example via SECMARK
# netfilter rules); without such labeling the rule has no effect.
# The policy_temp / policy_call_depth lines are call-depth bookkeeping only.
define(`corenet_send_pgpkeyserver_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pgpkeyserver_client_packets'($*)) dnl
gen_require(`
type pgpkeyserver_client_packet_t;
')
allow $1 pgpkeyserver_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pgpkeyserver_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send pgpkeyserver_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
# Suppresses the AVC denial record for packet send on
# pgpkeyserver_client_packet_t. Grants nothing; access stays denied. Use only
# for understood, harmless denials, since it removes the audit evidence.
# The policy_temp / policy_call_depth lines are call-depth bookkeeping only.
define(`corenet_dontaudit_send_pgpkeyserver_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pgpkeyserver_client_packets'($*)) dnl
gen_require(`
type pgpkeyserver_client_packet_t;
')
dontaudit $1 pgpkeyserver_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pgpkeyserver_client_packets'($*)) dnl
')
########################################
##
## Receive pgpkeyserver_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
# Grants packet recv on pgpkeyserver_client_packet_t. Applies only to
# inbound packets labeled with that type; unlabeled traffic is not checked.
# The policy_temp / policy_call_depth lines are call-depth bookkeeping only.
define(`corenet_receive_pgpkeyserver_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pgpkeyserver_client_packets'($*)) dnl
gen_require(`
type pgpkeyserver_client_packet_t;
')
allow $1 pgpkeyserver_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pgpkeyserver_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive pgpkeyserver_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
# Suppresses the AVC denial record for packet recv on
# pgpkeyserver_client_packet_t. The parameter is the domain to NOT audit;
# nothing is granted. Prefer fixing the labeling over silencing the denial.
# The policy_temp / policy_call_depth lines are call-depth bookkeeping only.
define(`corenet_dontaudit_receive_pgpkeyserver_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pgpkeyserver_client_packets'($*)) dnl
gen_require(`
type pgpkeyserver_client_packet_t;
')
dontaudit $1 pgpkeyserver_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pgpkeyserver_client_packets'($*)) dnl
')
########################################
##
## Send and receive pgpkeyserver_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
# Composite: expands to the send and the receive interface, giving packet
# send and recv on pgpkeyserver_client_packet_t. Effective only for packets
# labeled with that type; relabelto is not included.
# The policy_temp / policy_call_depth lines are call-depth bookkeeping only.
define(`corenet_sendrecv_pgpkeyserver_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pgpkeyserver_client_packets'($*)) dnl
corenet_send_pgpkeyserver_client_packets($1)
corenet_receive_pgpkeyserver_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pgpkeyserver_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive pgpkeyserver_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
# Composite dontaudit: silences denial records for packet send and recv on
# pgpkeyserver_client_packet_t. Grants nothing and drops the audit evidence,
# so reserve it for denials that are understood and harmless.
# The policy_temp / policy_call_depth lines are call-depth bookkeeping only.
define(`corenet_dontaudit_sendrecv_pgpkeyserver_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pgpkeyserver_client_packets'($*)) dnl
corenet_dontaudit_send_pgpkeyserver_client_packets($1)
corenet_dontaudit_receive_pgpkeyserver_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pgpkeyserver_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the pgpkeyserver_client packet type.
##
##
##
## Domain allowed access.
##
##
#
# Grants packet relabelto to pgpkeyserver_client_packet_t. A labeling
# privilege rather than a traffic permission: the domain may assign this
# packet label. Because a relabeling domain can move packets across
# packet-level boundaries, keep it to the domain that manages packet labeling.
# The policy_temp / policy_call_depth lines are call-depth bookkeeping only.
define(`corenet_relabelto_pgpkeyserver_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pgpkeyserver_client_packets'($*)) dnl
gen_require(`
type pgpkeyserver_client_packet_t;
')
allow $1 pgpkeyserver_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pgpkeyserver_client_packets'($*)) dnl
')
########################################
##
## Send pgpkeyserver_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
# Grants packet send on pgpkeyserver_server_packet_t. Checked only for
# packets carrying this label (for example via SECMARK netfilter rules).
# The policy_temp / policy_call_depth lines are call-depth bookkeeping only.
define(`corenet_send_pgpkeyserver_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pgpkeyserver_server_packets'($*)) dnl
gen_require(`
type pgpkeyserver_server_packet_t;
')
allow $1 pgpkeyserver_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pgpkeyserver_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send pgpkeyserver_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
# Suppresses the AVC denial record for packet send on
# pgpkeyserver_server_packet_t. Grants nothing; access stays denied. Use only
# for understood, harmless denials, since it removes the audit evidence.
# The policy_temp / policy_call_depth lines are call-depth bookkeeping only.
define(`corenet_dontaudit_send_pgpkeyserver_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pgpkeyserver_server_packets'($*)) dnl
gen_require(`
type pgpkeyserver_server_packet_t;
')
dontaudit $1 pgpkeyserver_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pgpkeyserver_server_packets'($*)) dnl
')
########################################
##
## Receive pgpkeyserver_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
# Grants packet recv on pgpkeyserver_server_packet_t. Applies only to
# inbound packets labeled with that type; unlabeled traffic is not checked.
# The policy_temp / policy_call_depth lines are call-depth bookkeeping only.
define(`corenet_receive_pgpkeyserver_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pgpkeyserver_server_packets'($*)) dnl
gen_require(`
type pgpkeyserver_server_packet_t;
')
allow $1 pgpkeyserver_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pgpkeyserver_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive pgpkeyserver_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
# Suppresses the AVC denial record for packet recv on
# pgpkeyserver_server_packet_t. The parameter is the domain to NOT audit;
# nothing is granted. Prefer fixing the labeling over silencing the denial.
# The policy_temp / policy_call_depth lines are call-depth bookkeeping only.
define(`corenet_dontaudit_receive_pgpkeyserver_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pgpkeyserver_server_packets'($*)) dnl
gen_require(`
type pgpkeyserver_server_packet_t;
')
dontaudit $1 pgpkeyserver_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pgpkeyserver_server_packets'($*)) dnl
')
########################################
##
## Send and receive pgpkeyserver_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
# Composite: expands to the send and the receive interface, giving packet
# send and recv on pgpkeyserver_server_packet_t. Effective only for packets
# labeled with that type; relabelto is not included.
# The policy_temp / policy_call_depth lines are call-depth bookkeeping only.
define(`corenet_sendrecv_pgpkeyserver_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pgpkeyserver_server_packets'($*)) dnl
corenet_send_pgpkeyserver_server_packets($1)
corenet_receive_pgpkeyserver_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pgpkeyserver_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive pgpkeyserver_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
# Composite dontaudit: silences denial records for packet send and recv on
# pgpkeyserver_server_packet_t. Grants nothing and drops the audit evidence,
# so reserve it for denials that are understood and harmless.
# The policy_temp / policy_call_depth lines are call-depth bookkeeping only.
define(`corenet_dontaudit_sendrecv_pgpkeyserver_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pgpkeyserver_server_packets'($*)) dnl
corenet_dontaudit_send_pgpkeyserver_server_packets($1)
corenet_dontaudit_receive_pgpkeyserver_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pgpkeyserver_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the pgpkeyserver_server packet type.
##
##
##
## Domain allowed access.
##
##
#
# Grants packet relabelto to pgpkeyserver_server_packet_t. A labeling
# privilege, not a traffic permission: the domain may assign this packet
# label. Since a relabeling domain can move packets across packet-level
# boundaries, keep it to the domain that manages packet-labeling rules.
# The policy_temp / policy_call_depth lines are call-depth bookkeeping only.
define(`corenet_relabelto_pgpkeyserver_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pgpkeyserver_server_packets'($*)) dnl
gen_require(`
type pgpkeyserver_server_packet_t;
')
allow $1 pgpkeyserver_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pgpkeyserver_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the pop port.
##
##
##
## Domain allowed access.
##
##
##
#
# Grants tcp_socket send_msg and recv_msg on pop_port_t: traffic on the pop
# port once a socket exists. Neither name_bind nor name_connect is included;
# pair it with the bind or connect interface as appropriate.
# The policy_temp / policy_call_depth lines are call-depth bookkeeping only.
define(`corenet_tcp_sendrecv_pop_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_pop_port'($*)) dnl
gen_require(`
type pop_port_t;
')
allow $1 pop_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_pop_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the pop port.
##
##
##
## Domain allowed access.
##
##
##
#
# Grants only udp_socket send_msg on pop_port_t. Receiving is a separate
# interface; name_bind is not included.
# The policy_temp / policy_call_depth lines are call-depth bookkeeping only.
define(`corenet_udp_send_pop_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_pop_port'($*)) dnl
gen_require(`
type pop_port_t;
')
allow $1 pop_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_pop_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the pop port.
##
##
##
## Domain to not audit.
##
##
##
#
# Suppresses the AVC denial record for udp_socket send_msg on pop_port_t.
# Grants nothing; the access stays denied. Use only for known-harmless noise,
# since it hides the attempt from audit-based detection.
# The policy_temp / policy_call_depth lines are call-depth bookkeeping only.
define(`corenet_dontaudit_udp_send_pop_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_pop_port'($*)) dnl
gen_require(`
type pop_port_t;
')
dontaudit $1 pop_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_pop_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the pop port.
##
##
##
## Domain allowed access.
##
##
##
#
# Grants only udp_socket recv_msg on pop_port_t. Sending is a separate
# interface; name_bind is not included.
# The policy_temp / policy_call_depth lines are call-depth bookkeeping only.
define(`corenet_udp_receive_pop_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_pop_port'($*)) dnl
gen_require(`
type pop_port_t;
')
allow $1 pop_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_pop_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the pop port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_pop_port',` dnl
dnl corenet_dontaudit_udp_receive_pop_port(domain): suppress AVC denial
dnl records for argument 1 receiving UDP traffic on the pop port. Grants
dnl nothing; reserve it for denials known to be benign noise, since the same
dnl denial caused by real misuse is silenced too.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_pop_port'($*)) dnl
gen_require(`
type pop_port_t;
')
dontaudit $1 pop_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_pop_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the pop port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_pop_port',` dnl
dnl corenet_udp_sendrecv_pop_port(domain): composite of the UDP send and
dnl receive interfaces for the pop port. It carries no gen_require of its
dnl own because each callee declares pop_port_t itself.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_pop_port'($*)) dnl
corenet_udp_send_pop_port($1)
corenet_udp_receive_pop_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_pop_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the pop port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_pop_port',` dnl
dnl corenet_dontaudit_udp_sendrecv_pop_port(domain): composite of the two
dnl UDP dontaudit interfaces for the pop port. Silences both the send and
dnl the receive denial for argument 1; grants no access.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_pop_port'($*)) dnl
corenet_dontaudit_udp_send_pop_port($1)
corenet_dontaudit_udp_receive_pop_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_pop_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the pop port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_pop_port',` dnl
dnl corenet_tcp_bind_pop_port(domain): allow argument 1 to bind TCP sockets
dnl to the pop port (name_bind on tcp_socket objects labeled pop_port_t).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_pop_port'($*)) dnl
gen_require(`
type pop_port_t;
')
allow $1 pop_port_t:tcp_socket name_bind;
dnl net_bind_service is a process-wide capability: it permits binding any
dnl port below 1024, not only this one, so it is wider than the name_bind
dnl rule above. It is granted here presumably because the pop port numbers
dnl are in the privileged range; callers should be aware they inherit it.
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_pop_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the pop port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_pop_port',` dnl
dnl corenet_udp_bind_pop_port(domain): allow argument 1 to bind UDP sockets
dnl to the pop port (name_bind on udp_socket objects labeled pop_port_t).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_pop_port'($*)) dnl
gen_require(`
type pop_port_t;
')
allow $1 pop_port_t:udp_socket name_bind;
dnl As with the TCP variant, net_bind_service covers every port below 1024,
dnl not just this one; the grant is wider than the name_bind rule above.
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_pop_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the pop port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_pop_port',` dnl
dnl corenet_tcp_connect_pop_port(domain): allow argument 1 to initiate TCP
dnl connections to the pop port (name_connect on tcp_socket objects labeled
dnl pop_port_t). Note this is connect only; sending and receiving on the
dnl established socket is governed by the tcp_sendrecv interface.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_pop_port'($*)) dnl
gen_require(`
type pop_port_t;
')
allow $1 pop_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_pop_port'($*)) dnl
')
########################################
##
## Send pop_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_pop_client_packets',` dnl
dnl corenet_send_pop_client_packets(domain): allow argument 1 to send packets
dnl labeled pop_client_packet_t. Packet class checks only apply to traffic
dnl that actually carries a label (e.g. via SECMARK); unlabeled traffic is
dnl not affected by this rule.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pop_client_packets'($*)) dnl
gen_require(`
type pop_client_packet_t;
')
allow $1 pop_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pop_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send pop_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_pop_client_packets',` dnl
dnl corenet_dontaudit_send_pop_client_packets(domain): suppress AVC denial
dnl records for argument 1 sending pop_client_packet_t packets. Grants
dnl nothing; use only where the denial is known to be harmless noise.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pop_client_packets'($*)) dnl
gen_require(`
type pop_client_packet_t;
')
dontaudit $1 pop_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pop_client_packets'($*)) dnl
')
########################################
##
## Receive pop_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_pop_client_packets',` dnl
dnl corenet_receive_pop_client_packets(domain): allow argument 1 to receive
dnl packets labeled pop_client_packet_t (packet class, recv permission).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pop_client_packets'($*)) dnl
gen_require(`
type pop_client_packet_t;
')
allow $1 pop_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pop_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive pop_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_pop_client_packets',` dnl
dnl corenet_dontaudit_receive_pop_client_packets(domain): suppress AVC denial
dnl records for argument 1 receiving pop_client_packet_t packets. Grants
dnl nothing; the parameter is the domain to not audit.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pop_client_packets'($*)) dnl
gen_require(`
type pop_client_packet_t;
')
dontaudit $1 pop_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pop_client_packets'($*)) dnl
')
########################################
##
## Send and receive pop_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_pop_client_packets',` dnl
dnl corenet_sendrecv_pop_client_packets(domain): composite of the send and
dnl receive interfaces for pop_client_packet_t. No gen_require here because
dnl each callee declares the packet type itself.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pop_client_packets'($*)) dnl
corenet_send_pop_client_packets($1)
corenet_receive_pop_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pop_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive pop_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_pop_client_packets',` dnl
dnl corenet_dontaudit_sendrecv_pop_client_packets(domain): composite of the
dnl send and receive dontaudit interfaces for pop_client_packet_t. Silences
dnl both denials for argument 1; grants no access.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pop_client_packets'($*)) dnl
corenet_dontaudit_send_pop_client_packets($1)
corenet_dontaudit_receive_pop_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pop_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the pop_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_pop_client_packets',` dnl
dnl corenet_relabelto_pop_client_packets(domain): allow argument 1 to change a
dnl packet label to pop_client_packet_t. This is a label-assigning permission,
dnl distinct from send/recv: whoever holds it can make packets appear as
dnl pop_client traffic to every other packet rule, so it belongs only to the
dnl component that applies packet labels, not to ordinary clients or servers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pop_client_packets'($*)) dnl
gen_require(`
type pop_client_packet_t;
')
allow $1 pop_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pop_client_packets'($*)) dnl
')
########################################
##
## Send pop_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_pop_server_packets',` dnl
dnl corenet_send_pop_server_packets(domain): allow argument 1 to send packets
dnl labeled pop_server_packet_t. Only labeled traffic is subject to packet
dnl class checks; unlabeled traffic is unaffected.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pop_server_packets'($*)) dnl
gen_require(`
type pop_server_packet_t;
')
allow $1 pop_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pop_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send pop_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_pop_server_packets',` dnl
dnl corenet_dontaudit_send_pop_server_packets(domain): suppress AVC denial
dnl records for argument 1 sending pop_server_packet_t packets. Grants
dnl nothing; use only where the denial is known to be harmless noise.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pop_server_packets'($*)) dnl
gen_require(`
type pop_server_packet_t;
')
dontaudit $1 pop_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pop_server_packets'($*)) dnl
')
########################################
##
## Receive pop_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_pop_server_packets',` dnl
dnl corenet_receive_pop_server_packets(domain): allow argument 1 to receive
dnl packets labeled pop_server_packet_t (packet class, recv permission).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pop_server_packets'($*)) dnl
gen_require(`
type pop_server_packet_t;
')
allow $1 pop_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pop_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive pop_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_pop_server_packets',` dnl
dnl corenet_dontaudit_receive_pop_server_packets(domain): suppress AVC denial
dnl records for argument 1 receiving pop_server_packet_t packets. Grants
dnl nothing; the parameter is the domain to not audit.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pop_server_packets'($*)) dnl
gen_require(`
type pop_server_packet_t;
')
dontaudit $1 pop_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pop_server_packets'($*)) dnl
')
########################################
##
## Send and receive pop_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_pop_server_packets',` dnl
dnl corenet_sendrecv_pop_server_packets(domain): composite of the send and
dnl receive interfaces for pop_server_packet_t. No gen_require here because
dnl each callee declares the packet type itself.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pop_server_packets'($*)) dnl
corenet_send_pop_server_packets($1)
corenet_receive_pop_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pop_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive pop_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_pop_server_packets',` dnl
dnl corenet_dontaudit_sendrecv_pop_server_packets(domain): composite of the
dnl send and receive dontaudit interfaces for pop_server_packet_t. Silences
dnl both denials for argument 1; grants no access.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pop_server_packets'($*)) dnl
corenet_dontaudit_send_pop_server_packets($1)
corenet_dontaudit_receive_pop_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pop_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the pop_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_pop_server_packets',` dnl
dnl corenet_relabelto_pop_server_packets(domain): allow argument 1 to change a
dnl packet label to pop_server_packet_t. A label-assigning permission rather
dnl than a traffic permission; holders can make packets appear as pop_server
dnl traffic to every other packet rule, so restrict it to the component that
dnl applies packet labels.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pop_server_packets'($*)) dnl
gen_require(`
type pop_server_packet_t;
')
allow $1 pop_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pop_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the portmap port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_portmap_port',` dnl
dnl corenet_tcp_sendrecv_portmap_port(domain): allow argument 1 to send and
dnl receive on TCP sockets labeled portmap_port_t. This does not include
dnl name_connect or name_bind; those are separate interfaces below.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_portmap_port'($*)) dnl
gen_require(`
type portmap_port_t;
')
allow $1 portmap_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_portmap_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the portmap port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_portmap_port',` dnl
dnl corenet_udp_send_portmap_port(domain): allow argument 1 to send UDP
dnl traffic on the portmap port (send_msg on udp_socket objects labeled
dnl portmap_port_t).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_portmap_port'($*)) dnl
gen_require(`
type portmap_port_t;
')
allow $1 portmap_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_portmap_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the portmap port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_portmap_port',` dnl
dnl corenet_dontaudit_udp_send_portmap_port(domain): suppress AVC denial
dnl records for argument 1 sending UDP traffic on the portmap port. Grants
dnl nothing; use only for denials known to be harmless noise, since real
dnl misuse of the same permission is hidden from the audit log as well.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_portmap_port'($*)) dnl
gen_require(`
type portmap_port_t;
')
dontaudit $1 portmap_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_portmap_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the portmap port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_portmap_port',` dnl
dnl corenet_udp_receive_portmap_port(domain): allow argument 1 to receive UDP
dnl traffic on the portmap port (recv_msg on udp_socket objects labeled
dnl portmap_port_t).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_portmap_port'($*)) dnl
gen_require(`
type portmap_port_t;
')
allow $1 portmap_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_portmap_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the portmap port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_portmap_port',` dnl
dnl corenet_dontaudit_udp_receive_portmap_port(domain): suppress AVC denial
dnl records for argument 1 receiving UDP traffic on the portmap port. Grants
dnl nothing; reserve it for denials known to be benign noise.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_portmap_port'($*)) dnl
gen_require(`
type portmap_port_t;
')
dontaudit $1 portmap_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_portmap_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the portmap port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_portmap_port',` dnl
dnl corenet_udp_sendrecv_portmap_port(domain): composite of the UDP send and
dnl receive interfaces for the portmap port. No gen_require here because
dnl each callee declares portmap_port_t itself.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_portmap_port'($*)) dnl
corenet_udp_send_portmap_port($1)
corenet_udp_receive_portmap_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_portmap_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the portmap port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_portmap_port',` dnl
dnl corenet_dontaudit_udp_sendrecv_portmap_port(domain): composite of the two
dnl UDP dontaudit interfaces for the portmap port. Silences both the send
dnl and the receive denial for argument 1; grants no access.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_portmap_port'($*)) dnl
corenet_dontaudit_udp_send_portmap_port($1)
corenet_dontaudit_udp_receive_portmap_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_portmap_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the portmap port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_portmap_port',` dnl
dnl corenet_tcp_bind_portmap_port(domain): allow argument 1 to bind TCP
dnl sockets to the portmap port (name_bind on tcp_socket objects labeled
dnl portmap_port_t).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_portmap_port'($*)) dnl
gen_require(`
type portmap_port_t;
')
allow $1 portmap_port_t:tcp_socket name_bind;
dnl net_bind_service is a process-wide capability covering every port below
dnl 1024, so this grant is wider than the name_bind rule above. It is
dnl presumably here because the portmap port number is in the privileged
dnl range; callers of this interface should know they inherit it.
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_portmap_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the portmap port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_portmap_port',` dnl
dnl corenet_udp_bind_portmap_port(domain): allow argument 1 to bind UDP
dnl sockets to the portmap port (name_bind on udp_socket objects labeled
dnl portmap_port_t).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_portmap_port'($*)) dnl
gen_require(`
type portmap_port_t;
')
allow $1 portmap_port_t:udp_socket name_bind;
dnl As with the TCP variant, net_bind_service covers every port below 1024,
dnl not just this one; the grant is wider than the name_bind rule above.
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_portmap_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the portmap port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_portmap_port',` dnl
dnl corenet_tcp_connect_portmap_port(domain): allow argument 1 to initiate
dnl TCP connections to the portmap port (name_connect on tcp_socket objects
dnl labeled portmap_port_t). Connect only; data transfer on the established
dnl socket is governed by the tcp_sendrecv interface.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_portmap_port'($*)) dnl
gen_require(`
type portmap_port_t;
')
allow $1 portmap_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_portmap_port'($*)) dnl
')
########################################
##
## Send portmap_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_portmap_client_packets',` dnl
dnl corenet_send_portmap_client_packets(domain): allow argument 1 to send
dnl packets labeled portmap_client_packet_t. Packet class checks apply only
dnl to traffic that carries a label (e.g. via SECMARK).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_portmap_client_packets'($*)) dnl
gen_require(`
type portmap_client_packet_t;
')
allow $1 portmap_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_portmap_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send portmap_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_portmap_client_packets',` dnl
dnl corenet_dontaudit_send_portmap_client_packets(domain): suppress AVC denial
dnl records for argument 1 sending portmap_client_packet_t packets. Grants
dnl nothing; use only where the denial is known to be harmless noise.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_portmap_client_packets'($*)) dnl
gen_require(`
type portmap_client_packet_t;
')
dontaudit $1 portmap_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_portmap_client_packets'($*)) dnl
')
########################################
##
## Receive portmap_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_portmap_client_packets',` dnl
dnl corenet_receive_portmap_client_packets(domain): allow argument 1 to
dnl receive packets labeled portmap_client_packet_t (packet class, recv).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_portmap_client_packets'($*)) dnl
gen_require(`
type portmap_client_packet_t;
')
allow $1 portmap_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_portmap_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive portmap_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_portmap_client_packets',` dnl
dnl corenet_dontaudit_receive_portmap_client_packets(domain): suppress AVC
dnl denial records for argument 1 receiving portmap_client_packet_t packets.
dnl Grants nothing; the parameter is the domain to not audit.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_portmap_client_packets'($*)) dnl
gen_require(`
type portmap_client_packet_t;
')
dontaudit $1 portmap_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_portmap_client_packets'($*)) dnl
')
########################################
##
## Send and receive portmap_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_portmap_client_packets',` dnl
dnl corenet_sendrecv_portmap_client_packets(domain): composite of the send
dnl and receive interfaces for portmap_client_packet_t. No gen_require here
dnl because each callee declares the packet type itself.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_portmap_client_packets'($*)) dnl
corenet_send_portmap_client_packets($1)
corenet_receive_portmap_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_portmap_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive portmap_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_portmap_client_packets',` dnl
dnl corenet_dontaudit_sendrecv_portmap_client_packets(domain): composite of
dnl the send and receive dontaudit interfaces for portmap_client_packet_t.
dnl Silences both denials for argument 1; grants no access.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_portmap_client_packets'($*)) dnl
corenet_dontaudit_send_portmap_client_packets($1)
corenet_dontaudit_receive_portmap_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_portmap_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the portmap_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_portmap_client_packets',` dnl
dnl corenet_relabelto_portmap_client_packets(domain): allow argument 1 to
dnl change a packet label to portmap_client_packet_t. This is a label-assigning
dnl permission, not a traffic permission: holders can make packets appear as
dnl portmap_client traffic to every other packet rule, so restrict it to the
dnl component that applies packet labels.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_portmap_client_packets'($*)) dnl
gen_require(`
type portmap_client_packet_t;
')
allow $1 portmap_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_portmap_client_packets'($*)) dnl
')
########################################
##
## Send portmap_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_portmap_server_packets',` dnl
dnl corenet_send_portmap_server_packets(domain): allow argument 1 to send
dnl packets labeled portmap_server_packet_t. Only labeled traffic is subject
dnl to packet class checks.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_portmap_server_packets'($*)) dnl
gen_require(`
type portmap_server_packet_t;
')
allow $1 portmap_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_portmap_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send portmap_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_portmap_server_packets',` dnl
dnl corenet_dontaudit_send_portmap_server_packets(domain): suppress AVC denial
dnl records for argument 1 sending portmap_server_packet_t packets. Grants
dnl nothing; use only where the denial is known to be harmless noise.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_portmap_server_packets'($*)) dnl
gen_require(`
type portmap_server_packet_t;
')
dontaudit $1 portmap_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_portmap_server_packets'($*)) dnl
')
########################################
##
## Receive portmap_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_portmap_server_packets',` dnl
dnl corenet_receive_portmap_server_packets(domain): allow argument 1 to
dnl receive packets labeled portmap_server_packet_t (packet class, recv).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_portmap_server_packets'($*)) dnl
gen_require(`
type portmap_server_packet_t;
')
allow $1 portmap_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_portmap_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive portmap_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_portmap_server_packets',` dnl
dnl corenet_dontaudit_receive_portmap_server_packets(domain): suppress AVC
dnl denial records for argument 1 receiving portmap_server_packet_t packets.
dnl Grants nothing; the parameter is the domain to not audit.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_portmap_server_packets'($*)) dnl
gen_require(`
type portmap_server_packet_t;
')
dontaudit $1 portmap_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_portmap_server_packets'($*)) dnl
')
########################################
##
## Send and receive portmap_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_portmap_server_packets',` dnl
dnl corenet_sendrecv_portmap_server_packets(domain): composite of the send
dnl and receive interfaces for portmap_server_packet_t. No gen_require here
dnl because each callee declares the packet type itself.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_portmap_server_packets'($*)) dnl
corenet_send_portmap_server_packets($1)
corenet_receive_portmap_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_portmap_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive portmap_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_portmap_server_packets',` dnl
dnl corenet_dontaudit_sendrecv_portmap_server_packets(domain): composite of
dnl the send and receive dontaudit interfaces for portmap_server_packet_t.
dnl Silences both denials for argument 1; grants no access.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_portmap_server_packets'($*)) dnl
corenet_dontaudit_send_portmap_server_packets($1)
corenet_dontaudit_receive_portmap_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_portmap_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the portmap_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_portmap_server_packets',` dnl
dnl corenet_relabelto_portmap_server_packets(domain): allow argument 1 to
dnl change a packet label to portmap_server_packet_t. A label-assigning
dnl permission rather than a traffic permission; holders can make packets
dnl appear as portmap_server traffic to every other packet rule, so restrict
dnl it to the component that applies packet labels.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_portmap_server_packets'($*)) dnl
gen_require(`
type portmap_server_packet_t;
')
allow $1 portmap_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_portmap_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the postgresql port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_postgresql_port',` dnl
dnl corenet_tcp_sendrecv_postgresql_port(domain): allow argument 1 to send and
dnl receive on TCP sockets labeled postgresql_port_t. Does not include
dnl name_connect or name_bind, which are separate interfaces.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_postgresql_port'($*)) dnl
gen_require(`
type postgresql_port_t;
')
allow $1 postgresql_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_postgresql_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the postgresql port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_postgresql_port',` dnl
dnl Allows send_msg on postgresql_port_t UDP sockets (outbound datagrams).
dnl NOTE(review): per-port send_msg is a legacy check, presumably unused once
dnl network_peer_controls is enabled -- confirm on the target kernel.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_postgresql_port'($*)) dnl
gen_require(`
type postgresql_port_t;
')
allow $1 postgresql_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_postgresql_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the postgresql port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_postgresql_port',` dnl
dnl Suppresses AVC records for denied send_msg on postgresql_port_t UDP sockets.
dnl The access remains denied; only the audit noise is removed.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_postgresql_port'($*)) dnl
gen_require(`
type postgresql_port_t;
')
dontaudit $1 postgresql_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_postgresql_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the postgresql port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_postgresql_port',` dnl
dnl Allows recv_msg on postgresql_port_t UDP sockets (inbound datagrams).
dnl NOTE(review): per-port recv_msg is a legacy check, presumably unused once
dnl network_peer_controls is enabled -- confirm on the target kernel.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_postgresql_port'($*)) dnl
gen_require(`
type postgresql_port_t;
')
allow $1 postgresql_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_postgresql_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the postgresql port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_postgresql_port',` dnl
dnl Suppresses AVC records for denied recv_msg on postgresql_port_t UDP sockets.
dnl The access remains denied; only the audit noise is removed.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_postgresql_port'($*)) dnl
gen_require(`
type postgresql_port_t;
')
dontaudit $1 postgresql_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_postgresql_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the postgresql port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_postgresql_port',` dnl
dnl Composite: chains the UDP send and receive interfaces for postgresql_port_t.
dnl Each callee carries its own gen_require, so nothing extra is required here.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_postgresql_port'($*)) dnl
corenet_udp_send_postgresql_port($1)
corenet_udp_receive_postgresql_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_postgresql_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the postgresql port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_postgresql_port',` dnl
dnl Composite: chains the UDP send and receive dontaudit interfaces for
dnl postgresql_port_t. Silences denial records only; access stays denied.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_postgresql_port'($*)) dnl
corenet_dontaudit_udp_send_postgresql_port($1)
corenet_dontaudit_udp_receive_postgresql_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_postgresql_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the postgresql port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_postgresql_port',` dnl
dnl Allows name_bind on postgresql_port_t: the domain may bind() a TCP socket
dnl to the postgresql port, i.e. act as the listener. This is the check the
dnl kernel enforces at bind time, so grant it only to the real server domain.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_postgresql_port'($*)) dnl
gen_require(`
type postgresql_port_t;
')
allow $1 postgresql_port_t:tcp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_postgresql_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the postgresql port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_postgresql_port',` dnl
dnl Allows name_bind on postgresql_port_t for UDP sockets: the domain may
dnl bind() a datagram socket to the postgresql port. Enforced at bind time.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_postgresql_port'($*)) dnl
gen_require(`
type postgresql_port_t;
')
allow $1 postgresql_port_t:udp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_postgresql_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the postgresql port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_postgresql_port',` dnl
dnl Allows name_connect on postgresql_port_t: the client side of a TCP
dnl connect() to the postgresql port. This is the effective control over
dnl which domains may reach the database listener; keep the caller list tight.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_postgresql_port'($*)) dnl
gen_require(`
type postgresql_port_t;
')
allow $1 postgresql_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_postgresql_port'($*)) dnl
')
########################################
##
## Send postgresql_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_postgresql_client_packets',` dnl
dnl Allows send on postgresql_client_packet_t (packet class). Packet checks
dnl apply only to traffic that SECMARK/netfilter rules have labelled with this
dnl type; without such rules the permission has no practical effect.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_postgresql_client_packets'($*)) dnl
gen_require(`
type postgresql_client_packet_t;
')
allow $1 postgresql_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_postgresql_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send postgresql_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_postgresql_client_packets',` dnl
dnl Suppresses AVC records for denied send of postgresql_client_packet_t.
dnl Relevant only where SECMARK labels traffic with this type; access stays denied.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_postgresql_client_packets'($*)) dnl
gen_require(`
type postgresql_client_packet_t;
')
dontaudit $1 postgresql_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_postgresql_client_packets'($*)) dnl
')
########################################
##
## Receive postgresql_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_postgresql_client_packets',` dnl
dnl Allows recv on postgresql_client_packet_t (packet class). Only enforced
dnl for traffic SECMARK rules have labelled with this type.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_postgresql_client_packets'($*)) dnl
gen_require(`
type postgresql_client_packet_t;
')
allow $1 postgresql_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_postgresql_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive postgresql_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_postgresql_client_packets',` dnl
dnl Suppresses AVC records for denied recv of postgresql_client_packet_t.
dnl Relevant only where SECMARK labels traffic with this type; access stays denied.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_postgresql_client_packets'($*)) dnl
gen_require(`
type postgresql_client_packet_t;
')
dontaudit $1 postgresql_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_postgresql_client_packets'($*)) dnl
')
########################################
##
## Send and receive postgresql_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_postgresql_client_packets',` dnl
dnl Composite: chains the send and receive interfaces for
dnl postgresql_client_packet_t; each callee carries its own gen_require.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_postgresql_client_packets'($*)) dnl
corenet_send_postgresql_client_packets($1)
corenet_receive_postgresql_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_postgresql_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive postgresql_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_postgresql_client_packets',` dnl
dnl Composite: chains the send and receive dontaudit interfaces for
dnl postgresql_client_packet_t. Silences denial records only; access stays denied.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_postgresql_client_packets'($*)) dnl
corenet_dontaudit_send_postgresql_client_packets($1)
corenet_dontaudit_receive_postgresql_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_postgresql_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the postgresql_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_postgresql_client_packets',` dnl
dnl Grants relabelto on postgresql_client_packet_t (packet class): the right
dnl to assign this SECMARK label to traffic. Presumably only firewall
dnl management tooling needs it; ordinary clients do not -- confirm per caller.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_postgresql_client_packets'($*)) dnl
gen_require(`
type postgresql_client_packet_t;
')
allow $1 postgresql_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_postgresql_client_packets'($*)) dnl
')
########################################
##
## Send postgresql_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_postgresql_server_packets',` dnl
dnl Allows send on postgresql_server_packet_t (packet class). Only enforced
dnl for traffic SECMARK/netfilter rules have labelled with this type.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_postgresql_server_packets'($*)) dnl
gen_require(`
type postgresql_server_packet_t;
')
allow $1 postgresql_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_postgresql_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send postgresql_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_postgresql_server_packets',` dnl
dnl Suppresses AVC records for denied send of postgresql_server_packet_t.
dnl Relevant only where SECMARK labels traffic with this type; access stays denied.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_postgresql_server_packets'($*)) dnl
gen_require(`
type postgresql_server_packet_t;
')
dontaudit $1 postgresql_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_postgresql_server_packets'($*)) dnl
')
########################################
##
## Receive postgresql_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_postgresql_server_packets',` dnl
dnl Allows recv on postgresql_server_packet_t (packet class). Only enforced
dnl for traffic SECMARK rules have labelled with this type.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_postgresql_server_packets'($*)) dnl
gen_require(`
type postgresql_server_packet_t;
')
allow $1 postgresql_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_postgresql_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive postgresql_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_postgresql_server_packets',` dnl
dnl Suppresses AVC records for denied recv of postgresql_server_packet_t.
dnl Relevant only where SECMARK labels traffic with this type; access stays denied.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_postgresql_server_packets'($*)) dnl
gen_require(`
type postgresql_server_packet_t;
')
dontaudit $1 postgresql_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_postgresql_server_packets'($*)) dnl
')
########################################
##
## Send and receive postgresql_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_postgresql_server_packets',` dnl
dnl Composite: chains the send and receive interfaces for
dnl postgresql_server_packet_t; each callee carries its own gen_require.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_postgresql_server_packets'($*)) dnl
corenet_send_postgresql_server_packets($1)
corenet_receive_postgresql_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_postgresql_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive postgresql_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_postgresql_server_packets',` dnl
dnl Composite: chains the send and receive dontaudit interfaces for
dnl postgresql_server_packet_t. Silences denial records only; access stays denied.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_postgresql_server_packets'($*)) dnl
corenet_dontaudit_send_postgresql_server_packets($1)
corenet_dontaudit_receive_postgresql_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_postgresql_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the postgresql_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_postgresql_server_packets',` dnl
dnl Grants relabelto on postgresql_server_packet_t (packet class): the right
dnl to assign this SECMARK label to traffic. Presumably only firewall
dnl management tooling needs it -- confirm per caller.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_postgresql_server_packets'($*)) dnl
gen_require(`
type postgresql_server_packet_t;
')
allow $1 postgresql_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_postgresql_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the postgrey port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_postgrey_port',` dnl
dnl Allows send_msg and recv_msg on postgrey_port_t TCP sockets.
dnl NOTE(review): per-port send_msg/recv_msg are legacy checks; with the
dnl network_peer_controls policy capability the kernel presumably skips them,
dnl leaving name_bind/name_connect as the effective port controls -- confirm.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_postgrey_port'($*)) dnl
gen_require(`
type postgrey_port_t;
')
allow $1 postgrey_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_postgrey_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the postgrey port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_postgrey_port',` dnl
dnl Allows send_msg on postgrey_port_t UDP sockets (outbound datagrams).
dnl NOTE(review): per-port send_msg is a legacy check, presumably unused once
dnl network_peer_controls is enabled -- confirm on the target kernel.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_postgrey_port'($*)) dnl
gen_require(`
type postgrey_port_t;
')
allow $1 postgrey_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_postgrey_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the postgrey port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_postgrey_port',` dnl
dnl Suppresses AVC records for denied send_msg on postgrey_port_t UDP sockets.
dnl The access remains denied; only the audit noise is removed.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_postgrey_port'($*)) dnl
gen_require(`
type postgrey_port_t;
')
dontaudit $1 postgrey_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_postgrey_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the postgrey port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_postgrey_port',` dnl
dnl Allows recv_msg on postgrey_port_t UDP sockets (inbound datagrams).
dnl NOTE(review): per-port recv_msg is a legacy check, presumably unused once
dnl network_peer_controls is enabled -- confirm on the target kernel.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_postgrey_port'($*)) dnl
gen_require(`
type postgrey_port_t;
')
allow $1 postgrey_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_postgrey_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the postgrey port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_postgrey_port',` dnl
dnl Suppresses AVC records for denied recv_msg on postgrey_port_t UDP sockets.
dnl The access remains denied; only the audit noise is removed.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_postgrey_port'($*)) dnl
gen_require(`
type postgrey_port_t;
')
dontaudit $1 postgrey_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_postgrey_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the postgrey port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_postgrey_port',` dnl
dnl Composite: chains the UDP send and receive interfaces for postgrey_port_t.
dnl Each callee carries its own gen_require, so nothing extra is required here.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_postgrey_port'($*)) dnl
corenet_udp_send_postgrey_port($1)
corenet_udp_receive_postgrey_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_postgrey_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the postgrey port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_postgrey_port',` dnl
dnl Composite: chains the UDP send and receive dontaudit interfaces for
dnl postgrey_port_t. Silences denial records only; access stays denied.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_postgrey_port'($*)) dnl
corenet_dontaudit_udp_send_postgrey_port($1)
corenet_dontaudit_udp_receive_postgrey_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_postgrey_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the postgrey port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_postgrey_port',` dnl
dnl Allows name_bind on postgrey_port_t: the domain may bind() a TCP socket
dnl to the postgrey port, i.e. act as the listener. Enforced at bind time, so
dnl grant it only to the real server domain.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_postgrey_port'($*)) dnl
gen_require(`
type postgrey_port_t;
')
allow $1 postgrey_port_t:tcp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_postgrey_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the postgrey port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_postgrey_port',` dnl
dnl Allows name_bind on postgrey_port_t for UDP sockets: the domain may
dnl bind() a datagram socket to the postgrey port. Enforced at bind time.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_postgrey_port'($*)) dnl
gen_require(`
type postgrey_port_t;
')
allow $1 postgrey_port_t:udp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_postgrey_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the postgrey port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_postgrey_port',` dnl
dnl Allows name_connect on postgrey_port_t: the client side of a TCP
dnl connect() to the postgrey port. This is the effective control over which
dnl domains may reach the greylisting listener; keep the caller list tight.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_postgrey_port'($*)) dnl
gen_require(`
type postgrey_port_t;
')
allow $1 postgrey_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_postgrey_port'($*)) dnl
')
########################################
##
## Send postgrey_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_postgrey_client_packets',` dnl
dnl Allows send on postgrey_client_packet_t (packet class). Packet checks
dnl apply only to traffic that SECMARK/netfilter rules have labelled with this
dnl type; without such rules the permission has no practical effect.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_postgrey_client_packets'($*)) dnl
gen_require(`
type postgrey_client_packet_t;
')
allow $1 postgrey_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_postgrey_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send postgrey_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_postgrey_client_packets',` dnl
dnl Suppresses AVC records for denied send of postgrey_client_packet_t.
dnl Relevant only where SECMARK labels traffic with this type; access stays denied.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_postgrey_client_packets'($*)) dnl
gen_require(`
type postgrey_client_packet_t;
')
dontaudit $1 postgrey_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_postgrey_client_packets'($*)) dnl
')
########################################
##
## Receive postgrey_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_postgrey_client_packets',` dnl
dnl Allows recv on postgrey_client_packet_t (packet class). Only enforced
dnl for traffic SECMARK rules have labelled with this type.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_postgrey_client_packets'($*)) dnl
gen_require(`
type postgrey_client_packet_t;
')
allow $1 postgrey_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_postgrey_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive postgrey_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_postgrey_client_packets',` dnl
dnl Suppresses AVC records for denied recv of postgrey_client_packet_t.
dnl Relevant only where SECMARK labels traffic with this type; access stays denied.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_postgrey_client_packets'($*)) dnl
gen_require(`
type postgrey_client_packet_t;
')
dontaudit $1 postgrey_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_postgrey_client_packets'($*)) dnl
')
########################################
##
## Send and receive postgrey_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_postgrey_client_packets',` dnl
dnl Composite: chains the send and receive interfaces for
dnl postgrey_client_packet_t; each callee carries its own gen_require.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_postgrey_client_packets'($*)) dnl
corenet_send_postgrey_client_packets($1)
corenet_receive_postgrey_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_postgrey_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive postgrey_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_postgrey_client_packets',` dnl
dnl Composite: chains the send and receive dontaudit interfaces for
dnl postgrey_client_packet_t. Silences denial records only; access stays denied.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_postgrey_client_packets'($*)) dnl
corenet_dontaudit_send_postgrey_client_packets($1)
corenet_dontaudit_receive_postgrey_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_postgrey_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the postgrey_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_postgrey_client_packets',` dnl
dnl Grants relabelto on postgrey_client_packet_t (packet class): the right
dnl to assign this SECMARK label to traffic. Presumably only firewall
dnl management tooling needs it; ordinary clients do not -- confirm per caller.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_postgrey_client_packets'($*)) dnl
gen_require(`
type postgrey_client_packet_t;
')
allow $1 postgrey_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_postgrey_client_packets'($*)) dnl
')
########################################
##
## Send postgrey_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_postgrey_server_packets',` dnl
dnl Allows send on postgrey_server_packet_t (packet class). Only enforced
dnl for traffic SECMARK/netfilter rules have labelled with this type.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_postgrey_server_packets'($*)) dnl
gen_require(`
type postgrey_server_packet_t;
')
allow $1 postgrey_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_postgrey_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send postgrey_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_postgrey_server_packets',` dnl
dnl Suppresses AVC records for denied send of postgrey_server_packet_t.
dnl Relevant only where SECMARK labels traffic with this type; access stays denied.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_postgrey_server_packets'($*)) dnl
gen_require(`
type postgrey_server_packet_t;
')
dontaudit $1 postgrey_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_postgrey_server_packets'($*)) dnl
')
########################################
##
## Receive postgrey_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_postgrey_server_packets',` dnl
dnl Allows recv on postgrey_server_packet_t (packet class). Only enforced
dnl for traffic SECMARK rules have labelled with this type.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_postgrey_server_packets'($*)) dnl
gen_require(`
type postgrey_server_packet_t;
')
allow $1 postgrey_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_postgrey_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive postgrey_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_postgrey_server_packets',` dnl
dnl Suppresses AVC records for denied recv of postgrey_server_packet_t.
dnl Relevant only where SECMARK labels traffic with this type; access stays denied.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_postgrey_server_packets'($*)) dnl
gen_require(`
type postgrey_server_packet_t;
')
dontaudit $1 postgrey_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_postgrey_server_packets'($*)) dnl
')
########################################
##
## Send and receive postgrey_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_postgrey_server_packets',` dnl
dnl Interface: convenience wrapper granting both send and receive of
dnl postgrey_server_packet_t packets to the domain in arg 1. No gen_require
dnl here; each called interface carries its own.
dnl Call-depth bookkeeping for the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_postgrey_server_packets'($*)) dnl
corenet_send_postgrey_server_packets($1)
corenet_receive_postgrey_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_postgrey_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive postgrey_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_postgrey_server_packets',` dnl
dnl Interface: convenience wrapper silencing denials for both send and
dnl receive of postgrey_server_packet_t packets by the domain in arg 1.
dnl Grants nothing; only the audit records are suppressed.
dnl Call-depth bookkeeping for the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_postgrey_server_packets'($*)) dnl
corenet_dontaudit_send_postgrey_server_packets($1)
corenet_dontaudit_receive_postgrey_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_postgrey_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the postgrey_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_postgrey_server_packets',` dnl
dnl Interface: allow the domain in arg 1 to relabel packets to
dnl postgrey_server_packet_t. This is a labelling privilege, not a
dnl send/receive one; presumably meant for the domain that applies SECMARK
dnl labels rather than for ordinary network clients - confirm at call sites.
dnl Call-depth bookkeeping for the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_postgrey_server_packets'($*)) dnl
dnl gen_require optionally inserts a require block so the type is in scope.
gen_require(`
type postgrey_server_packet_t;
')
allow $1 postgrey_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_postgrey_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the prelude port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_prelude_port',` dnl
dnl Interface: allow the domain in arg 1 to send and receive TCP messages
dnl on ports labelled prelude_port_t. This is the port-type traffic check
dnl only; binding and connecting are separate interfaces below.
dnl Call-depth bookkeeping for the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_prelude_port'($*)) dnl
dnl gen_require optionally inserts a require block so the type is in scope.
gen_require(`
type prelude_port_t;
')
allow $1 prelude_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_prelude_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the prelude port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_prelude_port',` dnl
dnl Interface: allow the domain in arg 1 to send UDP messages on ports
dnl labelled prelude_port_t (send direction only).
dnl Call-depth bookkeeping for the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_prelude_port'($*)) dnl
dnl gen_require optionally inserts a require block so the type is in scope.
gen_require(`
type prelude_port_t;
')
allow $1 prelude_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_prelude_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the prelude port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_prelude_port',` dnl
dnl Interface: suppress the AVC audit record when the domain in arg 1 is
dnl denied sending UDP messages on prelude_port_t. dontaudit grants nothing;
dnl it only hides the denial from log-based monitoring.
dnl Call-depth bookkeeping for the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_prelude_port'($*)) dnl
dnl gen_require optionally inserts a require block so the type is in scope.
gen_require(`
type prelude_port_t;
')
dontaudit $1 prelude_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_prelude_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the prelude port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_prelude_port',` dnl
dnl Interface: allow the domain in arg 1 to receive UDP messages on ports
dnl labelled prelude_port_t (receive direction only).
dnl Call-depth bookkeeping for the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_prelude_port'($*)) dnl
dnl gen_require optionally inserts a require block so the type is in scope.
gen_require(`
type prelude_port_t;
')
allow $1 prelude_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_prelude_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the prelude port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_prelude_port',` dnl
dnl Interface: suppress the AVC audit record when the domain in arg 1 is
dnl denied receiving UDP messages on prelude_port_t. dontaudit grants
dnl nothing; it only hides the denial from log-based monitoring.
dnl Call-depth bookkeeping for the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_prelude_port'($*)) dnl
dnl gen_require optionally inserts a require block so the type is in scope.
gen_require(`
type prelude_port_t;
')
dontaudit $1 prelude_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_prelude_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the prelude port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_prelude_port',` dnl
dnl Interface: convenience wrapper granting both UDP send and receive on
dnl prelude_port_t to the domain in arg 1. No gen_require here; each called
dnl interface carries its own.
dnl Call-depth bookkeeping for the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_prelude_port'($*)) dnl
corenet_udp_send_prelude_port($1)
corenet_udp_receive_prelude_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_prelude_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the prelude port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_prelude_port',` dnl
dnl Interface: convenience wrapper silencing denials for both UDP send and
dnl receive on prelude_port_t by the domain in arg 1. Grants nothing; only
dnl the audit records are suppressed.
dnl Call-depth bookkeeping for the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_prelude_port'($*)) dnl
corenet_dontaudit_udp_send_prelude_port($1)
corenet_dontaudit_udp_receive_prelude_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_prelude_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the prelude port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_prelude_port',` dnl
dnl Interface: allow the domain in arg 1 to bind a TCP socket to a port
dnl labelled prelude_port_t (name_bind). Unlike the printer bind interfaces
dnl in this file, no net_bind_service capability is granted here.
dnl Call-depth bookkeeping for the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_prelude_port'($*)) dnl
dnl gen_require optionally inserts a require block so the type is in scope.
gen_require(`
type prelude_port_t;
')
allow $1 prelude_port_t:tcp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_prelude_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the prelude port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_prelude_port',` dnl
dnl Interface: allow the domain in arg 1 to bind a UDP socket to a port
dnl labelled prelude_port_t (name_bind). Unlike the printer bind interfaces
dnl in this file, no net_bind_service capability is granted here.
dnl Call-depth bookkeeping for the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_prelude_port'($*)) dnl
dnl gen_require optionally inserts a require block so the type is in scope.
gen_require(`
type prelude_port_t;
')
allow $1 prelude_port_t:udp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_prelude_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the prelude port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_prelude_port',` dnl
dnl Interface: allow the domain in arg 1 to make outbound TCP connections to
dnl a port labelled prelude_port_t (name_connect). There is no UDP
dnl counterpart in this file; name_connect is a TCP-side check.
dnl Call-depth bookkeeping for the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_prelude_port'($*)) dnl
dnl gen_require optionally inserts a require block so the type is in scope.
gen_require(`
type prelude_port_t;
')
allow $1 prelude_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_prelude_port'($*)) dnl
')
########################################
##
## Send prelude_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_prelude_client_packets',` dnl
dnl Interface: allow the domain in arg 1 to send packets labelled
dnl prelude_client_packet_t. Packet-class permissions are checked against
dnl SECMARK labels on the traffic, so this only takes effect where packets
dnl are labelled.
dnl Call-depth bookkeeping for the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_prelude_client_packets'($*)) dnl
dnl gen_require optionally inserts a require block so the type is in scope.
gen_require(`
type prelude_client_packet_t;
')
allow $1 prelude_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_prelude_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send prelude_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_prelude_client_packets',` dnl
dnl Interface: suppress the AVC audit record when the domain in arg 1 is
dnl denied sending packets labelled prelude_client_packet_t. dontaudit
dnl grants nothing; it only hides the denial from log-based monitoring.
dnl Call-depth bookkeeping for the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_prelude_client_packets'($*)) dnl
dnl gen_require optionally inserts a require block so the type is in scope.
gen_require(`
type prelude_client_packet_t;
')
dontaudit $1 prelude_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_prelude_client_packets'($*)) dnl
')
########################################
##
## Receive prelude_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_prelude_client_packets',` dnl
dnl Interface: allow the domain in arg 1 to receive packets labelled
dnl prelude_client_packet_t. Packet-class permissions are checked against
dnl SECMARK labels on the traffic, so this only takes effect where packets
dnl are labelled.
dnl Call-depth bookkeeping for the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_prelude_client_packets'($*)) dnl
dnl gen_require optionally inserts a require block so the type is in scope.
gen_require(`
type prelude_client_packet_t;
')
allow $1 prelude_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_prelude_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive prelude_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_prelude_client_packets',` dnl
dnl Interface: suppress the AVC audit record when the domain in arg 1 is
dnl denied receiving packets labelled prelude_client_packet_t. dontaudit
dnl grants nothing; it only hides the denial from log-based monitoring.
dnl Call-depth bookkeeping for the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_prelude_client_packets'($*)) dnl
dnl gen_require optionally inserts a require block so the type is in scope.
gen_require(`
type prelude_client_packet_t;
')
dontaudit $1 prelude_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_prelude_client_packets'($*)) dnl
')
########################################
##
## Send and receive prelude_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_prelude_client_packets',` dnl
dnl Interface: convenience wrapper granting both send and receive of
dnl prelude_client_packet_t packets to the domain in arg 1. No gen_require
dnl here; each called interface carries its own.
dnl Call-depth bookkeeping for the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_prelude_client_packets'($*)) dnl
corenet_send_prelude_client_packets($1)
corenet_receive_prelude_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_prelude_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive prelude_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_prelude_client_packets',` dnl
dnl Interface: convenience wrapper silencing denials for both send and
dnl receive of prelude_client_packet_t packets by the domain in arg 1.
dnl Grants nothing; only the audit records are suppressed.
dnl Call-depth bookkeeping for the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_prelude_client_packets'($*)) dnl
corenet_dontaudit_send_prelude_client_packets($1)
corenet_dontaudit_receive_prelude_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_prelude_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the prelude_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_prelude_client_packets',` dnl
dnl Interface: allow the domain in arg 1 to relabel packets to
dnl prelude_client_packet_t. This is a labelling privilege, not a
dnl send/receive one; presumably meant for the domain that applies SECMARK
dnl labels rather than for ordinary network clients - confirm at call sites.
dnl Call-depth bookkeeping for the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_prelude_client_packets'($*)) dnl
dnl gen_require optionally inserts a require block so the type is in scope.
gen_require(`
type prelude_client_packet_t;
')
allow $1 prelude_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_prelude_client_packets'($*)) dnl
')
########################################
##
## Send prelude_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_prelude_server_packets',` dnl
dnl Interface: allow the domain in arg 1 to send packets labelled
dnl prelude_server_packet_t. Packet-class permissions are checked against
dnl SECMARK labels on the traffic, so this only takes effect where packets
dnl are labelled.
dnl Call-depth bookkeeping for the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_prelude_server_packets'($*)) dnl
dnl gen_require optionally inserts a require block so the type is in scope.
gen_require(`
type prelude_server_packet_t;
')
allow $1 prelude_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_prelude_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send prelude_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_prelude_server_packets',` dnl
dnl Interface: suppress the AVC audit record when the domain in arg 1 is
dnl denied sending packets labelled prelude_server_packet_t. dontaudit
dnl grants nothing; it only hides the denial from log-based monitoring.
dnl Call-depth bookkeeping for the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_prelude_server_packets'($*)) dnl
dnl gen_require optionally inserts a require block so the type is in scope.
gen_require(`
type prelude_server_packet_t;
')
dontaudit $1 prelude_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_prelude_server_packets'($*)) dnl
')
########################################
##
## Receive prelude_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_prelude_server_packets',` dnl
dnl Interface: allow the domain in arg 1 to receive packets labelled
dnl prelude_server_packet_t. Packet-class permissions are checked against
dnl SECMARK labels on the traffic, so this only takes effect where packets
dnl are labelled.
dnl Call-depth bookkeeping for the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_prelude_server_packets'($*)) dnl
dnl gen_require optionally inserts a require block so the type is in scope.
gen_require(`
type prelude_server_packet_t;
')
allow $1 prelude_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_prelude_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive prelude_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_prelude_server_packets',` dnl
dnl Interface: suppress the AVC audit record when the domain in arg 1 is
dnl denied receiving packets labelled prelude_server_packet_t. dontaudit
dnl grants nothing; it only hides the denial from log-based monitoring.
dnl Call-depth bookkeeping for the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_prelude_server_packets'($*)) dnl
dnl gen_require optionally inserts a require block so the type is in scope.
gen_require(`
type prelude_server_packet_t;
')
dontaudit $1 prelude_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_prelude_server_packets'($*)) dnl
')
########################################
##
## Send and receive prelude_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_prelude_server_packets',` dnl
dnl Interface: convenience wrapper granting both send and receive of
dnl prelude_server_packet_t packets to the domain in arg 1. No gen_require
dnl here; each called interface carries its own.
dnl Call-depth bookkeeping for the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_prelude_server_packets'($*)) dnl
corenet_send_prelude_server_packets($1)
corenet_receive_prelude_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_prelude_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive prelude_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_prelude_server_packets',` dnl
dnl Interface: convenience wrapper silencing denials for both send and
dnl receive of prelude_server_packet_t packets by the domain in arg 1.
dnl Grants nothing; only the audit records are suppressed.
dnl Call-depth bookkeeping for the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_prelude_server_packets'($*)) dnl
corenet_dontaudit_send_prelude_server_packets($1)
corenet_dontaudit_receive_prelude_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_prelude_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the prelude_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_prelude_server_packets',` dnl
dnl Interface: allow the domain in arg 1 to relabel packets to
dnl prelude_server_packet_t. This is a labelling privilege, not a
dnl send/receive one; presumably meant for the domain that applies SECMARK
dnl labels rather than for ordinary network clients - confirm at call sites.
dnl Call-depth bookkeeping for the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_prelude_server_packets'($*)) dnl
dnl gen_require optionally inserts a require block so the type is in scope.
gen_require(`
type prelude_server_packet_t;
')
allow $1 prelude_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_prelude_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the printer port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_printer_port',` dnl
dnl Interface: allow the domain in arg 1 to send and receive TCP messages
dnl on ports labelled printer_port_t. This is the port-type traffic check
dnl only; binding and connecting are separate interfaces below.
dnl Call-depth bookkeeping for the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_printer_port'($*)) dnl
dnl gen_require optionally inserts a require block so the type is in scope.
gen_require(`
type printer_port_t;
')
allow $1 printer_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_printer_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the printer port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_printer_port',` dnl
dnl Interface: allow the domain in arg 1 to send UDP messages on ports
dnl labelled printer_port_t (send direction only).
dnl Call-depth bookkeeping for the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_printer_port'($*)) dnl
dnl gen_require optionally inserts a require block so the type is in scope.
gen_require(`
type printer_port_t;
')
allow $1 printer_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_printer_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the printer port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_printer_port',` dnl
dnl Interface: suppress the AVC audit record when the domain in arg 1 is
dnl denied sending UDP messages on printer_port_t. dontaudit grants nothing;
dnl it only hides the denial from log-based monitoring.
dnl Call-depth bookkeeping for the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_printer_port'($*)) dnl
dnl gen_require optionally inserts a require block so the type is in scope.
gen_require(`
type printer_port_t;
')
dontaudit $1 printer_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_printer_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the printer port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_printer_port',` dnl
dnl Interface: allow the domain in arg 1 to receive UDP messages on ports
dnl labelled printer_port_t (receive direction only).
dnl Call-depth bookkeeping for the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_printer_port'($*)) dnl
dnl gen_require optionally inserts a require block so the type is in scope.
gen_require(`
type printer_port_t;
')
allow $1 printer_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_printer_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the printer port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_printer_port',` dnl
dnl Interface: suppress the AVC audit record when the domain in arg 1 is
dnl denied receiving UDP messages on printer_port_t. dontaudit grants
dnl nothing; it only hides the denial from log-based monitoring.
dnl Call-depth bookkeeping for the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_printer_port'($*)) dnl
dnl gen_require optionally inserts a require block so the type is in scope.
gen_require(`
type printer_port_t;
')
dontaudit $1 printer_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_printer_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the printer port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_printer_port',` dnl
dnl Interface: convenience wrapper granting both UDP send and receive on
dnl printer_port_t to the domain in arg 1. No gen_require here; each called
dnl interface carries its own.
dnl Call-depth bookkeeping for the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_printer_port'($*)) dnl
corenet_udp_send_printer_port($1)
corenet_udp_receive_printer_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_printer_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the printer port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_printer_port',` dnl
dnl Interface: convenience wrapper silencing denials for both UDP send and
dnl receive on printer_port_t by the domain in arg 1. Grants nothing; only
dnl the audit records are suppressed.
dnl Call-depth bookkeeping for the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_printer_port'($*)) dnl
corenet_dontaudit_udp_send_printer_port($1)
corenet_dontaudit_udp_receive_printer_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_printer_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the printer port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_printer_port',` dnl
dnl Interface: allow the domain in arg 1 to bind a TCP socket to a port
dnl labelled printer_port_t (name_bind).
dnl NOTE(review): this interface ALSO grants the net_bind_service
dnl capability to the domain. That capability is process-wide and permits
dnl binding any privileged (low-numbered) port, not only the printer port,
dnl so the grant is broader than the interface name suggests; the prelude
dnl bind interfaces in this file do not grant it. Presumably the printer
dnl port lies in the privileged range - confirm against the port
dnl declaration before calling this from a domain that should not be able
dnl to claim other privileged ports.
dnl Call-depth bookkeeping for the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_printer_port'($*)) dnl
dnl gen_require optionally inserts a require block so the type is in scope.
gen_require(`
type printer_port_t;
')
allow $1 printer_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_printer_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the printer port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_printer_port',` dnl
dnl Interface: allow the domain in arg 1 to bind a UDP socket to a port
dnl labelled printer_port_t (name_bind).
dnl NOTE(review): this interface ALSO grants the net_bind_service
dnl capability to the domain. That capability is process-wide and permits
dnl binding any privileged (low-numbered) port, not only the printer port,
dnl so the grant is broader than the interface name suggests; the prelude
dnl bind interfaces in this file do not grant it. Presumably the printer
dnl port lies in the privileged range - confirm against the port
dnl declaration before calling this from a domain that should not be able
dnl to claim other privileged ports.
dnl Call-depth bookkeeping for the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_printer_port'($*)) dnl
dnl gen_require optionally inserts a require block so the type is in scope.
gen_require(`
type printer_port_t;
')
allow $1 printer_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_printer_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the printer port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_printer_port',` dnl
dnl Interface: allow the domain in arg 1 to make outbound TCP connections to
dnl a port labelled printer_port_t (name_connect). There is no UDP
dnl counterpart in this file; name_connect is a TCP-side check.
dnl Call-depth bookkeeping for the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_printer_port'($*)) dnl
dnl gen_require optionally inserts a require block so the type is in scope.
gen_require(`
type printer_port_t;
')
allow $1 printer_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_printer_port'($*)) dnl
')
########################################
##
## Send printer_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_printer_client_packets',` dnl
dnl Interface: allow the domain in arg 1 to send packets labelled
dnl printer_client_packet_t. Packet-class permissions are checked against
dnl SECMARK labels on the traffic, so this only takes effect where packets
dnl are labelled.
dnl Call-depth bookkeeping for the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_printer_client_packets'($*)) dnl
dnl gen_require optionally inserts a require block so the type is in scope.
gen_require(`
type printer_client_packet_t;
')
allow $1 printer_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_printer_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send printer_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_printer_client_packets',` dnl
dnl Interface: suppress the AVC audit record when the domain in arg 1 is
dnl denied sending packets labelled printer_client_packet_t. dontaudit
dnl grants nothing; it only hides the denial from log-based monitoring.
dnl Call-depth bookkeeping for the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_printer_client_packets'($*)) dnl
dnl gen_require optionally inserts a require block so the type is in scope.
gen_require(`
type printer_client_packet_t;
')
dontaudit $1 printer_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_printer_client_packets'($*)) dnl
')
########################################
##
## Receive printer_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_printer_client_packets',` dnl
dnl Interface: allow the domain in arg 1 to receive packets labelled
dnl printer_client_packet_t. Packet-class permissions are checked against
dnl SECMARK labels on the traffic, so this only takes effect where packets
dnl are labelled.
dnl Call-depth bookkeeping for the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_printer_client_packets'($*)) dnl
dnl gen_require optionally inserts a require block so the type is in scope.
gen_require(`
type printer_client_packet_t;
')
allow $1 printer_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_printer_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive printer_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_printer_client_packets',` dnl
dnl Interface: suppress the AVC audit record when the domain in arg 1 is
dnl denied receiving packets labelled printer_client_packet_t. dontaudit
dnl grants nothing; it only hides the denial from log-based monitoring.
dnl Call-depth bookkeeping for the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_printer_client_packets'($*)) dnl
dnl gen_require optionally inserts a require block so the type is in scope.
gen_require(`
type printer_client_packet_t;
')
dontaudit $1 printer_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_printer_client_packets'($*)) dnl
')
########################################
##
## Send and receive printer_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_printer_client_packets',` dnl
dnl Interface: convenience wrapper granting both send and receive of
dnl printer_client_packet_t packets to the domain in arg 1. No gen_require
dnl here; each called interface carries its own.
dnl Call-depth bookkeeping for the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_printer_client_packets'($*)) dnl
corenet_send_printer_client_packets($1)
corenet_receive_printer_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_printer_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive printer_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_printer_client_packets',` dnl
dnl Interface: convenience wrapper silencing denials for both send and
dnl receive of printer_client_packet_t packets by the domain in arg 1.
dnl Grants nothing; only the audit records are suppressed.
dnl Call-depth bookkeeping for the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_printer_client_packets'($*)) dnl
corenet_dontaudit_send_printer_client_packets($1)
corenet_dontaudit_receive_printer_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_printer_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the printer_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_printer_client_packets',` dnl
dnl Interface: allow the domain in arg 1 to relabel packets to
dnl printer_client_packet_t. This is a labelling privilege, not a
dnl send/receive one; presumably meant for the domain that applies SECMARK
dnl labels rather than for ordinary network clients - confirm at call sites.
dnl Call-depth bookkeeping for the policy_m4_comment begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_printer_client_packets'($*)) dnl
dnl gen_require optionally inserts a require block so the type is in scope.
gen_require(`
type printer_client_packet_t;
')
allow $1 printer_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_printer_client_packets'($*)) dnl
')
########################################
##
## Send printer_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
# Grants $1 send on the packet class for printer_server_packet_t.
# The packet type is only required here (gen_require), not declared.
define(`corenet_send_printer_server_packets',` dnl
# Enter: push an incremented call depth for the begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_printer_server_packets'($*)) dnl
gen_require(`
type printer_server_packet_t;
')
allow $1 printer_server_packet_t:packet send;
# Exit: push the decremented depth (not popped) for the end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_printer_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send printer_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
# Suppresses audit records when $1 is denied send on the packet class for
# printer_server_packet_t. Grants nothing; use only for known-benign noise,
# since the suppressed denials will not show up in the audit log.
define(`corenet_dontaudit_send_printer_server_packets',` dnl
# Enter: push an incremented call depth for the begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_printer_server_packets'($*)) dnl
gen_require(`
type printer_server_packet_t;
')
dontaudit $1 printer_server_packet_t:packet send;
# Exit: push the decremented depth (not popped) for the end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_printer_server_packets'($*)) dnl
')
########################################
##
## Receive printer_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
# Grants $1 recv on the packet class for printer_server_packet_t.
# The packet type is only required here (gen_require), not declared.
define(`corenet_receive_printer_server_packets',` dnl
# Enter: push an incremented call depth for the begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_printer_server_packets'($*)) dnl
gen_require(`
type printer_server_packet_t;
')
allow $1 printer_server_packet_t:packet recv;
# Exit: push the decremented depth (not popped) for the end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_printer_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive printer_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
# Suppresses audit records when $1 is denied recv on the packet class for
# printer_server_packet_t. Grants nothing; the denials still occur silently.
define(`corenet_dontaudit_receive_printer_server_packets',` dnl
# Enter: push an incremented call depth for the begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_printer_server_packets'($*)) dnl
gen_require(`
type printer_server_packet_t;
')
dontaudit $1 printer_server_packet_t:packet recv;
# Exit: push the decremented depth (not popped) for the end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_printer_server_packets'($*)) dnl
')
########################################
##
## Send and receive printer_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
# Convenience wrapper: grants $1 both send and recv on the packet class for
# printer_server_packet_t by calling the two single-direction interfaces.
# It carries no gen_require of its own; the callees require the type.
define(`corenet_sendrecv_printer_server_packets',` dnl
# Enter: push an incremented call depth for the begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_printer_server_packets'($*)) dnl
corenet_send_printer_server_packets($1)
corenet_receive_printer_server_packets($1)
# Exit: push the decremented depth (not popped) for the end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_printer_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive printer_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
# Suppresses audit records for denied send and recv of printer_server
# packets by $1, via the two single-direction dontaudit interfaces.
# Grants nothing: the denials still happen, they are just not logged.
define(`corenet_dontaudit_sendrecv_printer_server_packets',` dnl
# Enter: push an incremented call depth for the begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_printer_server_packets'($*)) dnl
corenet_dontaudit_send_printer_server_packets($1)
corenet_dontaudit_receive_printer_server_packets($1)
# Exit: push the decremented depth (not popped) for the end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_printer_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the printer_server packet type.
##
##
##
## Domain allowed access.
##
##
#
# Grants $1 relabelto on the packet class for printer_server_packet_t,
# i.e. the right to apply this packet label. It does not grant send or
# recv; those are separate interfaces.
define(`corenet_relabelto_printer_server_packets',` dnl
# Enter: push an incremented call depth for the begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_printer_server_packets'($*)) dnl
gen_require(`
type printer_server_packet_t;
')
allow $1 printer_server_packet_t:packet relabelto;
# Exit: push the decremented depth (not popped) for the end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_printer_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the ptal port.
##
##
##
## Domain allowed access.
##
##
##
#
# Grants $1 send_msg and recv_msg on tcp_socket for ptal_port_t.
# Binding to or connecting to the port are separate interfaces; which port
# numbers carry the ptal_port_t label is defined elsewhere, not here.
define(`corenet_tcp_sendrecv_ptal_port',` dnl
# Enter: push an incremented call depth for the begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ptal_port'($*)) dnl
gen_require(`
type ptal_port_t;
')
allow $1 ptal_port_t:tcp_socket { send_msg recv_msg };
# Exit: push the decremented depth (not popped) for the end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ptal_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the ptal port.
##
##
##
## Domain allowed access.
##
##
##
#
# Grants $1 send_msg on udp_socket for ptal_port_t (outbound only).
define(`corenet_udp_send_ptal_port',` dnl
# Enter: push an incremented call depth for the begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ptal_port'($*)) dnl
gen_require(`
type ptal_port_t;
')
allow $1 ptal_port_t:udp_socket send_msg;
# Exit: push the decremented depth (not popped) for the end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_ptal_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the ptal port.
##
##
##
## Domain to not audit.
##
##
##
#
# Suppresses audit records when $1 is denied send_msg on udp_socket for
# ptal_port_t. Grants nothing; the denials still occur silently.
define(`corenet_dontaudit_udp_send_ptal_port',` dnl
# Enter: push an incremented call depth for the begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ptal_port'($*)) dnl
gen_require(`
type ptal_port_t;
')
dontaudit $1 ptal_port_t:udp_socket send_msg;
# Exit: push the decremented depth (not popped) for the end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ptal_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the ptal port.
##
##
##
## Domain allowed access.
##
##
##
#
# Grants $1 recv_msg on udp_socket for ptal_port_t (inbound only).
define(`corenet_udp_receive_ptal_port',` dnl
# Enter: push an incremented call depth for the begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ptal_port'($*)) dnl
gen_require(`
type ptal_port_t;
')
allow $1 ptal_port_t:udp_socket recv_msg;
# Exit: push the decremented depth (not popped) for the end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ptal_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the ptal port.
##
##
##
## Domain to not audit.
##
##
##
#
# Suppresses audit records when $1 is denied recv_msg on udp_socket for
# ptal_port_t. Grants nothing; the denials still occur silently.
define(`corenet_dontaudit_udp_receive_ptal_port',` dnl
# Enter: push an incremented call depth for the begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ptal_port'($*)) dnl
gen_require(`
type ptal_port_t;
')
dontaudit $1 ptal_port_t:udp_socket recv_msg;
# Exit: push the decremented depth (not popped) for the end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ptal_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the ptal port.
##
##
##
## Domain allowed access.
##
##
##
#
# Convenience wrapper: grants $1 send_msg and recv_msg on udp_socket for
# ptal_port_t by calling the two single-direction interfaces.
# It carries no gen_require of its own; the callees require the type.
define(`corenet_udp_sendrecv_ptal_port',` dnl
# Enter: push an incremented call depth for the begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ptal_port'($*)) dnl
corenet_udp_send_ptal_port($1)
corenet_udp_receive_ptal_port($1)
# Exit: push the decremented depth (not popped) for the end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ptal_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the ptal port.
##
##
##
## Domain to not audit.
##
##
##
#
# Suppresses audit records for denied send_msg and recv_msg on udp_socket
# for ptal_port_t by $1, via the two single-direction dontaudit interfaces.
# Grants nothing: the denials still happen, they are just not logged.
define(`corenet_dontaudit_udp_sendrecv_ptal_port',` dnl
# Enter: push an incremented call depth for the begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ptal_port'($*)) dnl
corenet_dontaudit_udp_send_ptal_port($1)
corenet_dontaudit_udp_receive_ptal_port($1)
# Exit: push the decremented depth (not popped) for the end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ptal_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the ptal port.
##
##
##
## Domain allowed access.
##
##
##
#
# Grants $1 name_bind on tcp_socket for ptal_port_t, i.e. the right to
# listen on ports carrying this label. This is a server-side permission;
# keep it out of client domains. Which port numbers are labelled
# ptal_port_t is defined elsewhere, not in this interface.
define(`corenet_tcp_bind_ptal_port',` dnl
# Enter: push an incremented call depth for the begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ptal_port'($*)) dnl
gen_require(`
type ptal_port_t;
')
allow $1 ptal_port_t:tcp_socket name_bind;
# Exit: push the decremented depth (not popped) for the end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ptal_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the ptal port.
##
##
##
## Domain allowed access.
##
##
##
#
# Grants $1 name_bind on udp_socket for ptal_port_t, i.e. the right to
# bind a UDP socket to ports carrying this label. Server-side permission;
# the port-number-to-label mapping is defined elsewhere.
define(`corenet_udp_bind_ptal_port',` dnl
# Enter: push an incremented call depth for the begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ptal_port'($*)) dnl
gen_require(`
type ptal_port_t;
')
allow $1 ptal_port_t:udp_socket name_bind;
# Exit: push the decremented depth (not popped) for the end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ptal_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the ptal port.
##
##
##
## Domain allowed access.
##
##
#
# Grants $1 name_connect on tcp_socket for ptal_port_t, i.e. the right to
# connect outbound to ports carrying this label. Client-side permission;
# it does not grant send_msg or recv_msg, which are separate interfaces.
define(`corenet_tcp_connect_ptal_port',` dnl
# Enter: push an incremented call depth for the begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ptal_port'($*)) dnl
gen_require(`
type ptal_port_t;
')
allow $1 ptal_port_t:tcp_socket name_connect;
# Exit: push the decremented depth (not popped) for the end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ptal_port'($*)) dnl
')
########################################
##
## Send ptal_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
# Grants $1 send on the packet class for ptal_client_packet_t.
# The packet type is only required here (gen_require), not declared.
define(`corenet_send_ptal_client_packets',` dnl
# Enter: push an incremented call depth for the begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ptal_client_packets'($*)) dnl
gen_require(`
type ptal_client_packet_t;
')
allow $1 ptal_client_packet_t:packet send;
# Exit: push the decremented depth (not popped) for the end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ptal_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send ptal_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
# Suppresses audit records when $1 is denied send on the packet class for
# ptal_client_packet_t. Grants nothing; the denials still occur silently.
define(`corenet_dontaudit_send_ptal_client_packets',` dnl
# Enter: push an incremented call depth for the begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ptal_client_packets'($*)) dnl
gen_require(`
type ptal_client_packet_t;
')
dontaudit $1 ptal_client_packet_t:packet send;
# Exit: push the decremented depth (not popped) for the end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ptal_client_packets'($*)) dnl
')
########################################
##
## Receive ptal_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
# Grants $1 recv on the packet class for ptal_client_packet_t.
# The packet type is only required here (gen_require), not declared.
define(`corenet_receive_ptal_client_packets',` dnl
# Enter: push an incremented call depth for the begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ptal_client_packets'($*)) dnl
gen_require(`
type ptal_client_packet_t;
')
allow $1 ptal_client_packet_t:packet recv;
# Exit: push the decremented depth (not popped) for the end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ptal_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive ptal_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
# Suppresses audit records when $1 is denied recv on the packet class for
# ptal_client_packet_t. Grants nothing; the denials still occur silently.
define(`corenet_dontaudit_receive_ptal_client_packets',` dnl
# Enter: push an incremented call depth for the begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ptal_client_packets'($*)) dnl
gen_require(`
type ptal_client_packet_t;
')
dontaudit $1 ptal_client_packet_t:packet recv;
# Exit: push the decremented depth (not popped) for the end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ptal_client_packets'($*)) dnl
')
########################################
##
## Send and receive ptal_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
# Convenience wrapper: grants $1 both send and recv on the packet class for
# ptal_client_packet_t by calling the two single-direction interfaces.
# It carries no gen_require of its own; the callees require the type.
define(`corenet_sendrecv_ptal_client_packets',` dnl
# Enter: push an incremented call depth for the begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ptal_client_packets'($*)) dnl
corenet_send_ptal_client_packets($1)
corenet_receive_ptal_client_packets($1)
# Exit: push the decremented depth (not popped) for the end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ptal_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive ptal_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
# Suppresses audit records for denied send and recv of ptal_client packets
# by $1, via the two single-direction dontaudit interfaces.
# Grants nothing: the denials still happen, they are just not logged.
define(`corenet_dontaudit_sendrecv_ptal_client_packets',` dnl
# Enter: push an incremented call depth for the begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ptal_client_packets'($*)) dnl
corenet_dontaudit_send_ptal_client_packets($1)
corenet_dontaudit_receive_ptal_client_packets($1)
# Exit: push the decremented depth (not popped) for the end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ptal_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the ptal_client packet type.
##
##
##
## Domain allowed access.
##
##
#
# Grants $1 relabelto on the packet class for ptal_client_packet_t,
# i.e. the right to apply this packet label. It does not grant send or
# recv; those are separate interfaces.
define(`corenet_relabelto_ptal_client_packets',` dnl
# Enter: push an incremented call depth for the begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ptal_client_packets'($*)) dnl
gen_require(`
type ptal_client_packet_t;
')
allow $1 ptal_client_packet_t:packet relabelto;
# Exit: push the decremented depth (not popped) for the end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ptal_client_packets'($*)) dnl
')
########################################
##
## Send ptal_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
# Grants $1 send on the packet class for ptal_server_packet_t.
# The packet type is only required here (gen_require), not declared.
define(`corenet_send_ptal_server_packets',` dnl
# Enter: push an incremented call depth for the begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ptal_server_packets'($*)) dnl
gen_require(`
type ptal_server_packet_t;
')
allow $1 ptal_server_packet_t:packet send;
# Exit: push the decremented depth (not popped) for the end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ptal_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send ptal_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
# Suppresses audit records when $1 is denied send on the packet class for
# ptal_server_packet_t. Grants nothing; the denials still occur silently.
define(`corenet_dontaudit_send_ptal_server_packets',` dnl
# Enter: push an incremented call depth for the begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ptal_server_packets'($*)) dnl
gen_require(`
type ptal_server_packet_t;
')
dontaudit $1 ptal_server_packet_t:packet send;
# Exit: push the decremented depth (not popped) for the end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ptal_server_packets'($*)) dnl
')
########################################
##
## Receive ptal_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
# Grants $1 recv on the packet class for ptal_server_packet_t.
# The packet type is only required here (gen_require), not declared.
define(`corenet_receive_ptal_server_packets',` dnl
# Enter: push an incremented call depth for the begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ptal_server_packets'($*)) dnl
gen_require(`
type ptal_server_packet_t;
')
allow $1 ptal_server_packet_t:packet recv;
# Exit: push the decremented depth (not popped) for the end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ptal_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive ptal_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
# Suppresses audit records when $1 is denied recv on the packet class for
# ptal_server_packet_t. Grants nothing; the denials still occur silently.
define(`corenet_dontaudit_receive_ptal_server_packets',` dnl
# Enter: push an incremented call depth for the begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ptal_server_packets'($*)) dnl
gen_require(`
type ptal_server_packet_t;
')
dontaudit $1 ptal_server_packet_t:packet recv;
# Exit: push the decremented depth (not popped) for the end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ptal_server_packets'($*)) dnl
')
########################################
##
## Send and receive ptal_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
# Convenience wrapper: grants $1 both send and recv on the packet class for
# ptal_server_packet_t by calling the two single-direction interfaces.
# It carries no gen_require of its own; the callees require the type.
define(`corenet_sendrecv_ptal_server_packets',` dnl
# Enter: push an incremented call depth for the begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ptal_server_packets'($*)) dnl
corenet_send_ptal_server_packets($1)
corenet_receive_ptal_server_packets($1)
# Exit: push the decremented depth (not popped) for the end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ptal_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive ptal_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
# Suppresses audit records for denied send and recv of ptal_server packets
# by $1, via the two single-direction dontaudit interfaces.
# Grants nothing: the denials still happen, they are just not logged.
define(`corenet_dontaudit_sendrecv_ptal_server_packets',` dnl
# Enter: push an incremented call depth for the begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ptal_server_packets'($*)) dnl
corenet_dontaudit_send_ptal_server_packets($1)
corenet_dontaudit_receive_ptal_server_packets($1)
# Exit: push the decremented depth (not popped) for the end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ptal_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the ptal_server packet type.
##
##
##
## Domain allowed access.
##
##
#
# Grants $1 relabelto on the packet class for ptal_server_packet_t,
# i.e. the right to apply this packet label. It does not grant send or
# recv; those are separate interfaces.
define(`corenet_relabelto_ptal_server_packets',` dnl
# Enter: push an incremented call depth for the begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ptal_server_packets'($*)) dnl
gen_require(`
type ptal_server_packet_t;
')
allow $1 ptal_server_packet_t:packet relabelto;
# Exit: push the decremented depth (not popped) for the end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ptal_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the pxe port.
##
##
##
## Domain allowed access.
##
##
##
#
# Grants $1 send_msg and recv_msg on tcp_socket for pxe_port_t.
# Binding to or connecting to the port are separate interfaces; which port
# numbers carry the pxe_port_t label is defined elsewhere, not here.
define(`corenet_tcp_sendrecv_pxe_port',` dnl
# Enter: push an incremented call depth for the begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_pxe_port'($*)) dnl
gen_require(`
type pxe_port_t;
')
allow $1 pxe_port_t:tcp_socket { send_msg recv_msg };
# Exit: push the decremented depth (not popped) for the end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_pxe_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the pxe port.
##
##
##
## Domain allowed access.
##
##
##
#
# Grants $1 send_msg on udp_socket for pxe_port_t (outbound only).
define(`corenet_udp_send_pxe_port',` dnl
# Enter: push an incremented call depth for the begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_pxe_port'($*)) dnl
gen_require(`
type pxe_port_t;
')
allow $1 pxe_port_t:udp_socket send_msg;
# Exit: push the decremented depth (not popped) for the end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_pxe_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the pxe port.
##
##
##
## Domain to not audit.
##
##
##
#
# Suppresses audit records when $1 is denied send_msg on udp_socket for
# pxe_port_t. Grants nothing; the denials still occur silently.
define(`corenet_dontaudit_udp_send_pxe_port',` dnl
# Enter: push an incremented call depth for the begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_pxe_port'($*)) dnl
gen_require(`
type pxe_port_t;
')
dontaudit $1 pxe_port_t:udp_socket send_msg;
# Exit: push the decremented depth (not popped) for the end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_pxe_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the pxe port.
##
##
##
## Domain allowed access.
##
##
##
#
# Grants $1 recv_msg on udp_socket for pxe_port_t (inbound only).
define(`corenet_udp_receive_pxe_port',` dnl
# Enter: push an incremented call depth for the begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_pxe_port'($*)) dnl
gen_require(`
type pxe_port_t;
')
allow $1 pxe_port_t:udp_socket recv_msg;
# Exit: push the decremented depth (not popped) for the end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_pxe_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the pxe port.
##
##
##
## Domain to not audit.
##
##
##
#
# Suppresses audit records when $1 is denied recv_msg on udp_socket for
# pxe_port_t. Grants nothing; the denials still occur silently.
define(`corenet_dontaudit_udp_receive_pxe_port',` dnl
# Enter: push an incremented call depth for the begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_pxe_port'($*)) dnl
gen_require(`
type pxe_port_t;
')
dontaudit $1 pxe_port_t:udp_socket recv_msg;
# Exit: push the decremented depth (not popped) for the end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_pxe_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the pxe port.
##
##
##
## Domain allowed access.
##
##
##
#
# Convenience wrapper: grants $1 send_msg and recv_msg on udp_socket for
# pxe_port_t by calling the two single-direction interfaces.
# It carries no gen_require of its own; the callees require the type.
define(`corenet_udp_sendrecv_pxe_port',` dnl
# Enter: push an incremented call depth for the begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_pxe_port'($*)) dnl
corenet_udp_send_pxe_port($1)
corenet_udp_receive_pxe_port($1)
# Exit: push the decremented depth (not popped) for the end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_pxe_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the pxe port.
##
##
##
## Domain to not audit.
##
##
##
#
# Suppresses audit records for denied send_msg and recv_msg on udp_socket
# for pxe_port_t by $1, via the two single-direction dontaudit interfaces.
# Grants nothing: the denials still happen, they are just not logged.
define(`corenet_dontaudit_udp_sendrecv_pxe_port',` dnl
# Enter: push an incremented call depth for the begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_pxe_port'($*)) dnl
corenet_dontaudit_udp_send_pxe_port($1)
corenet_dontaudit_udp_receive_pxe_port($1)
# Exit: push the decremented depth (not popped) for the end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_pxe_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the pxe port.
##
##
##
## Domain allowed access.
##
##
##
#
# Grants $1 name_bind on tcp_socket for pxe_port_t, i.e. the right to
# listen on ports carrying this label. This is a server-side permission;
# keep it out of client domains. Which port numbers are labelled
# pxe_port_t is defined elsewhere, not in this interface.
define(`corenet_tcp_bind_pxe_port',` dnl
# Enter: push an incremented call depth for the begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_pxe_port'($*)) dnl
gen_require(`
type pxe_port_t;
')
allow $1 pxe_port_t:tcp_socket name_bind;
# Exit: push the decremented depth (not popped) for the end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_pxe_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the pxe port.
##
##
##
## Domain allowed access.
##
##
##
#
# Grants $1 name_bind on udp_socket for pxe_port_t, i.e. the right to
# bind a UDP socket to ports carrying this label. Server-side permission;
# the port-number-to-label mapping is defined elsewhere.
define(`corenet_udp_bind_pxe_port',` dnl
# Enter: push an incremented call depth for the begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_pxe_port'($*)) dnl
gen_require(`
type pxe_port_t;
')
allow $1 pxe_port_t:udp_socket name_bind;
# Exit: push the decremented depth (not popped) for the end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_pxe_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the pxe port.
##
##
##
## Domain allowed access.
##
##
#
# Grants $1 name_connect on tcp_socket for pxe_port_t, i.e. the right to
# connect outbound to ports carrying this label. Client-side permission;
# it does not grant send_msg or recv_msg, which are separate interfaces.
define(`corenet_tcp_connect_pxe_port',` dnl
# Enter: push an incremented call depth for the begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_pxe_port'($*)) dnl
gen_require(`
type pxe_port_t;
')
allow $1 pxe_port_t:tcp_socket name_connect;
# Exit: push the decremented depth (not popped) for the end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_pxe_port'($*)) dnl
')
########################################
##
## Send pxe_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
# Grants $1 send on the packet class for pxe_client_packet_t.
# The packet type is only required here (gen_require), not declared.
define(`corenet_send_pxe_client_packets',` dnl
# Enter: push an incremented call depth for the begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pxe_client_packets'($*)) dnl
gen_require(`
type pxe_client_packet_t;
')
allow $1 pxe_client_packet_t:packet send;
# Exit: push the decremented depth (not popped) for the end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pxe_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send pxe_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
# Suppresses audit records when $1 is denied send on the packet class for
# pxe_client_packet_t. Grants nothing; the denials still occur silently.
define(`corenet_dontaudit_send_pxe_client_packets',` dnl
# Enter: push an incremented call depth for the begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pxe_client_packets'($*)) dnl
gen_require(`
type pxe_client_packet_t;
')
dontaudit $1 pxe_client_packet_t:packet send;
# Exit: push the decremented depth (not popped) for the end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pxe_client_packets'($*)) dnl
')
########################################
##
## Receive pxe_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
# Grants $1 recv on the packet class for pxe_client_packet_t.
# The packet type is only required here (gen_require), not declared.
define(`corenet_receive_pxe_client_packets',` dnl
# Enter: push an incremented call depth for the begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pxe_client_packets'($*)) dnl
gen_require(`
type pxe_client_packet_t;
')
allow $1 pxe_client_packet_t:packet recv;
# Exit: push the decremented depth (not popped) for the end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pxe_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive pxe_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
# Suppresses audit records when $1 is denied recv on the packet class for
# pxe_client_packet_t. Grants nothing; the denials still occur silently.
define(`corenet_dontaudit_receive_pxe_client_packets',` dnl
# Enter: push an incremented call depth for the begin marker.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pxe_client_packets'($*)) dnl
gen_require(`
type pxe_client_packet_t;
')
dontaudit $1 pxe_client_packet_t:packet recv;
# Exit: push the decremented depth (not popped) for the end marker.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pxe_client_packets'($*)) dnl
')
########################################
##
## Send and receive pxe_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
# Composes the send and receive interfaces; their gen_require blocks cover
# pxe_client_packet_t, so this wrapper only adds the begin/end trace comments.
define(`corenet_sendrecv_pxe_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pxe_client_packets'($*)) dnl
corenet_send_pxe_client_packets($1)
corenet_receive_pxe_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pxe_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive pxe_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
# Composes the two dontaudit interfaces; grants no access. Their gen_require blocks
# cover pxe_client_packet_t, so this wrapper only adds the begin/end trace comments.
define(`corenet_dontaudit_sendrecv_pxe_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pxe_client_packets'($*)) dnl
corenet_dontaudit_send_pxe_client_packets($1)
corenet_dontaudit_receive_pxe_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pxe_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the pxe_client packet type.
##
##
##
## Domain allowed access.
##
##
#
# Grants $1 relabelto on the packet class, i.e. the ability to label packets pxe_client_packet_t.
# The policy_temp/policy_call_depth lines only bracket the rule with begin/end trace comments.
define(`corenet_relabelto_pxe_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pxe_client_packets'($*)) dnl
gen_require(`
type pxe_client_packet_t;
')
allow $1 pxe_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pxe_client_packets'($*)) dnl
')
########################################
##
## Send pxe_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
# Grants $1 the send permission on packets labelled pxe_server_packet_t.
# The policy_temp/policy_call_depth lines only bracket the rule with begin/end trace comments.
define(`corenet_send_pxe_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pxe_server_packets'($*)) dnl
gen_require(`
type pxe_server_packet_t;
')
allow $1 pxe_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pxe_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send pxe_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
# Suppresses audit of denied sends by $1 on pxe_server_packet_t packets; grants no access.
# The policy_temp/policy_call_depth lines only bracket the rule with begin/end trace comments.
define(`corenet_dontaudit_send_pxe_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pxe_server_packets'($*)) dnl
gen_require(`
type pxe_server_packet_t;
')
dontaudit $1 pxe_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pxe_server_packets'($*)) dnl
')
########################################
##
## Receive pxe_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
# Grants $1 the recv permission on packets labelled pxe_server_packet_t.
# The policy_temp/policy_call_depth lines only bracket the rule with begin/end trace comments.
define(`corenet_receive_pxe_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pxe_server_packets'($*)) dnl
gen_require(`
type pxe_server_packet_t;
')
allow $1 pxe_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pxe_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive pxe_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
# Suppresses audit of denied receives by $1 on pxe_server_packet_t packets; grants no access.
# The policy_temp/policy_call_depth lines only bracket the rule with begin/end trace comments.
define(`corenet_dontaudit_receive_pxe_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pxe_server_packets'($*)) dnl
gen_require(`
type pxe_server_packet_t;
')
dontaudit $1 pxe_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pxe_server_packets'($*)) dnl
')
########################################
##
## Send and receive pxe_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
# Composes the send and receive interfaces; their gen_require blocks cover
# pxe_server_packet_t, so this wrapper only adds the begin/end trace comments.
define(`corenet_sendrecv_pxe_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pxe_server_packets'($*)) dnl
corenet_send_pxe_server_packets($1)
corenet_receive_pxe_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pxe_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive pxe_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
# Composes the two dontaudit interfaces; grants no access. Their gen_require blocks
# cover pxe_server_packet_t, so this wrapper only adds the begin/end trace comments.
define(`corenet_dontaudit_sendrecv_pxe_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pxe_server_packets'($*)) dnl
corenet_dontaudit_send_pxe_server_packets($1)
corenet_dontaudit_receive_pxe_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pxe_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the pxe_server packet type.
##
##
##
## Domain allowed access.
##
##
#
# Grants $1 relabelto on the packet class, i.e. the ability to label packets pxe_server_packet_t.
# The policy_temp/policy_call_depth lines only bracket the rule with begin/end trace comments.
define(`corenet_relabelto_pxe_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pxe_server_packets'($*)) dnl
gen_require(`
type pxe_server_packet_t;
')
allow $1 pxe_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pxe_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the pyzor port.
##
##
##
## Domain allowed access.
##
##
##
#
# Grants $1 send_msg and recv_msg on tcp_socket for pyzor_port_t in a single rule.
# The policy_temp/policy_call_depth lines only bracket the rule with begin/end trace comments.
define(`corenet_tcp_sendrecv_pyzor_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_pyzor_port'($*)) dnl
gen_require(`
type pyzor_port_t;
')
allow $1 pyzor_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_pyzor_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the pyzor port.
##
##
##
## Domain allowed access.
##
##
##
#
# Grants $1 send_msg on udp_socket for pyzor_port_t.
# The policy_temp/policy_call_depth lines only bracket the rule with begin/end trace comments.
define(`corenet_udp_send_pyzor_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_pyzor_port'($*)) dnl
gen_require(`
type pyzor_port_t;
')
allow $1 pyzor_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_pyzor_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the pyzor port.
##
##
##
## Domain to not audit.
##
##
##
#
# Suppresses audit of denied udp_socket send_msg by $1 on pyzor_port_t; grants no access.
# The policy_temp/policy_call_depth lines only bracket the rule with begin/end trace comments.
define(`corenet_dontaudit_udp_send_pyzor_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_pyzor_port'($*)) dnl
gen_require(`
type pyzor_port_t;
')
dontaudit $1 pyzor_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_pyzor_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the pyzor port.
##
##
##
## Domain allowed access.
##
##
##
#
# Grants $1 recv_msg on udp_socket for pyzor_port_t.
# The policy_temp/policy_call_depth lines only bracket the rule with begin/end trace comments.
define(`corenet_udp_receive_pyzor_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_pyzor_port'($*)) dnl
gen_require(`
type pyzor_port_t;
')
allow $1 pyzor_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_pyzor_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the pyzor port.
##
##
##
## Domain to not audit.
##
##
##
#
# Suppresses audit of denied udp_socket recv_msg by $1 on pyzor_port_t; grants no access.
# The policy_temp/policy_call_depth lines only bracket the rule with begin/end trace comments.
define(`corenet_dontaudit_udp_receive_pyzor_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_pyzor_port'($*)) dnl
gen_require(`
type pyzor_port_t;
')
dontaudit $1 pyzor_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_pyzor_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the pyzor port.
##
##
##
## Domain allowed access.
##
##
##
#
# Composes the UDP send and receive interfaces; their gen_require blocks cover
# pyzor_port_t, so this wrapper only adds the begin/end trace comments.
define(`corenet_udp_sendrecv_pyzor_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_pyzor_port'($*)) dnl
corenet_udp_send_pyzor_port($1)
corenet_udp_receive_pyzor_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_pyzor_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the pyzor port.
##
##
##
## Domain to not audit.
##
##
##
#
# Composes the two UDP dontaudit interfaces; grants no access. Their gen_require
# blocks cover pyzor_port_t, so this wrapper only adds the begin/end trace comments.
define(`corenet_dontaudit_udp_sendrecv_pyzor_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_pyzor_port'($*)) dnl
corenet_dontaudit_udp_send_pyzor_port($1)
corenet_dontaudit_udp_receive_pyzor_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_pyzor_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the pyzor port.
##
##
##
## Domain allowed access.
##
##
##
#
# Grants $1 name_bind on tcp_socket for pyzor_port_t (binding, not connecting).
# The policy_temp/policy_call_depth lines only bracket the rule with begin/end trace comments.
define(`corenet_tcp_bind_pyzor_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_pyzor_port'($*)) dnl
gen_require(`
type pyzor_port_t;
')
allow $1 pyzor_port_t:tcp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_pyzor_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the pyzor port.
##
##
##
## Domain allowed access.
##
##
##
#
# Grants $1 name_bind on udp_socket for pyzor_port_t.
# The policy_temp/policy_call_depth lines only bracket the rule with begin/end trace comments.
define(`corenet_udp_bind_pyzor_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_pyzor_port'($*)) dnl
gen_require(`
type pyzor_port_t;
')
allow $1 pyzor_port_t:udp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_pyzor_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the pyzor port.
##
##
##
## Domain allowed access.
##
##
#
# Grants $1 name_connect on tcp_socket for pyzor_port_t (connecting, not binding).
# The policy_temp/policy_call_depth lines only bracket the rule with begin/end trace comments.
define(`corenet_tcp_connect_pyzor_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_pyzor_port'($*)) dnl
gen_require(`
type pyzor_port_t;
')
allow $1 pyzor_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_pyzor_port'($*)) dnl
')
########################################
##
## Send pyzor_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
# Grants $1 the send permission on packets labelled pyzor_client_packet_t.
# The policy_temp/policy_call_depth lines only bracket the rule with begin/end trace comments.
define(`corenet_send_pyzor_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pyzor_client_packets'($*)) dnl
gen_require(`
type pyzor_client_packet_t;
')
allow $1 pyzor_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pyzor_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send pyzor_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
# Suppresses audit of denied sends by $1 on pyzor_client_packet_t packets; grants no access.
# The policy_temp/policy_call_depth lines only bracket the rule with begin/end trace comments.
define(`corenet_dontaudit_send_pyzor_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pyzor_client_packets'($*)) dnl
gen_require(`
type pyzor_client_packet_t;
')
dontaudit $1 pyzor_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pyzor_client_packets'($*)) dnl
')
########################################
##
## Receive pyzor_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
# Grants $1 the recv permission on packets labelled pyzor_client_packet_t.
# The policy_temp/policy_call_depth lines only bracket the rule with begin/end trace comments.
define(`corenet_receive_pyzor_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pyzor_client_packets'($*)) dnl
gen_require(`
type pyzor_client_packet_t;
')
allow $1 pyzor_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pyzor_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive pyzor_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
# Suppresses audit of denied receives by $1 on pyzor_client_packet_t packets; grants no access.
# The policy_temp/policy_call_depth lines only bracket the rule with begin/end trace comments.
define(`corenet_dontaudit_receive_pyzor_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pyzor_client_packets'($*)) dnl
gen_require(`
type pyzor_client_packet_t;
')
dontaudit $1 pyzor_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pyzor_client_packets'($*)) dnl
')
########################################
##
## Send and receive pyzor_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
# Composes the send and receive interfaces; their gen_require blocks cover
# pyzor_client_packet_t, so this wrapper only adds the begin/end trace comments.
define(`corenet_sendrecv_pyzor_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pyzor_client_packets'($*)) dnl
corenet_send_pyzor_client_packets($1)
corenet_receive_pyzor_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pyzor_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive pyzor_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
# Composes the two dontaudit interfaces; grants no access. Their gen_require blocks
# cover pyzor_client_packet_t, so this wrapper only adds the begin/end trace comments.
define(`corenet_dontaudit_sendrecv_pyzor_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pyzor_client_packets'($*)) dnl
corenet_dontaudit_send_pyzor_client_packets($1)
corenet_dontaudit_receive_pyzor_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pyzor_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the pyzor_client packet type.
##
##
##
## Domain allowed access.
##
##
#
# Grants $1 relabelto on the packet class, i.e. the ability to label packets pyzor_client_packet_t.
# The policy_temp/policy_call_depth lines only bracket the rule with begin/end trace comments.
define(`corenet_relabelto_pyzor_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pyzor_client_packets'($*)) dnl
gen_require(`
type pyzor_client_packet_t;
')
allow $1 pyzor_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pyzor_client_packets'($*)) dnl
')
########################################
##
## Send pyzor_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
# Grants $1 the send permission on packets labelled pyzor_server_packet_t.
# The policy_temp/policy_call_depth lines only bracket the rule with begin/end trace comments.
define(`corenet_send_pyzor_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pyzor_server_packets'($*)) dnl
gen_require(`
type pyzor_server_packet_t;
')
allow $1 pyzor_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pyzor_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send pyzor_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
# Suppresses audit of denied sends by $1 on pyzor_server_packet_t packets; grants no access.
# The policy_temp/policy_call_depth lines only bracket the rule with begin/end trace comments.
define(`corenet_dontaudit_send_pyzor_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pyzor_server_packets'($*)) dnl
gen_require(`
type pyzor_server_packet_t;
')
dontaudit $1 pyzor_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pyzor_server_packets'($*)) dnl
')
########################################
##
## Receive pyzor_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
# Grants $1 the recv permission on packets labelled pyzor_server_packet_t.
# The policy_temp/policy_call_depth lines only bracket the rule with begin/end trace comments.
define(`corenet_receive_pyzor_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pyzor_server_packets'($*)) dnl
gen_require(`
type pyzor_server_packet_t;
')
allow $1 pyzor_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pyzor_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive pyzor_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
# Suppresses audit of denied receives by $1 on pyzor_server_packet_t packets; grants no access.
# The policy_temp/policy_call_depth lines only bracket the rule with begin/end trace comments.
define(`corenet_dontaudit_receive_pyzor_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pyzor_server_packets'($*)) dnl
gen_require(`
type pyzor_server_packet_t;
')
dontaudit $1 pyzor_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pyzor_server_packets'($*)) dnl
')
########################################
##
## Send and receive pyzor_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
# Composes the send and receive interfaces; their gen_require blocks cover
# pyzor_server_packet_t, so this wrapper only adds the begin/end trace comments.
define(`corenet_sendrecv_pyzor_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pyzor_server_packets'($*)) dnl
corenet_send_pyzor_server_packets($1)
corenet_receive_pyzor_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pyzor_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive pyzor_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
# Composes the two dontaudit interfaces; grants no access. Their gen_require blocks
# cover pyzor_server_packet_t, so this wrapper only adds the begin/end trace comments.
define(`corenet_dontaudit_sendrecv_pyzor_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pyzor_server_packets'($*)) dnl
corenet_dontaudit_send_pyzor_server_packets($1)
corenet_dontaudit_receive_pyzor_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pyzor_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the pyzor_server packet type.
##
##
##
## Domain allowed access.
##
##
#
# Grants $1 relabelto on the packet class, i.e. the ability to label packets pyzor_server_packet_t.
# The policy_temp/policy_call_depth lines only bracket the rule with begin/end trace comments.
define(`corenet_relabelto_pyzor_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pyzor_server_packets'($*)) dnl
gen_require(`
type pyzor_server_packet_t;
')
allow $1 pyzor_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pyzor_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the radacct port.
##
##
##
## Domain allowed access.
##
##
##
#
# Grants $1 send_msg and recv_msg on tcp_socket for radacct_port_t in a single rule.
# The policy_temp/policy_call_depth lines only bracket the rule with begin/end trace comments.
define(`corenet_tcp_sendrecv_radacct_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_radacct_port'($*)) dnl
gen_require(`
type radacct_port_t;
')
allow $1 radacct_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_radacct_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the radacct port.
##
##
##
## Domain allowed access.
##
##
##
#
# Grants $1 send_msg on udp_socket for radacct_port_t.
# The policy_temp/policy_call_depth lines only bracket the rule with begin/end trace comments.
define(`corenet_udp_send_radacct_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_radacct_port'($*)) dnl
gen_require(`
type radacct_port_t;
')
allow $1 radacct_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_radacct_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the radacct port.
##
##
##
## Domain to not audit.
##
##
##
#
# Suppresses audit of denied udp_socket send_msg by $1 on radacct_port_t; grants no access.
# The policy_temp/policy_call_depth lines only bracket the rule with begin/end trace comments.
define(`corenet_dontaudit_udp_send_radacct_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_radacct_port'($*)) dnl
gen_require(`
type radacct_port_t;
')
dontaudit $1 radacct_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_radacct_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the radacct port.
##
##
##
## Domain allowed access.
##
##
##
#
# Grants $1 recv_msg on udp_socket for radacct_port_t.
# The policy_temp/policy_call_depth lines only bracket the rule with begin/end trace comments.
define(`corenet_udp_receive_radacct_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_radacct_port'($*)) dnl
gen_require(`
type radacct_port_t;
')
allow $1 radacct_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_radacct_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the radacct port.
##
##
##
## Domain to not audit.
##
##
##
#
# Suppresses audit of denied udp_socket recv_msg by $1 on radacct_port_t; grants no access.
# The policy_temp/policy_call_depth lines only bracket the rule with begin/end trace comments.
define(`corenet_dontaudit_udp_receive_radacct_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_radacct_port'($*)) dnl
gen_require(`
type radacct_port_t;
')
dontaudit $1 radacct_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_radacct_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the radacct port.
##
##
##
## Domain allowed access.
##
##
##
#
# Composes the UDP send and receive interfaces; their gen_require blocks cover
# radacct_port_t, so this wrapper only adds the begin/end trace comments.
define(`corenet_udp_sendrecv_radacct_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_radacct_port'($*)) dnl
corenet_udp_send_radacct_port($1)
corenet_udp_receive_radacct_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_radacct_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the radacct port.
##
##
##
## Domain to not audit.
##
##
##
#
# Composes the two UDP dontaudit interfaces; grants no access. Their gen_require
# blocks cover radacct_port_t, so this wrapper only adds the begin/end trace comments.
define(`corenet_dontaudit_udp_sendrecv_radacct_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_radacct_port'($*)) dnl
corenet_dontaudit_udp_send_radacct_port($1)
corenet_dontaudit_udp_receive_radacct_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_radacct_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the radacct port.
##
##
##
## Domain allowed access.
##
##
##
#
# Grants $1 name_bind on tcp_socket for radacct_port_t (binding, not connecting).
# The policy_temp/policy_call_depth lines only bracket the rule with begin/end trace comments.
define(`corenet_tcp_bind_radacct_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_radacct_port'($*)) dnl
gen_require(`
type radacct_port_t;
')
allow $1 radacct_port_t:tcp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_radacct_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the radacct port.
##
##
##
## Domain allowed access.
##
##
##
#
# Grants $1 name_bind on udp_socket for radacct_port_t.
# The policy_temp/policy_call_depth lines only bracket the rule with begin/end trace comments.
define(`corenet_udp_bind_radacct_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_radacct_port'($*)) dnl
gen_require(`
type radacct_port_t;
')
allow $1 radacct_port_t:udp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_radacct_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the radacct port.
##
##
##
## Domain allowed access.
##
##
#
# Grants $1 name_connect on tcp_socket for radacct_port_t (connecting, not binding).
# The policy_temp/policy_call_depth lines only bracket the rule with begin/end trace comments.
define(`corenet_tcp_connect_radacct_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_radacct_port'($*)) dnl
gen_require(`
type radacct_port_t;
')
allow $1 radacct_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_radacct_port'($*)) dnl
')
########################################
##
## Send radacct_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
# Grants $1 the send permission on packets labelled radacct_client_packet_t.
# The policy_temp/policy_call_depth lines only bracket the rule with begin/end trace comments.
define(`corenet_send_radacct_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_radacct_client_packets'($*)) dnl
gen_require(`
type radacct_client_packet_t;
')
allow $1 radacct_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_radacct_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send radacct_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_radacct_client_packets',` dnl
dnl Interface corenet_dontaudit_send_radacct_client_packets($1): suppress the
dnl AVC denial audit when domain $1 tries to send radacct_client_packet_t
dnl packets. dontaudit grants nothing; it only hides the denial, so use it for
dnl known-benign attempts rather than to silence a real access need.
dnl The policy_call_depth pushdefs (depth is re-pushed, never popped) and the
dnl policy_m4_comment begin/end calls are nesting-trace bookkeeping, not rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_radacct_client_packets'($*)) dnl
gen_require(`
type radacct_client_packet_t;
')
dontaudit $1 radacct_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_radacct_client_packets'($*)) dnl
')
########################################
##
## Receive radacct_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_radacct_client_packets',` dnl
dnl Interface corenet_receive_radacct_client_packets($1): allow domain $1 to
dnl receive packets labeled radacct_client_packet_t (packet class, SECMARK).
dnl Pairs with the matching send interface for two-way traffic.
dnl The policy_call_depth pushdefs (depth is re-pushed, never popped) and the
dnl policy_m4_comment begin/end calls are nesting-trace bookkeeping, not rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_radacct_client_packets'($*)) dnl
gen_require(`
type radacct_client_packet_t;
')
allow $1 radacct_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_radacct_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive radacct_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_radacct_client_packets',` dnl
dnl Interface corenet_dontaudit_receive_radacct_client_packets($1): suppress the
dnl AVC denial audit when domain $1 would receive radacct_client_packet_t
dnl packets. dontaudit grants nothing; the packet is still denied, only the
dnl audit record is dropped.
dnl The policy_call_depth pushdefs (depth is re-pushed, never popped) and the
dnl policy_m4_comment begin/end calls are nesting-trace bookkeeping, not rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_radacct_client_packets'($*)) dnl
gen_require(`
type radacct_client_packet_t;
')
dontaudit $1 radacct_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_radacct_client_packets'($*)) dnl
')
########################################
##
## Send and receive radacct_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_radacct_client_packets',` dnl
dnl Interface corenet_sendrecv_radacct_client_packets($1): convenience wrapper
dnl that calls the send and receive interfaces for radacct_client_packet_t on
dnl domain $1. It emits no rules of its own.
dnl The policy_call_depth pushdefs (depth is re-pushed, never popped) and the
dnl policy_m4_comment begin/end calls are nesting-trace bookkeeping, not rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_radacct_client_packets'($*)) dnl
corenet_send_radacct_client_packets($1)
corenet_receive_radacct_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_radacct_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive radacct_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_radacct_client_packets',` dnl
dnl Interface corenet_dontaudit_sendrecv_radacct_client_packets($1): wrapper
dnl that calls the dontaudit send and dontaudit receive interfaces for
dnl radacct_client_packet_t on domain $1. Suppresses audit only; grants nothing.
dnl The policy_call_depth pushdefs (depth is re-pushed, never popped) and the
dnl policy_m4_comment begin/end calls are nesting-trace bookkeeping, not rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_radacct_client_packets'($*)) dnl
corenet_dontaudit_send_radacct_client_packets($1)
corenet_dontaudit_receive_radacct_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_radacct_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the radacct_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_radacct_client_packets',` dnl
dnl Interface corenet_relabelto_radacct_client_packets($1): allow domain $1 to
dnl relabel packets to radacct_client_packet_t (packet class relabelto).
dnl Relabeling decides which packet send/recv rules later apply, so this is a
dnl labeling-authority right and should be granted sparingly.
dnl The policy_call_depth pushdefs (depth is re-pushed, never popped) and the
dnl policy_m4_comment begin/end calls are nesting-trace bookkeeping, not rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_radacct_client_packets'($*)) dnl
gen_require(`
type radacct_client_packet_t;
')
allow $1 radacct_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_radacct_client_packets'($*)) dnl
')
########################################
##
## Send radacct_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_radacct_server_packets',` dnl
dnl Interface corenet_send_radacct_server_packets($1): allow domain $1 to send
dnl packets labeled radacct_server_packet_t (packet class, SECMARK labels).
dnl Pairs with the matching receive interface for two-way traffic.
dnl The policy_call_depth pushdefs (depth is re-pushed, never popped) and the
dnl policy_m4_comment begin/end calls are nesting-trace bookkeeping, not rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_radacct_server_packets'($*)) dnl
gen_require(`
type radacct_server_packet_t;
')
allow $1 radacct_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_radacct_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send radacct_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_radacct_server_packets',` dnl
dnl Interface corenet_dontaudit_send_radacct_server_packets($1): suppress the
dnl AVC denial audit when domain $1 tries to send radacct_server_packet_t
dnl packets. dontaudit grants nothing; it only hides the denial.
dnl The policy_call_depth pushdefs (depth is re-pushed, never popped) and the
dnl policy_m4_comment begin/end calls are nesting-trace bookkeeping, not rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_radacct_server_packets'($*)) dnl
gen_require(`
type radacct_server_packet_t;
')
dontaudit $1 radacct_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_radacct_server_packets'($*)) dnl
')
########################################
##
## Receive radacct_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_radacct_server_packets',` dnl
dnl Interface corenet_receive_radacct_server_packets($1): allow domain $1 to
dnl receive packets labeled radacct_server_packet_t (packet class, SECMARK).
dnl Pairs with the matching send interface for two-way traffic.
dnl The policy_call_depth pushdefs (depth is re-pushed, never popped) and the
dnl policy_m4_comment begin/end calls are nesting-trace bookkeeping, not rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_radacct_server_packets'($*)) dnl
gen_require(`
type radacct_server_packet_t;
')
allow $1 radacct_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_radacct_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive radacct_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_radacct_server_packets',` dnl
dnl Interface corenet_dontaudit_receive_radacct_server_packets($1): suppress the
dnl AVC denial audit when domain $1 would receive radacct_server_packet_t
dnl packets. dontaudit grants nothing; the packet is still denied, only the
dnl audit record is dropped.
dnl The policy_call_depth pushdefs (depth is re-pushed, never popped) and the
dnl policy_m4_comment begin/end calls are nesting-trace bookkeeping, not rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_radacct_server_packets'($*)) dnl
gen_require(`
type radacct_server_packet_t;
')
dontaudit $1 radacct_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_radacct_server_packets'($*)) dnl
')
########################################
##
## Send and receive radacct_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_radacct_server_packets',` dnl
dnl Interface corenet_sendrecv_radacct_server_packets($1): convenience wrapper
dnl that calls the send and receive interfaces for radacct_server_packet_t on
dnl domain $1. It emits no rules of its own.
dnl The policy_call_depth pushdefs (depth is re-pushed, never popped) and the
dnl policy_m4_comment begin/end calls are nesting-trace bookkeeping, not rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_radacct_server_packets'($*)) dnl
corenet_send_radacct_server_packets($1)
corenet_receive_radacct_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_radacct_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive radacct_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_radacct_server_packets',` dnl
dnl Interface corenet_dontaudit_sendrecv_radacct_server_packets($1): wrapper
dnl that calls the dontaudit send and dontaudit receive interfaces for
dnl radacct_server_packet_t on domain $1. Suppresses audit only; grants nothing.
dnl The policy_call_depth pushdefs (depth is re-pushed, never popped) and the
dnl policy_m4_comment begin/end calls are nesting-trace bookkeeping, not rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_radacct_server_packets'($*)) dnl
corenet_dontaudit_send_radacct_server_packets($1)
corenet_dontaudit_receive_radacct_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_radacct_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the radacct_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_radacct_server_packets',` dnl
dnl Interface corenet_relabelto_radacct_server_packets($1): allow domain $1 to
dnl relabel packets to radacct_server_packet_t (packet class relabelto).
dnl Relabeling decides which packet send/recv rules later apply, so this is a
dnl labeling-authority right and should be granted sparingly.
dnl The policy_call_depth pushdefs (depth is re-pushed, never popped) and the
dnl policy_m4_comment begin/end calls are nesting-trace bookkeeping, not rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_radacct_server_packets'($*)) dnl
gen_require(`
type radacct_server_packet_t;
')
allow $1 radacct_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_radacct_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the radius port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_radius_port',` dnl
dnl Interface corenet_tcp_sendrecv_radius_port($1): allow domain $1 send_msg and
dnl recv_msg on tcp_socket for radius_port_t, i.e. to pass TCP traffic on the
dnl radius port. This is traffic permission only; bind and connect are separate.
dnl The policy_call_depth pushdefs (depth is re-pushed, never popped) and the
dnl policy_m4_comment begin/end calls are nesting-trace bookkeeping, not rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_radius_port'($*)) dnl
gen_require(`
type radius_port_t;
')
allow $1 radius_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_radius_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the radius port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_radius_port',` dnl
dnl Interface corenet_udp_send_radius_port($1): allow domain $1 send_msg on
dnl udp_socket for radius_port_t, i.e. to send UDP datagrams on the radius port.
dnl Receive is a separate interface; bind is not included.
dnl The policy_call_depth pushdefs (depth is re-pushed, never popped) and the
dnl policy_m4_comment begin/end calls are nesting-trace bookkeeping, not rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_radius_port'($*)) dnl
gen_require(`
type radius_port_t;
')
allow $1 radius_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_radius_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the radius port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_radius_port',` dnl
dnl Interface corenet_dontaudit_udp_send_radius_port($1): suppress the AVC
dnl denial audit when domain $1 tries to send UDP traffic on radius_port_t.
dnl dontaudit grants nothing; it only hides the denial from the audit log.
dnl The policy_call_depth pushdefs (depth is re-pushed, never popped) and the
dnl policy_m4_comment begin/end calls are nesting-trace bookkeeping, not rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_radius_port'($*)) dnl
gen_require(`
type radius_port_t;
')
dontaudit $1 radius_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_radius_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the radius port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_radius_port',` dnl
dnl Interface corenet_udp_receive_radius_port($1): allow domain $1 recv_msg on
dnl udp_socket for radius_port_t, i.e. to receive UDP datagrams on the radius
dnl port. Send is a separate interface; bind is not included.
dnl The policy_call_depth pushdefs (depth is re-pushed, never popped) and the
dnl policy_m4_comment begin/end calls are nesting-trace bookkeeping, not rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_radius_port'($*)) dnl
gen_require(`
type radius_port_t;
')
allow $1 radius_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_radius_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the radius port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_radius_port',` dnl
dnl Interface corenet_dontaudit_udp_receive_radius_port($1): suppress the AVC
dnl denial audit when domain $1 would receive UDP traffic on radius_port_t.
dnl dontaudit grants nothing; the traffic is still denied, only unlogged.
dnl The policy_call_depth pushdefs (depth is re-pushed, never popped) and the
dnl policy_m4_comment begin/end calls are nesting-trace bookkeeping, not rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_radius_port'($*)) dnl
gen_require(`
type radius_port_t;
')
dontaudit $1 radius_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_radius_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the radius port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_radius_port',` dnl
dnl Interface corenet_udp_sendrecv_radius_port($1): convenience wrapper that
dnl calls the UDP send and receive interfaces for radius_port_t on domain $1.
dnl It emits no rules of its own.
dnl The policy_call_depth pushdefs (depth is re-pushed, never popped) and the
dnl policy_m4_comment begin/end calls are nesting-trace bookkeeping, not rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_radius_port'($*)) dnl
corenet_udp_send_radius_port($1)
corenet_udp_receive_radius_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_radius_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the radius port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_radius_port',` dnl
dnl Interface corenet_dontaudit_udp_sendrecv_radius_port($1): wrapper that
dnl calls the dontaudit UDP send and receive interfaces for radius_port_t on
dnl domain $1. Suppresses audit only; grants nothing.
dnl The policy_call_depth pushdefs (depth is re-pushed, never popped) and the
dnl policy_m4_comment begin/end calls are nesting-trace bookkeeping, not rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_radius_port'($*)) dnl
corenet_dontaudit_udp_send_radius_port($1)
corenet_dontaudit_udp_receive_radius_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_radius_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the radius port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_radius_port',` dnl
dnl Interface corenet_tcp_bind_radius_port($1): allow domain $1 name_bind on
dnl tcp_socket for radius_port_t, i.e. to listen on the radius port over TCP.
dnl Binding is a server-side right; grant it only to domains that serve the port.
dnl The policy_call_depth pushdefs (depth is re-pushed, never popped) and the
dnl policy_m4_comment begin/end calls are nesting-trace bookkeeping, not rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_radius_port'($*)) dnl
gen_require(`
type radius_port_t;
')
allow $1 radius_port_t:tcp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_radius_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the radius port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_radius_port',` dnl
dnl Interface corenet_udp_bind_radius_port($1): allow domain $1 name_bind on
dnl udp_socket for radius_port_t, i.e. to listen on the radius port over UDP.
dnl Binding is a server-side right; grant it only to domains that serve the port.
dnl The policy_call_depth pushdefs (depth is re-pushed, never popped) and the
dnl policy_m4_comment begin/end calls are nesting-trace bookkeeping, not rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_radius_port'($*)) dnl
gen_require(`
type radius_port_t;
')
allow $1 radius_port_t:udp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_radius_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the radius port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_radius_port',` dnl
dnl Interface corenet_tcp_connect_radius_port($1): allow domain $1 name_connect
dnl on tcp_socket for radius_port_t, i.e. to open outbound TCP connections to
dnl the radius port (client side only; no bind or listen right is granted).
dnl The policy_call_depth pushdefs (depth is re-pushed, never popped) and the
dnl policy_m4_comment begin/end calls are nesting-trace bookkeeping, not rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_radius_port'($*)) dnl
gen_require(`
type radius_port_t;
')
allow $1 radius_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_radius_port'($*)) dnl
')
########################################
##
## Send radius_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_radius_client_packets',` dnl
dnl Interface corenet_send_radius_client_packets($1): allow domain $1 to send
dnl packets labeled radius_client_packet_t (packet class, SECMARK labels).
dnl Pairs with the matching receive interface for two-way traffic.
dnl The policy_call_depth pushdefs (depth is re-pushed, never popped) and the
dnl policy_m4_comment begin/end calls are nesting-trace bookkeeping, not rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_radius_client_packets'($*)) dnl
gen_require(`
type radius_client_packet_t;
')
allow $1 radius_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_radius_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send radius_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_radius_client_packets',` dnl
dnl Interface corenet_dontaudit_send_radius_client_packets($1): suppress the
dnl AVC denial audit when domain $1 tries to send radius_client_packet_t
dnl packets. dontaudit grants nothing; it only hides the denial.
dnl The policy_call_depth pushdefs (depth is re-pushed, never popped) and the
dnl policy_m4_comment begin/end calls are nesting-trace bookkeeping, not rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_radius_client_packets'($*)) dnl
gen_require(`
type radius_client_packet_t;
')
dontaudit $1 radius_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_radius_client_packets'($*)) dnl
')
########################################
##
## Receive radius_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_radius_client_packets',` dnl
dnl Interface corenet_receive_radius_client_packets($1): allow domain $1 to
dnl receive packets labeled radius_client_packet_t (packet class, SECMARK).
dnl Pairs with the matching send interface for two-way traffic.
dnl The policy_call_depth pushdefs (depth is re-pushed, never popped) and the
dnl policy_m4_comment begin/end calls are nesting-trace bookkeeping, not rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_radius_client_packets'($*)) dnl
gen_require(`
type radius_client_packet_t;
')
allow $1 radius_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_radius_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive radius_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_radius_client_packets',` dnl
dnl Interface corenet_dontaudit_receive_radius_client_packets($1): suppress the
dnl AVC denial audit when domain $1 would receive radius_client_packet_t
dnl packets. dontaudit grants nothing; the packet is still denied, only the
dnl audit record is dropped.
dnl The policy_call_depth pushdefs (depth is re-pushed, never popped) and the
dnl policy_m4_comment begin/end calls are nesting-trace bookkeeping, not rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_radius_client_packets'($*)) dnl
gen_require(`
type radius_client_packet_t;
')
dontaudit $1 radius_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_radius_client_packets'($*)) dnl
')
########################################
##
## Send and receive radius_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_radius_client_packets',` dnl
dnl Interface corenet_sendrecv_radius_client_packets($1): convenience wrapper
dnl that calls the send and receive interfaces for radius_client_packet_t on
dnl domain $1. It emits no rules of its own.
dnl The policy_call_depth pushdefs (depth is re-pushed, never popped) and the
dnl policy_m4_comment begin/end calls are nesting-trace bookkeeping, not rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_radius_client_packets'($*)) dnl
corenet_send_radius_client_packets($1)
corenet_receive_radius_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_radius_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive radius_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_radius_client_packets',` dnl
dnl Interface corenet_dontaudit_sendrecv_radius_client_packets($1): wrapper
dnl that calls the dontaudit send and dontaudit receive interfaces for
dnl radius_client_packet_t on domain $1. Suppresses audit only; grants nothing.
dnl The policy_call_depth pushdefs (depth is re-pushed, never popped) and the
dnl policy_m4_comment begin/end calls are nesting-trace bookkeeping, not rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_radius_client_packets'($*)) dnl
corenet_dontaudit_send_radius_client_packets($1)
corenet_dontaudit_receive_radius_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_radius_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the radius_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_radius_client_packets',` dnl
dnl Interface corenet_relabelto_radius_client_packets($1): allow domain $1 to
dnl relabel packets to radius_client_packet_t (packet class relabelto).
dnl Relabeling decides which packet send/recv rules later apply, so this is a
dnl labeling-authority right and should be granted sparingly.
dnl The policy_call_depth pushdefs (depth is re-pushed, never popped) and the
dnl policy_m4_comment begin/end calls are nesting-trace bookkeeping, not rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_radius_client_packets'($*)) dnl
gen_require(`
type radius_client_packet_t;
')
allow $1 radius_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_radius_client_packets'($*)) dnl
')
########################################
##
## Send radius_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_radius_server_packets',` dnl
dnl Interface corenet_send_radius_server_packets($1): allow domain $1 to send
dnl packets labeled radius_server_packet_t (packet class, SECMARK labels).
dnl Pairs with the matching receive interface for two-way traffic.
dnl The policy_call_depth pushdefs (depth is re-pushed, never popped) and the
dnl policy_m4_comment begin/end calls are nesting-trace bookkeeping, not rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_radius_server_packets'($*)) dnl
gen_require(`
type radius_server_packet_t;
')
allow $1 radius_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_radius_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send radius_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_radius_server_packets',` dnl
dnl Interface corenet_dontaudit_send_radius_server_packets($1): suppress the
dnl AVC denial audit when domain $1 tries to send radius_server_packet_t
dnl packets. dontaudit grants nothing; it only hides the denial.
dnl The policy_call_depth pushdefs (depth is re-pushed, never popped) and the
dnl policy_m4_comment begin/end calls are nesting-trace bookkeeping, not rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_radius_server_packets'($*)) dnl
gen_require(`
type radius_server_packet_t;
')
dontaudit $1 radius_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_radius_server_packets'($*)) dnl
')
########################################
##
## Receive radius_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_radius_server_packets',` dnl
dnl Interface corenet_receive_radius_server_packets($1): allow domain $1 to
dnl receive packets labeled radius_server_packet_t (packet class, SECMARK).
dnl Pairs with the matching send interface for two-way traffic.
dnl The policy_call_depth pushdefs (depth is re-pushed, never popped) and the
dnl policy_m4_comment begin/end calls are nesting-trace bookkeeping, not rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_radius_server_packets'($*)) dnl
gen_require(`
type radius_server_packet_t;
')
allow $1 radius_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_radius_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive radius_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_radius_server_packets',` dnl
dnl Interface corenet_dontaudit_receive_radius_server_packets($1): suppress the
dnl AVC denial audit when domain $1 would receive radius_server_packet_t
dnl packets. dontaudit grants nothing; the packet is still denied, only the
dnl audit record is dropped.
dnl The policy_call_depth pushdefs (depth is re-pushed, never popped) and the
dnl policy_m4_comment begin/end calls are nesting-trace bookkeeping, not rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_radius_server_packets'($*)) dnl
gen_require(`
type radius_server_packet_t;
')
dontaudit $1 radius_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_radius_server_packets'($*)) dnl
')
########################################
##
## Send and receive radius_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_radius_server_packets',` dnl
dnl Interface corenet_sendrecv_radius_server_packets($1): convenience wrapper
dnl that calls the send and receive interfaces for radius_server_packet_t on
dnl domain $1. It emits no rules of its own.
dnl The policy_call_depth pushdefs (depth is re-pushed, never popped) and the
dnl policy_m4_comment begin/end calls are nesting-trace bookkeeping, not rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_radius_server_packets'($*)) dnl
corenet_send_radius_server_packets($1)
corenet_receive_radius_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_radius_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive radius_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_radius_server_packets',` dnl
dnl Interface corenet_dontaudit_sendrecv_radius_server_packets($1): wrapper
dnl that calls the dontaudit send and dontaudit receive interfaces for
dnl radius_server_packet_t on domain $1. Suppresses audit only; grants nothing.
dnl The policy_call_depth pushdefs (depth is re-pushed, never popped) and the
dnl policy_m4_comment begin/end calls are nesting-trace bookkeeping, not rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_radius_server_packets'($*)) dnl
corenet_dontaudit_send_radius_server_packets($1)
corenet_dontaudit_receive_radius_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_radius_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the radius_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_radius_server_packets',` dnl
dnl Interface corenet_relabelto_radius_server_packets($1): allow domain $1 to
dnl relabel packets to radius_server_packet_t (packet class relabelto).
dnl Relabeling decides which packet send/recv rules later apply, so this is a
dnl labeling-authority right and should be granted sparingly.
dnl The policy_call_depth pushdefs (depth is re-pushed, never popped) and the
dnl policy_m4_comment begin/end calls are nesting-trace bookkeeping, not rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_radius_server_packets'($*)) dnl
gen_require(`
type radius_server_packet_t;
')
allow $1 radius_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_radius_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the razor port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_razor_port',` dnl
dnl Interface corenet_tcp_sendrecv_razor_port($1): allow domain $1 send_msg and
dnl recv_msg on tcp_socket for razor_port_t, i.e. to pass TCP traffic on the
dnl razor port. This is traffic permission only; bind and connect are separate.
dnl The policy_call_depth pushdefs (depth is re-pushed, never popped) and the
dnl policy_m4_comment begin/end calls are nesting-trace bookkeeping, not rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_razor_port'($*)) dnl
gen_require(`
type razor_port_t;
')
allow $1 razor_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_razor_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the razor port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_razor_port',` dnl
dnl Interface corenet_udp_send_razor_port($1): allow domain $1 send_msg on
dnl udp_socket for razor_port_t, i.e. to send UDP datagrams on the razor port.
dnl Receive is a separate interface; bind is not included.
dnl The policy_call_depth pushdefs (depth is re-pushed, never popped) and the
dnl policy_m4_comment begin/end calls are nesting-trace bookkeeping, not rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_razor_port'($*)) dnl
gen_require(`
type razor_port_t;
')
allow $1 razor_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_razor_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the razor port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_razor_port',` dnl
dnl Interface corenet_dontaudit_udp_send_razor_port($1): suppress the AVC
dnl denial audit when domain $1 tries to send UDP traffic on razor_port_t.
dnl dontaudit grants nothing; it only hides the denial from the audit log.
dnl The policy_call_depth pushdefs (depth is re-pushed, never popped) and the
dnl policy_m4_comment begin/end calls are nesting-trace bookkeeping, not rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_razor_port'($*)) dnl
gen_require(`
type razor_port_t;
')
dontaudit $1 razor_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_razor_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the razor port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_razor_port',` dnl
dnl Interface corenet_udp_receive_razor_port($1): allow domain $1 recv_msg on
dnl udp_socket for razor_port_t, i.e. to receive UDP datagrams on the razor
dnl port. Send is a separate interface; bind is not included.
dnl The policy_call_depth pushdefs (depth is re-pushed, never popped) and the
dnl policy_m4_comment begin/end calls are nesting-trace bookkeeping, not rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_razor_port'($*)) dnl
gen_require(`
type razor_port_t;
')
allow $1 razor_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_razor_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the razor port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_razor_port',` dnl
dnl Interface corenet_dontaudit_udp_receive_razor_port($1): suppress the AVC
dnl denial audit when domain $1 would receive UDP traffic on razor_port_t.
dnl dontaudit grants nothing; the traffic is still denied, only unlogged.
dnl The policy_call_depth pushdefs (depth is re-pushed, never popped) and the
dnl policy_m4_comment begin/end calls are nesting-trace bookkeeping, not rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_razor_port'($*)) dnl
gen_require(`
type razor_port_t;
')
dontaudit $1 razor_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_razor_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the razor port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_razor_port',` dnl
dnl Interface corenet_udp_sendrecv_razor_port($1): convenience wrapper that
dnl calls the UDP send and receive interfaces for razor_port_t on domain $1.
dnl It emits no rules of its own.
dnl The policy_call_depth pushdefs (depth is re-pushed, never popped) and the
dnl policy_m4_comment begin/end calls are nesting-trace bookkeeping, not rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_razor_port'($*)) dnl
corenet_udp_send_razor_port($1)
corenet_udp_receive_razor_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_razor_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the razor port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_razor_port',` dnl
dnl Interface corenet_dontaudit_udp_sendrecv_razor_port($1): wrapper that
dnl calls the dontaudit UDP send and receive interfaces for razor_port_t on
dnl domain $1. Suppresses audit only; grants nothing.
dnl The policy_call_depth pushdefs (depth is re-pushed, never popped) and the
dnl policy_m4_comment begin/end calls are nesting-trace bookkeeping, not rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_razor_port'($*)) dnl
corenet_dontaudit_udp_send_razor_port($1)
corenet_dontaudit_udp_receive_razor_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_razor_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the razor port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_razor_port',` dnl
dnl Interface corenet_tcp_bind_razor_port($1): allow domain $1 name_bind on
dnl tcp_socket for razor_port_t, i.e. to listen on the razor port over TCP.
dnl Binding is a server-side right; grant it only to domains that serve the port.
dnl The policy_call_depth pushdefs (depth is re-pushed, never popped) and the
dnl policy_m4_comment begin/end calls are nesting-trace bookkeeping, not rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_razor_port'($*)) dnl
gen_require(`
type razor_port_t;
')
allow $1 razor_port_t:tcp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_razor_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the razor port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_razor_port',` dnl
dnl Call-depth bookkeeping for the generated begin/end markers.
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_razor_port'($*)) dnl
gen_require(`type razor_port_t;')
dnl Lets the caller domain bind a UDP socket to a port labeled razor_port_t.
allow $1 razor_port_t:udp_socket name_bind;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_razor_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the razor port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_razor_port',` dnl
dnl Call-depth bookkeeping for the generated begin/end markers.
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_razor_port'($*)) dnl
gen_require(`type razor_port_t;')
dnl Lets the caller domain open outbound TCP connections to a port labeled razor_port_t.
allow $1 razor_port_t:tcp_socket name_connect;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_razor_port'($*)) dnl
')
########################################
##
## Send razor_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_razor_client_packets',` dnl
dnl Call-depth bookkeeping for the generated begin/end markers.
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_razor_client_packets'($*)) dnl
gen_require(`type razor_client_packet_t;')
dnl Allows sending packets labeled razor_client_packet_t; how packets get that label is configured outside this interface.
allow $1 razor_client_packet_t:packet send;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_send_razor_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send razor_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_razor_client_packets',` dnl
dnl Call-depth bookkeeping for the generated begin/end markers.
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_razor_client_packets'($*)) dnl
gen_require(`type razor_client_packet_t;')
dnl Suppresses the AVC denial log only; the send stays denied. Keep this to known-benign noise so real denials remain visible.
dontaudit $1 razor_client_packet_t:packet send;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_razor_client_packets'($*)) dnl
')
########################################
##
## Receive razor_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_razor_client_packets',` dnl
dnl Call-depth bookkeeping for the generated begin/end markers.
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_razor_client_packets'($*)) dnl
gen_require(`type razor_client_packet_t;')
dnl Allows receiving packets labeled razor_client_packet_t; how packets get that label is configured outside this interface.
allow $1 razor_client_packet_t:packet recv;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_razor_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive razor_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_razor_client_packets',` dnl
dnl Call-depth bookkeeping for the generated begin/end markers.
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_razor_client_packets'($*)) dnl
gen_require(`type razor_client_packet_t;')
dnl Suppresses the AVC denial log only; the receive stays denied. Keep this to known-benign noise so real denials remain visible.
dontaudit $1 razor_client_packet_t:packet recv;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_razor_client_packets'($*)) dnl
')
########################################
##
## Send and receive razor_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_razor_client_packets',` dnl
dnl Call-depth bookkeeping for the generated begin/end markers.
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_razor_client_packets'($*)) dnl
dnl Convenience wrapper: grants both packet directions for razor_client_packet_t via the single-direction interfaces.
corenet_send_razor_client_packets($1)
corenet_receive_razor_client_packets($1)
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_razor_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive razor_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_razor_client_packets',` dnl
dnl Call-depth bookkeeping for the generated begin/end markers.
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_razor_client_packets'($*)) dnl
dnl Convenience wrapper: silences both packet directions for razor_client_packet_t. Logging only is suppressed; the access stays denied.
corenet_dontaudit_send_razor_client_packets($1)
corenet_dontaudit_receive_razor_client_packets($1)
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_razor_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the razor_client packet type.
## This is a labeling privilege rather than ordinary
## send/receive access; grant it only to the domain
## that manages packet labeling.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_razor_client_packets',` dnl
dnl Call-depth bookkeeping for the generated begin/end markers.
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_razor_client_packets'($*)) dnl
gen_require(`type razor_client_packet_t;')
dnl Lets the caller change a packet label to razor_client_packet_t. This is a labeling privilege, not plain access; grant it narrowly.
allow $1 razor_client_packet_t:packet relabelto;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_razor_client_packets'($*)) dnl
')
########################################
##
## Send razor_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_razor_server_packets',` dnl
dnl Call-depth bookkeeping for the generated begin/end markers.
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_razor_server_packets'($*)) dnl
gen_require(`type razor_server_packet_t;')
dnl Allows sending packets labeled razor_server_packet_t; how packets get that label is configured outside this interface.
allow $1 razor_server_packet_t:packet send;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_send_razor_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send razor_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_razor_server_packets',` dnl
dnl Call-depth bookkeeping for the generated begin/end markers.
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_razor_server_packets'($*)) dnl
gen_require(`type razor_server_packet_t;')
dnl Suppresses the AVC denial log only; the send stays denied. Keep this to known-benign noise so real denials remain visible.
dontaudit $1 razor_server_packet_t:packet send;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_razor_server_packets'($*)) dnl
')
########################################
##
## Receive razor_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_razor_server_packets',` dnl
dnl Call-depth bookkeeping for the generated begin/end markers.
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_razor_server_packets'($*)) dnl
gen_require(`type razor_server_packet_t;')
dnl Allows receiving packets labeled razor_server_packet_t; how packets get that label is configured outside this interface.
allow $1 razor_server_packet_t:packet recv;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_razor_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive razor_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_razor_server_packets',` dnl
dnl Call-depth bookkeeping for the generated begin/end markers.
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_razor_server_packets'($*)) dnl
gen_require(`type razor_server_packet_t;')
dnl Suppresses the AVC denial log only; the receive stays denied. Keep this to known-benign noise so real denials remain visible.
dontaudit $1 razor_server_packet_t:packet recv;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_razor_server_packets'($*)) dnl
')
########################################
##
## Send and receive razor_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_razor_server_packets',` dnl
dnl Call-depth bookkeeping for the generated begin/end markers.
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_razor_server_packets'($*)) dnl
dnl Convenience wrapper: grants both packet directions for razor_server_packet_t via the single-direction interfaces.
corenet_send_razor_server_packets($1)
corenet_receive_razor_server_packets($1)
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_razor_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive razor_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_razor_server_packets',` dnl
dnl Call-depth bookkeeping for the generated begin/end markers.
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_razor_server_packets'($*)) dnl
dnl Convenience wrapper: silences both packet directions for razor_server_packet_t. Logging only is suppressed; the access stays denied.
corenet_dontaudit_send_razor_server_packets($1)
corenet_dontaudit_receive_razor_server_packets($1)
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_razor_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the razor_server packet type.
## This is a labeling privilege rather than ordinary
## send/receive access; grant it only to the domain
## that manages packet labeling.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_razor_server_packets',` dnl
dnl Call-depth bookkeeping for the generated begin/end markers.
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_razor_server_packets'($*)) dnl
gen_require(`type razor_server_packet_t;')
dnl Lets the caller change a packet label to razor_server_packet_t. This is a labeling privilege, not plain access; grant it narrowly.
allow $1 razor_server_packet_t:packet relabelto;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_razor_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the ricci port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_ricci_port',` dnl
dnl Call-depth bookkeeping for the generated begin/end markers.
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ricci_port'($*)) dnl
gen_require(`type ricci_port_t;')
dnl Port-level TCP send and receive on ricci_port_t; bind and connect are separate interfaces.
allow $1 ricci_port_t:tcp_socket { send_msg recv_msg };
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ricci_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the ricci port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_ricci_port',` dnl
dnl Call-depth bookkeeping for the generated begin/end markers.
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ricci_port'($*)) dnl
gen_require(`type ricci_port_t;')
dnl Port-level UDP send toward ricci_port_t; binding is a separate interface.
allow $1 ricci_port_t:udp_socket send_msg;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_ricci_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the ricci port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_ricci_port',` dnl
dnl Call-depth bookkeeping for the generated begin/end markers.
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ricci_port'($*)) dnl
gen_require(`type ricci_port_t;')
dnl Suppresses the AVC denial log only; the send stays denied. Keep this to known-benign noise so real denials remain visible.
dontaudit $1 ricci_port_t:udp_socket send_msg;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ricci_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the ricci port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_ricci_port',` dnl
dnl Call-depth bookkeeping for the generated begin/end markers.
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ricci_port'($*)) dnl
gen_require(`type ricci_port_t;')
dnl Port-level UDP receive on ricci_port_t; binding is a separate interface.
allow $1 ricci_port_t:udp_socket recv_msg;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ricci_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the ricci port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_ricci_port',` dnl
dnl Call-depth bookkeeping for the generated begin/end markers.
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ricci_port'($*)) dnl
gen_require(`type ricci_port_t;')
dnl Suppresses the AVC denial log only; the receive stays denied. Keep this to known-benign noise so real denials remain visible.
dontaudit $1 ricci_port_t:udp_socket recv_msg;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ricci_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the ricci port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_ricci_port',` dnl
dnl Call-depth bookkeeping for the generated begin/end markers.
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ricci_port'($*)) dnl
dnl Convenience wrapper: grants both UDP directions on ricci_port_t by delegating to the single-direction interfaces.
corenet_udp_send_ricci_port($1)
corenet_udp_receive_ricci_port($1)
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ricci_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the ricci port. This only suppresses
## the AVC denial message; the access is still denied.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_ricci_port',` dnl
dnl Call-depth bookkeeping for the generated begin/end markers.
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ricci_port'($*)) dnl
dnl Convenience wrapper: silences both UDP directions on ricci_port_t. Each delegate suppresses logging only; the access stays denied.
corenet_dontaudit_udp_send_ricci_port($1)
corenet_dontaudit_udp_receive_ricci_port($1)
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ricci_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the ricci port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_ricci_port',` dnl
dnl Call-depth bookkeeping for the generated begin/end markers.
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ricci_port'($*)) dnl
gen_require(`type ricci_port_t;')
dnl Lets the caller domain bind a listening TCP socket to a port labeled ricci_port_t.
allow $1 ricci_port_t:tcp_socket name_bind;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ricci_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the ricci port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_ricci_port',` dnl
dnl Call-depth bookkeeping for the generated begin/end markers.
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ricci_port'($*)) dnl
gen_require(`type ricci_port_t;')
dnl Lets the caller domain bind a UDP socket to a port labeled ricci_port_t.
allow $1 ricci_port_t:udp_socket name_bind;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ricci_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the ricci port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_ricci_port',` dnl
dnl Call-depth bookkeeping for the generated begin/end markers.
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ricci_port'($*)) dnl
gen_require(`type ricci_port_t;')
dnl Lets the caller domain open outbound TCP connections to a port labeled ricci_port_t.
allow $1 ricci_port_t:tcp_socket name_connect;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ricci_port'($*)) dnl
')
########################################
##
## Send ricci_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_ricci_client_packets',` dnl
dnl Call-depth bookkeeping for the generated begin/end markers.
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ricci_client_packets'($*)) dnl
gen_require(`type ricci_client_packet_t;')
dnl Allows sending packets labeled ricci_client_packet_t; how packets get that label is configured outside this interface.
allow $1 ricci_client_packet_t:packet send;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ricci_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send ricci_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_ricci_client_packets',` dnl
dnl Call-depth bookkeeping for the generated begin/end markers.
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ricci_client_packets'($*)) dnl
gen_require(`type ricci_client_packet_t;')
dnl Suppresses the AVC denial log only; the send stays denied. Keep this to known-benign noise so real denials remain visible.
dontaudit $1 ricci_client_packet_t:packet send;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ricci_client_packets'($*)) dnl
')
########################################
##
## Receive ricci_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_ricci_client_packets',` dnl
dnl Call-depth bookkeeping for the generated begin/end markers.
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ricci_client_packets'($*)) dnl
gen_require(`type ricci_client_packet_t;')
dnl Allows receiving packets labeled ricci_client_packet_t; how packets get that label is configured outside this interface.
allow $1 ricci_client_packet_t:packet recv;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ricci_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive ricci_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_ricci_client_packets',` dnl
dnl Call-depth bookkeeping for the generated begin/end markers.
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ricci_client_packets'($*)) dnl
gen_require(`type ricci_client_packet_t;')
dnl Suppresses the AVC denial log only; the receive stays denied. Keep this to known-benign noise so real denials remain visible.
dontaudit $1 ricci_client_packet_t:packet recv;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ricci_client_packets'($*)) dnl
')
########################################
##
## Send and receive ricci_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_ricci_client_packets',` dnl
dnl Call-depth bookkeeping for the generated begin/end markers.
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ricci_client_packets'($*)) dnl
dnl Convenience wrapper: grants both packet directions for ricci_client_packet_t via the single-direction interfaces.
corenet_send_ricci_client_packets($1)
corenet_receive_ricci_client_packets($1)
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ricci_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive ricci_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_ricci_client_packets',` dnl
dnl Call-depth bookkeeping for the generated begin/end markers.
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ricci_client_packets'($*)) dnl
dnl Convenience wrapper: silences both packet directions for ricci_client_packet_t. Logging only is suppressed; the access stays denied.
corenet_dontaudit_send_ricci_client_packets($1)
corenet_dontaudit_receive_ricci_client_packets($1)
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ricci_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the ricci_client packet type.
## This is a labeling privilege rather than ordinary
## send/receive access; grant it only to the domain
## that manages packet labeling.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_ricci_client_packets',` dnl
dnl Call-depth bookkeeping for the generated begin/end markers.
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ricci_client_packets'($*)) dnl
gen_require(`type ricci_client_packet_t;')
dnl Lets the caller change a packet label to ricci_client_packet_t. This is a labeling privilege, not plain access; grant it narrowly.
allow $1 ricci_client_packet_t:packet relabelto;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ricci_client_packets'($*)) dnl
')
########################################
##
## Send ricci_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_ricci_server_packets',` dnl
dnl Call-depth bookkeeping for the generated begin/end markers.
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ricci_server_packets'($*)) dnl
gen_require(`type ricci_server_packet_t;')
dnl Allows sending packets labeled ricci_server_packet_t; how packets get that label is configured outside this interface.
allow $1 ricci_server_packet_t:packet send;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ricci_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send ricci_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_ricci_server_packets',` dnl
dnl Call-depth bookkeeping for the generated begin/end markers.
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ricci_server_packets'($*)) dnl
gen_require(`type ricci_server_packet_t;')
dnl Suppresses the AVC denial log only; the send stays denied. Keep this to known-benign noise so real denials remain visible.
dontaudit $1 ricci_server_packet_t:packet send;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ricci_server_packets'($*)) dnl
')
########################################
##
## Receive ricci_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_ricci_server_packets',` dnl
dnl Call-depth bookkeeping for the generated begin/end markers.
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ricci_server_packets'($*)) dnl
gen_require(`type ricci_server_packet_t;')
dnl Allows receiving packets labeled ricci_server_packet_t; how packets get that label is configured outside this interface.
allow $1 ricci_server_packet_t:packet recv;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ricci_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive ricci_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_ricci_server_packets',` dnl
dnl Call-depth bookkeeping for the generated begin/end markers.
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ricci_server_packets'($*)) dnl
gen_require(`type ricci_server_packet_t;')
dnl Suppresses the AVC denial log only; the receive stays denied. Keep this to known-benign noise so real denials remain visible.
dontaudit $1 ricci_server_packet_t:packet recv;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ricci_server_packets'($*)) dnl
')
########################################
##
## Send and receive ricci_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_ricci_server_packets',` dnl
dnl Call-depth bookkeeping for the generated begin/end markers.
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ricci_server_packets'($*)) dnl
dnl Convenience wrapper: grants both packet directions for ricci_server_packet_t via the single-direction interfaces.
corenet_send_ricci_server_packets($1)
corenet_receive_ricci_server_packets($1)
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ricci_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive ricci_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_ricci_server_packets',` dnl
dnl Call-depth bookkeeping for the generated begin/end markers.
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ricci_server_packets'($*)) dnl
dnl Convenience wrapper: silences both packet directions for ricci_server_packet_t. Logging only is suppressed; the access stays denied.
corenet_dontaudit_send_ricci_server_packets($1)
corenet_dontaudit_receive_ricci_server_packets($1)
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ricci_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the ricci_server packet type.
## This is a labeling privilege rather than ordinary
## send/receive access; grant it only to the domain
## that manages packet labeling.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_ricci_server_packets',` dnl
dnl Call-depth bookkeeping for the generated begin/end markers.
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ricci_server_packets'($*)) dnl
gen_require(`type ricci_server_packet_t;')
dnl Lets the caller change a packet label to ricci_server_packet_t. This is a labeling privilege, not plain access; grant it narrowly.
allow $1 ricci_server_packet_t:packet relabelto;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ricci_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the ricci_modcluster port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_ricci_modcluster_port',` dnl
dnl Call-depth bookkeeping for the generated begin/end markers.
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ricci_modcluster_port'($*)) dnl
gen_require(`type ricci_modcluster_port_t;')
dnl Port-level TCP send and receive on ricci_modcluster_port_t; bind and connect are separate interfaces.
allow $1 ricci_modcluster_port_t:tcp_socket { send_msg recv_msg };
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ricci_modcluster_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the ricci_modcluster port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_ricci_modcluster_port',` dnl
dnl Call-depth bookkeeping for the generated begin/end markers.
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ricci_modcluster_port'($*)) dnl
gen_require(`type ricci_modcluster_port_t;')
dnl Port-level UDP send toward ricci_modcluster_port_t; binding is a separate interface.
allow $1 ricci_modcluster_port_t:udp_socket send_msg;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_ricci_modcluster_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the ricci_modcluster port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_ricci_modcluster_port',` dnl
dnl Call-depth bookkeeping for the generated begin/end markers.
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ricci_modcluster_port'($*)) dnl
gen_require(`type ricci_modcluster_port_t;')
dnl Suppresses the AVC denial log only; the send stays denied. Keep this to known-benign noise so real denials remain visible.
dontaudit $1 ricci_modcluster_port_t:udp_socket send_msg;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ricci_modcluster_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the ricci_modcluster port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_ricci_modcluster_port',` dnl
dnl Call-depth bookkeeping for the generated begin/end markers.
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ricci_modcluster_port'($*)) dnl
gen_require(`type ricci_modcluster_port_t;')
dnl Port-level UDP receive on ricci_modcluster_port_t; binding is a separate interface.
allow $1 ricci_modcluster_port_t:udp_socket recv_msg;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ricci_modcluster_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the ricci_modcluster port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_ricci_modcluster_port',` dnl
dnl Call-depth bookkeeping for the generated begin/end markers.
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ricci_modcluster_port'($*)) dnl
gen_require(`type ricci_modcluster_port_t;')
dnl Suppresses the AVC denial log only; the receive stays denied. Keep this to known-benign noise so real denials remain visible.
dontaudit $1 ricci_modcluster_port_t:udp_socket recv_msg;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ricci_modcluster_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the ricci_modcluster port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_ricci_modcluster_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ricci_modcluster_port'($*)) dnl
# Composition only: delegates to the send and receive interfaces, each of which carries its own gen_require.
corenet_udp_send_ricci_modcluster_port($1)
corenet_udp_receive_ricci_modcluster_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ricci_modcluster_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the ricci_modcluster port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_ricci_modcluster_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ricci_modcluster_port'($*)) dnl
# Composition only: delegates to the two dontaudit interfaces; nothing is allowed, denials are merely not logged.
corenet_dontaudit_udp_send_ricci_modcluster_port($1)
corenet_dontaudit_udp_receive_ricci_modcluster_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ricci_modcluster_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the ricci_modcluster port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_ricci_modcluster_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ricci_modcluster_port'($*)) dnl
# tcp_socket name_bind on this port type only. Unlike the rlogind bind interfaces, no
# net_bind_service capability is granted, which suggests the port is outside the reserved range -- verify against the port declaration.
gen_require(`
type ricci_modcluster_port_t;
')
allow $1 ricci_modcluster_port_t:tcp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ricci_modcluster_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the ricci_modcluster port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_ricci_modcluster_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ricci_modcluster_port'($*)) dnl
# udp_socket name_bind on this port type only; no net_bind_service capability is granted here.
gen_require(`
type ricci_modcluster_port_t;
')
allow $1 ricci_modcluster_port_t:udp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ricci_modcluster_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the ricci_modcluster port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_ricci_modcluster_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ricci_modcluster_port'($*)) dnl
# tcp_socket name_connect only (outbound connection to this port type); send_msg/recv_msg are covered by the tcp_sendrecv interface.
gen_require(`
type ricci_modcluster_port_t;
')
allow $1 ricci_modcluster_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ricci_modcluster_port'($*)) dnl
')
########################################
##
## Send ricci_modcluster_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_ricci_modcluster_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ricci_modcluster_client_packets'($*)) dnl
# packet send on this type; packet-class checks apply to packets labelled by netfilter SECMARK rules.
gen_require(`
type ricci_modcluster_client_packet_t;
')
allow $1 ricci_modcluster_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ricci_modcluster_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send ricci_modcluster_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_ricci_modcluster_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ricci_modcluster_client_packets'($*)) dnl
# dontaudit only: hides denials of packet send on this type from the audit log; grants no access.
gen_require(`
type ricci_modcluster_client_packet_t;
')
dontaudit $1 ricci_modcluster_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ricci_modcluster_client_packets'($*)) dnl
')
########################################
##
## Receive ricci_modcluster_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_ricci_modcluster_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ricci_modcluster_client_packets'($*)) dnl
# packet recv on this type (SECMARK-labelled packets only).
gen_require(`
type ricci_modcluster_client_packet_t;
')
allow $1 ricci_modcluster_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ricci_modcluster_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive ricci_modcluster_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_ricci_modcluster_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ricci_modcluster_client_packets'($*)) dnl
# dontaudit only: hides denials of packet recv on this type; grants no access.
gen_require(`
type ricci_modcluster_client_packet_t;
')
dontaudit $1 ricci_modcluster_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ricci_modcluster_client_packets'($*)) dnl
')
########################################
##
## Send and receive ricci_modcluster_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_ricci_modcluster_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ricci_modcluster_client_packets'($*)) dnl
# Composition only: delegates to the packet send and receive interfaces, each with its own gen_require.
corenet_send_ricci_modcluster_client_packets($1)
corenet_receive_ricci_modcluster_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ricci_modcluster_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive ricci_modcluster_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_ricci_modcluster_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ricci_modcluster_client_packets'($*)) dnl
# Composition only: delegates to the two dontaudit interfaces; nothing is allowed, denials are merely not logged.
corenet_dontaudit_send_ricci_modcluster_client_packets($1)
corenet_dontaudit_receive_ricci_modcluster_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ricci_modcluster_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the ricci_modcluster_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_ricci_modcluster_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ricci_modcluster_client_packets'($*)) dnl
# packet relabelto: lets the domain assign this packet label; presumably needed by whichever domain loads the SECMARK rules -- confirm against callers.
gen_require(`
type ricci_modcluster_client_packet_t;
')
allow $1 ricci_modcluster_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ricci_modcluster_client_packets'($*)) dnl
')
########################################
##
## Send ricci_modcluster_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_ricci_modcluster_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ricci_modcluster_server_packets'($*)) dnl
# packet send on this type; packet-class checks apply to packets labelled by netfilter SECMARK rules.
gen_require(`
type ricci_modcluster_server_packet_t;
')
allow $1 ricci_modcluster_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ricci_modcluster_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send ricci_modcluster_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_ricci_modcluster_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ricci_modcluster_server_packets'($*)) dnl
# dontaudit only: hides denials of packet send on this type from the audit log; grants no access.
gen_require(`
type ricci_modcluster_server_packet_t;
')
dontaudit $1 ricci_modcluster_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ricci_modcluster_server_packets'($*)) dnl
')
########################################
##
## Receive ricci_modcluster_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_ricci_modcluster_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ricci_modcluster_server_packets'($*)) dnl
# packet recv on this type (SECMARK-labelled packets only).
gen_require(`
type ricci_modcluster_server_packet_t;
')
allow $1 ricci_modcluster_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ricci_modcluster_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive ricci_modcluster_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_ricci_modcluster_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ricci_modcluster_server_packets'($*)) dnl
# dontaudit only: hides denials of packet recv on this type; grants no access.
gen_require(`
type ricci_modcluster_server_packet_t;
')
dontaudit $1 ricci_modcluster_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ricci_modcluster_server_packets'($*)) dnl
')
########################################
##
## Send and receive ricci_modcluster_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_ricci_modcluster_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ricci_modcluster_server_packets'($*)) dnl
# Composition only: delegates to the packet send and receive interfaces, each with its own gen_require.
corenet_send_ricci_modcluster_server_packets($1)
corenet_receive_ricci_modcluster_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ricci_modcluster_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive ricci_modcluster_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_ricci_modcluster_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ricci_modcluster_server_packets'($*)) dnl
# Composition only: delegates to the two dontaudit interfaces; nothing is allowed, denials are merely not logged.
corenet_dontaudit_send_ricci_modcluster_server_packets($1)
corenet_dontaudit_receive_ricci_modcluster_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ricci_modcluster_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the ricci_modcluster_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_ricci_modcluster_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ricci_modcluster_server_packets'($*)) dnl
# packet relabelto: lets the domain assign this packet label; presumably needed by whichever domain loads the SECMARK rules -- confirm against callers.
gen_require(`
type ricci_modcluster_server_packet_t;
')
allow $1 ricci_modcluster_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ricci_modcluster_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the rlogind port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_rlogind_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_rlogind_port'($*)) dnl
# send_msg and recv_msg on a tcp_socket for this port type; does not include name_connect or name_bind.
gen_require(`
type rlogind_port_t;
')
allow $1 rlogind_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_rlogind_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the rlogind port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_rlogind_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_rlogind_port'($*)) dnl
# Grants udp_socket send_msg on this port type only; packet-class (SECMARK) access is a separate interface.
gen_require(`
type rlogind_port_t;
')
allow $1 rlogind_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_rlogind_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the rlogind port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_rlogind_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_rlogind_port'($*)) dnl
# dontaudit only: hides denials of udp_socket send_msg on this port type from the audit log; grants no access.
gen_require(`
type rlogind_port_t;
')
dontaudit $1 rlogind_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_rlogind_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the rlogind port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_rlogind_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_rlogind_port'($*)) dnl
# Grants udp_socket recv_msg on this port type only; packet-class (SECMARK) access is a separate interface.
gen_require(`
type rlogind_port_t;
')
allow $1 rlogind_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_rlogind_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the rlogind port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_rlogind_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_rlogind_port'($*)) dnl
# dontaudit only: hides denials of udp_socket recv_msg on this port type; grants no access.
gen_require(`
type rlogind_port_t;
')
dontaudit $1 rlogind_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_rlogind_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the rlogind port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_rlogind_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_rlogind_port'($*)) dnl
# Composition only: delegates to the send and receive interfaces, each of which carries its own gen_require.
corenet_udp_send_rlogind_port($1)
corenet_udp_receive_rlogind_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_rlogind_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the rlogind port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_rlogind_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_rlogind_port'($*)) dnl
# Composition only: delegates to the two dontaudit interfaces; nothing is allowed, denials are merely not logged.
corenet_dontaudit_udp_send_rlogind_port($1)
corenet_dontaudit_udp_receive_rlogind_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_rlogind_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the rlogind port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_rlogind_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_rlogind_port'($*)) dnl
# Grants name_bind on the port type AND the net_bind_service capability on self.
# The capability is a process-wide DAC privilege (binding any privileged port), wider than this
# single port; SELinux name_bind still limits which port types the domain may actually bind.
# Compare the ricci_modcluster bind interfaces, which grant no capability.
gen_require(`
type rlogind_port_t;
')
allow $1 rlogind_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_rlogind_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the rlogind port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_rlogind_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_rlogind_port'($*)) dnl
# Grants name_bind on the port type AND the net_bind_service capability on self; the capability
# is wider than this one port (see the tcp bind interface above for the same caveat).
gen_require(`
type rlogind_port_t;
')
allow $1 rlogind_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_rlogind_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the rlogind port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_rlogind_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_rlogind_port'($*)) dnl
# tcp_socket name_connect only (outbound connection to this port type); send_msg/recv_msg are covered by the tcp_sendrecv interface.
gen_require(`
type rlogind_port_t;
')
allow $1 rlogind_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_rlogind_port'($*)) dnl
')
########################################
##
## Send rlogind_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_rlogind_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_rlogind_client_packets'($*)) dnl
# packet send on this type; packet-class checks apply to packets labelled by netfilter SECMARK rules.
gen_require(`
type rlogind_client_packet_t;
')
allow $1 rlogind_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_rlogind_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send rlogind_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_rlogind_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_rlogind_client_packets'($*)) dnl
# dontaudit only: hides denials of packet send on this type from the audit log; grants no access.
gen_require(`
type rlogind_client_packet_t;
')
dontaudit $1 rlogind_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_rlogind_client_packets'($*)) dnl
')
########################################
##
## Receive rlogind_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_rlogind_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_rlogind_client_packets'($*)) dnl
# packet recv on this type (SECMARK-labelled packets only).
gen_require(`
type rlogind_client_packet_t;
')
allow $1 rlogind_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_rlogind_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive rlogind_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_rlogind_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_rlogind_client_packets'($*)) dnl
# dontaudit only: hides denials of packet recv on this type; grants no access.
gen_require(`
type rlogind_client_packet_t;
')
dontaudit $1 rlogind_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_rlogind_client_packets'($*)) dnl
')
########################################
##
## Send and receive rlogind_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_rlogind_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_rlogind_client_packets'($*)) dnl
# Composition only: delegates to the packet send and receive interfaces, each with its own gen_require.
corenet_send_rlogind_client_packets($1)
corenet_receive_rlogind_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_rlogind_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive rlogind_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_rlogind_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_rlogind_client_packets'($*)) dnl
# Composition only: delegates to the two dontaudit interfaces; nothing is allowed, denials are merely not logged.
corenet_dontaudit_send_rlogind_client_packets($1)
corenet_dontaudit_receive_rlogind_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_rlogind_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the rlogind_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_rlogind_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_rlogind_client_packets'($*)) dnl
# packet relabelto: lets the domain assign this packet label; presumably needed by whichever domain loads the SECMARK rules -- confirm against callers.
gen_require(`
type rlogind_client_packet_t;
')
allow $1 rlogind_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_rlogind_client_packets'($*)) dnl
')
########################################
##
## Send rlogind_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_rlogind_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_rlogind_server_packets'($*)) dnl
# packet send on this type; packet-class checks apply to packets labelled by netfilter SECMARK rules.
gen_require(`
type rlogind_server_packet_t;
')
allow $1 rlogind_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_rlogind_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send rlogind_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_rlogind_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_rlogind_server_packets'($*)) dnl
# dontaudit only: hides denials of packet send on this type from the audit log; grants no access.
gen_require(`
type rlogind_server_packet_t;
')
dontaudit $1 rlogind_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_rlogind_server_packets'($*)) dnl
')
########################################
##
## Receive rlogind_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_rlogind_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_rlogind_server_packets'($*)) dnl
# packet recv on this type (SECMARK-labelled packets only).
gen_require(`
type rlogind_server_packet_t;
')
allow $1 rlogind_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_rlogind_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive rlogind_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_rlogind_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_rlogind_server_packets'($*)) dnl
# dontaudit only: hides denials of packet recv on this type; grants no access.
gen_require(`
type rlogind_server_packet_t;
')
dontaudit $1 rlogind_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_rlogind_server_packets'($*)) dnl
')
########################################
##
## Send and receive rlogind_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_rlogind_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_rlogind_server_packets'($*)) dnl
# Composition only: delegates to the packet send and receive interfaces, each with its own gen_require.
corenet_send_rlogind_server_packets($1)
corenet_receive_rlogind_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_rlogind_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive rlogind_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_rlogind_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_rlogind_server_packets'($*)) dnl
# Composition only: delegates to the two dontaudit interfaces; nothing is allowed, denials are merely not logged.
corenet_dontaudit_send_rlogind_server_packets($1)
corenet_dontaudit_receive_rlogind_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_rlogind_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the rlogind_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_rlogind_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_rlogind_server_packets'($*)) dnl
# packet relabelto: lets the domain assign this packet label; presumably needed by whichever domain loads the SECMARK rules -- confirm against callers.
gen_require(`
type rlogind_server_packet_t;
')
allow $1 rlogind_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_rlogind_server_packets'($*)) dnl
')
########################################
## <summary>
## Send and receive TCP traffic on the rndc port.
## </summary>
## <desc>
## <p>
## Grants only send_msg and recv_msg on rndc_port_t TCP sockets; it does
## not include name_connect or name_bind, which are separate interfaces.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
define(`corenet_tcp_sendrecv_rndc_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_rndc_port'($*)) dnl
gen_require(`
type rndc_port_t;
')
allow $1 rndc_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_rndc_port'($*)) dnl
')
########################################
## <summary>
## Send UDP traffic on the rndc port.
## </summary>
## <desc>
## <p>
## Grants only send_msg on rndc_port_t UDP sockets. Binding the port is a
## separate interface (corenet_udp_bind_rndc_port) that also grants a
## capability.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
define(`corenet_udp_send_rndc_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_rndc_port'($*)) dnl
gen_require(`
type rndc_port_t;
')
allow $1 rndc_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_rndc_port'($*)) dnl
')
########################################
## <summary>
## Do not audit attempts to send UDP traffic on the rndc port.
## </summary>
## <desc>
## <p>
## dontaudit only suppresses the AVC audit record; the send is still
## denied. Use it for denials known to be harmless noise, since it also
## hides them from audit-based detection.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
define(`corenet_dontaudit_udp_send_rndc_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_rndc_port'($*)) dnl
gen_require(`
type rndc_port_t;
')
dontaudit $1 rndc_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_rndc_port'($*)) dnl
')
########################################
## <summary>
## Receive UDP traffic on the rndc port.
## </summary>
## <desc>
## <p>
## Grants only recv_msg on rndc_port_t UDP sockets. Binding the port is a
## separate interface (corenet_udp_bind_rndc_port) that also grants a
## capability.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
define(`corenet_udp_receive_rndc_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_rndc_port'($*)) dnl
gen_require(`
type rndc_port_t;
')
allow $1 rndc_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_rndc_port'($*)) dnl
')
########################################
## <summary>
## Do not audit attempts to receive UDP traffic on the rndc port.
## </summary>
## <desc>
## <p>
## dontaudit only suppresses the AVC audit record; the receive is still
## denied. Use it for denials known to be harmless noise, since it also
## hides them from audit-based detection.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_rndc_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_rndc_port'($*)) dnl
gen_require(`
type rndc_port_t;
')
dontaudit $1 rndc_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_rndc_port'($*)) dnl
')
########################################
## <summary>
## Send and receive UDP traffic on the rndc port.
## </summary>
## <desc>
## <p>
## Convenience wrapper: expands to corenet_udp_send_rndc_port and
## corenet_udp_receive_rndc_port for the same domain. The
## policy_temp/pushdef/undefine lines only track nesting depth for the
## policy_m4_comment begin/end markers; they are not access rules.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
define(`corenet_udp_sendrecv_rndc_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_rndc_port'($*)) dnl
corenet_udp_send_rndc_port($1)
corenet_udp_receive_rndc_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_rndc_port'($*)) dnl
')
########################################
## <summary>
## Do not audit attempts to send and receive
## UDP traffic on the rndc port.
## </summary>
## <desc>
## <p>
## Wrapper over the two dontaudit interfaces. dontaudit only suppresses
## the AVC audit record; the access is still denied. Reserve it for
## denials known to be harmless noise, because it also hides them from
## audit-based detection.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_rndc_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_rndc_port'($*)) dnl
corenet_dontaudit_udp_send_rndc_port($1)
corenet_dontaudit_udp_receive_rndc_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_rndc_port'($*)) dnl
')
########################################
## <summary>
## Bind TCP sockets to the rndc port.
## </summary>
## <desc>
## <p>
## Besides name_bind on rndc_port_t this also grants the domain
## CAP_NET_BIND_SERVICE on itself (allow $1 self:capability
## net_bind_service). That capability is not scoped to the rndc port:
## combined with any other name_bind the domain holds it also permits
## binding other privileged ports, so review which domains receive it.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
define(`corenet_tcp_bind_rndc_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_rndc_port'($*)) dnl
gen_require(`
type rndc_port_t;
')
allow $1 rndc_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_rndc_port'($*)) dnl
')
########################################
## <summary>
## Bind UDP sockets to the rndc port.
## </summary>
## <desc>
## <p>
## Besides name_bind on rndc_port_t this also grants the domain
## CAP_NET_BIND_SERVICE on itself (allow $1 self:capability
## net_bind_service). That capability is not scoped to the rndc port:
## combined with any other name_bind the domain holds it also permits
## binding other privileged ports, so review which domains receive it.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
define(`corenet_udp_bind_rndc_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_rndc_port'($*)) dnl
gen_require(`
type rndc_port_t;
')
allow $1 rndc_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_rndc_port'($*)) dnl
')
########################################
## <summary>
## Make a TCP connection to the rndc port.
## </summary>
## <desc>
## <p>
## Grants only name_connect, the outbound client-side permission on
## rndc_port_t; it does not include name_bind or the send_msg/recv_msg
## rules of corenet_tcp_sendrecv_rndc_port.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
define(`corenet_tcp_connect_rndc_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_rndc_port'($*)) dnl
gen_require(`
type rndc_port_t;
')
allow $1 rndc_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_rndc_port'($*)) dnl
')
########################################
## <summary>
## Send rndc_client packets.
## </summary>
## <desc>
## <p>
## Grants packet send on rndc_client_packet_t. The packet class is
## checked by the SELinux netfilter hooks, so in practice this rule only
## matters when SECMARK labelling of rndc traffic is in use.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
define(`corenet_send_rndc_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_rndc_client_packets'($*)) dnl
gen_require(`
type rndc_client_packet_t;
')
allow $1 rndc_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_rndc_client_packets'($*)) dnl
')
########################################
## <summary>
## Do not audit attempts to send rndc_client packets.
## </summary>
## <desc>
## <p>
## dontaudit only suppresses the AVC audit record; the send is still
## denied. Use it for denials known to be harmless noise, since it also
## hides them from audit-based detection.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
define(`corenet_dontaudit_send_rndc_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_rndc_client_packets'($*)) dnl
gen_require(`
type rndc_client_packet_t;
')
dontaudit $1 rndc_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_rndc_client_packets'($*)) dnl
')
########################################
## <summary>
## Receive rndc_client packets.
## </summary>
## <desc>
## <p>
## Grants packet recv on rndc_client_packet_t. The packet class is
## checked by the SELinux netfilter hooks, so in practice this rule only
## matters when SECMARK labelling of rndc traffic is in use.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
define(`corenet_receive_rndc_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_rndc_client_packets'($*)) dnl
gen_require(`
type rndc_client_packet_t;
')
allow $1 rndc_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_rndc_client_packets'($*)) dnl
')
########################################
## <summary>
## Do not audit attempts to receive rndc_client packets.
## </summary>
## <desc>
## <p>
## dontaudit only suppresses the AVC audit record; the receive is still
## denied. Use it for denials known to be harmless noise, since it also
## hides them from audit-based detection. (The parameter summary
## previously read "Domain allowed access", which was wrong for a
## dontaudit interface.)
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
define(`corenet_dontaudit_receive_rndc_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_rndc_client_packets'($*)) dnl
gen_require(`
type rndc_client_packet_t;
')
dontaudit $1 rndc_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_rndc_client_packets'($*)) dnl
')
########################################
## <summary>
## Send and receive rndc_client packets.
## </summary>
## <desc>
## <p>
## Convenience wrapper: expands to corenet_send_rndc_client_packets and
## corenet_receive_rndc_client_packets for the same domain. The
## policy_temp/pushdef/undefine lines only track nesting depth for the
## policy_m4_comment begin/end markers; they are not access rules.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
define(`corenet_sendrecv_rndc_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_rndc_client_packets'($*)) dnl
corenet_send_rndc_client_packets($1)
corenet_receive_rndc_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_rndc_client_packets'($*)) dnl
')
########################################
## <summary>
## Do not audit attempts to send and receive rndc_client packets.
## </summary>
## <desc>
## <p>
## Wrapper over the two dontaudit interfaces. dontaudit only suppresses
## the AVC audit record; the access is still denied. Reserve it for
## denials known to be harmless noise, because it also hides them from
## audit-based detection.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_rndc_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_rndc_client_packets'($*)) dnl
corenet_dontaudit_send_rndc_client_packets($1)
corenet_dontaudit_receive_rndc_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_rndc_client_packets'($*)) dnl
')
########################################
## <summary>
## Relabel packets to the rndc_client packet type.
## </summary>
## <desc>
## <p>
## packet relabelto is checked when a netfilter SECMARK rule assigning
## this label is loaded, so it is presumably needed only by the domain
## that installs such rules, not by a service that merely exchanges rndc
## traffic (use the send/receive interfaces for that).
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
define(`corenet_relabelto_rndc_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_rndc_client_packets'($*)) dnl
gen_require(`
type rndc_client_packet_t;
')
allow $1 rndc_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_rndc_client_packets'($*)) dnl
')
########################################
## <summary>
## Send rndc_server packets.
## </summary>
## <desc>
## <p>
## Grants packet send on rndc_server_packet_t. The packet class is
## checked by the SELinux netfilter hooks, so in practice this rule only
## matters when SECMARK labelling of rndc traffic is in use.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
define(`corenet_send_rndc_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_rndc_server_packets'($*)) dnl
gen_require(`
type rndc_server_packet_t;
')
allow $1 rndc_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_rndc_server_packets'($*)) dnl
')
########################################
## <summary>
## Do not audit attempts to send rndc_server packets.
## </summary>
## <desc>
## <p>
## dontaudit only suppresses the AVC audit record; the send is still
## denied. Use it for denials known to be harmless noise, since it also
## hides them from audit-based detection.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
define(`corenet_dontaudit_send_rndc_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_rndc_server_packets'($*)) dnl
gen_require(`
type rndc_server_packet_t;
')
dontaudit $1 rndc_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_rndc_server_packets'($*)) dnl
')
########################################
## <summary>
## Receive rndc_server packets.
## </summary>
## <desc>
## <p>
## Grants packet recv on rndc_server_packet_t. The packet class is
## checked by the SELinux netfilter hooks, so in practice this rule only
## matters when SECMARK labelling of rndc traffic is in use.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
define(`corenet_receive_rndc_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_rndc_server_packets'($*)) dnl
gen_require(`
type rndc_server_packet_t;
')
allow $1 rndc_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_rndc_server_packets'($*)) dnl
')
########################################
## <summary>
## Do not audit attempts to receive rndc_server packets.
## </summary>
## <desc>
## <p>
## dontaudit only suppresses the AVC audit record; the receive is still
## denied. Use it for denials known to be harmless noise, since it also
## hides them from audit-based detection. (The parameter summary
## previously read "Domain allowed access", which was wrong for a
## dontaudit interface.)
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
define(`corenet_dontaudit_receive_rndc_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_rndc_server_packets'($*)) dnl
gen_require(`
type rndc_server_packet_t;
')
dontaudit $1 rndc_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_rndc_server_packets'($*)) dnl
')
########################################
## <summary>
## Send and receive rndc_server packets.
## </summary>
## <desc>
## <p>
## Convenience wrapper: expands to corenet_send_rndc_server_packets and
## corenet_receive_rndc_server_packets for the same domain. The
## policy_temp/pushdef/undefine lines only track nesting depth for the
## policy_m4_comment begin/end markers; they are not access rules.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
define(`corenet_sendrecv_rndc_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_rndc_server_packets'($*)) dnl
corenet_send_rndc_server_packets($1)
corenet_receive_rndc_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_rndc_server_packets'($*)) dnl
')
########################################
## <summary>
## Do not audit attempts to send and receive rndc_server packets.
## </summary>
## <desc>
## <p>
## Wrapper over the two dontaudit interfaces. dontaudit only suppresses
## the AVC audit record; the access is still denied. Reserve it for
## denials known to be harmless noise, because it also hides them from
## audit-based detection.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_rndc_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_rndc_server_packets'($*)) dnl
corenet_dontaudit_send_rndc_server_packets($1)
corenet_dontaudit_receive_rndc_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_rndc_server_packets'($*)) dnl
')
########################################
## <summary>
## Relabel packets to the rndc_server packet type.
## </summary>
## <desc>
## <p>
## packet relabelto is checked when a netfilter SECMARK rule assigning
## this label is loaded, so it is presumably needed only by the domain
## that installs such rules, not by a service that merely exchanges rndc
## traffic (use the send/receive interfaces for that).
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
define(`corenet_relabelto_rndc_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_rndc_server_packets'($*)) dnl
gen_require(`
type rndc_server_packet_t;
')
allow $1 rndc_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_rndc_server_packets'($*)) dnl
')
########################################
## <summary>
## Send and receive TCP traffic on the router port.
## </summary>
## <desc>
## <p>
## Grants only send_msg and recv_msg on router_port_t TCP sockets; it
## does not include name_connect or name_bind, which are separate
## interfaces.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
define(`corenet_tcp_sendrecv_router_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_router_port'($*)) dnl
gen_require(`
type router_port_t;
')
allow $1 router_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_router_port'($*)) dnl
')
########################################
## <summary>
## Send UDP traffic on the router port.
## </summary>
## <desc>
## <p>
## Grants only send_msg on router_port_t UDP sockets. Binding the port
## is a separate interface (corenet_udp_bind_router_port) that also
## grants a capability.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
define(`corenet_udp_send_router_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_router_port'($*)) dnl
gen_require(`
type router_port_t;
')
allow $1 router_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_router_port'($*)) dnl
')
########################################
## <summary>
## Do not audit attempts to send UDP traffic on the router port.
## </summary>
## <desc>
## <p>
## dontaudit only suppresses the AVC audit record; the send is still
## denied. Use it for denials known to be harmless noise, since it also
## hides them from audit-based detection.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
define(`corenet_dontaudit_udp_send_router_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_router_port'($*)) dnl
gen_require(`
type router_port_t;
')
dontaudit $1 router_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_router_port'($*)) dnl
')
########################################
## <summary>
## Receive UDP traffic on the router port.
## </summary>
## <desc>
## <p>
## Grants only recv_msg on router_port_t UDP sockets. Binding the port
## is a separate interface (corenet_udp_bind_router_port) that also
## grants a capability.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
define(`corenet_udp_receive_router_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_router_port'($*)) dnl
gen_require(`
type router_port_t;
')
allow $1 router_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_router_port'($*)) dnl
')
########################################
## <summary>
## Do not audit attempts to receive UDP traffic on the router port.
## </summary>
## <desc>
## <p>
## dontaudit only suppresses the AVC audit record; the receive is still
## denied. Use it for denials known to be harmless noise, since it also
## hides them from audit-based detection.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_router_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_router_port'($*)) dnl
gen_require(`
type router_port_t;
')
dontaudit $1 router_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_router_port'($*)) dnl
')
########################################
## <summary>
## Send and receive UDP traffic on the router port.
## </summary>
## <desc>
## <p>
## Convenience wrapper: expands to corenet_udp_send_router_port and
## corenet_udp_receive_router_port for the same domain. The
## policy_temp/pushdef/undefine lines only track nesting depth for the
## policy_m4_comment begin/end markers; they are not access rules.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
define(`corenet_udp_sendrecv_router_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_router_port'($*)) dnl
corenet_udp_send_router_port($1)
corenet_udp_receive_router_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_router_port'($*)) dnl
')
########################################
## <summary>
## Do not audit attempts to send and receive
## UDP traffic on the router port.
## </summary>
## <desc>
## <p>
## Wrapper over the two dontaudit interfaces. dontaudit only suppresses
## the AVC audit record; the access is still denied. Reserve it for
## denials known to be harmless noise, because it also hides them from
## audit-based detection.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_router_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_router_port'($*)) dnl
corenet_dontaudit_udp_send_router_port($1)
corenet_dontaudit_udp_receive_router_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_router_port'($*)) dnl
')
########################################
## <summary>
## Bind TCP sockets to the router port.
## </summary>
## <desc>
## <p>
## Besides name_bind on router_port_t this also grants the domain
## CAP_NET_BIND_SERVICE on itself (allow $1 self:capability
## net_bind_service). That capability is not scoped to the router port:
## combined with any other name_bind the domain holds it also permits
## binding other privileged ports, so review which domains receive it.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
define(`corenet_tcp_bind_router_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_router_port'($*)) dnl
gen_require(`
type router_port_t;
')
allow $1 router_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_router_port'($*)) dnl
')
########################################
## <summary>
## Bind UDP sockets to the router port.
## </summary>
## <desc>
## <p>
## Besides name_bind on router_port_t this also grants the domain
## CAP_NET_BIND_SERVICE on itself (allow $1 self:capability
## net_bind_service). That capability is not scoped to the router port:
## combined with any other name_bind the domain holds it also permits
## binding other privileged ports, so review which domains receive it.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
define(`corenet_udp_bind_router_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_router_port'($*)) dnl
gen_require(`
type router_port_t;
')
allow $1 router_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_router_port'($*)) dnl
')
########################################
## <summary>
## Make a TCP connection to the router port.
## </summary>
## <desc>
## <p>
## Grants only name_connect, the outbound client-side permission on
## router_port_t; it does not include name_bind or the send_msg/recv_msg
## rules of corenet_tcp_sendrecv_router_port.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
define(`corenet_tcp_connect_router_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_router_port'($*)) dnl
gen_require(`
type router_port_t;
')
allow $1 router_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_router_port'($*)) dnl
')
########################################
## <summary>
## Send router_client packets.
## </summary>
## <desc>
## <p>
## Grants packet send on router_client_packet_t. The packet class is
## checked by the SELinux netfilter hooks, so in practice this rule only
## matters when SECMARK labelling of router traffic is in use.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
define(`corenet_send_router_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_router_client_packets'($*)) dnl
gen_require(`
type router_client_packet_t;
')
allow $1 router_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_router_client_packets'($*)) dnl
')
########################################
## <summary>
## Do not audit attempts to send router_client packets.
## </summary>
## <desc>
## <p>
## dontaudit only suppresses the AVC audit record; the send is still
## denied. Use it for denials known to be harmless noise, since it also
## hides them from audit-based detection.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
define(`corenet_dontaudit_send_router_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_router_client_packets'($*)) dnl
gen_require(`
type router_client_packet_t;
')
dontaudit $1 router_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_router_client_packets'($*)) dnl
')
########################################
## <summary>
## Receive router_client packets.
## </summary>
## <desc>
## <p>
## Grants packet recv on router_client_packet_t. The packet class is
## checked by the SELinux netfilter hooks, so in practice this rule only
## matters when SECMARK labelling of router traffic is in use.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
define(`corenet_receive_router_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_router_client_packets'($*)) dnl
gen_require(`
type router_client_packet_t;
')
allow $1 router_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_router_client_packets'($*)) dnl
')
########################################
## <summary>
## Do not audit attempts to receive router_client packets.
## </summary>
## <desc>
## <p>
## dontaudit only suppresses the AVC audit record; the receive is still
## denied. Use it for denials known to be harmless noise, since it also
## hides them from audit-based detection. (The parameter summary
## previously read "Domain allowed access", which was wrong for a
## dontaudit interface.)
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
define(`corenet_dontaudit_receive_router_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_router_client_packets'($*)) dnl
gen_require(`
type router_client_packet_t;
')
dontaudit $1 router_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_router_client_packets'($*)) dnl
')
########################################
## <summary>
## Send and receive router_client packets.
## </summary>
## <desc>
## <p>
## Convenience wrapper: expands to corenet_send_router_client_packets
## and corenet_receive_router_client_packets for the same domain. The
## policy_temp/pushdef/undefine lines only track nesting depth for the
## policy_m4_comment begin/end markers; they are not access rules.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
define(`corenet_sendrecv_router_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_router_client_packets'($*)) dnl
corenet_send_router_client_packets($1)
corenet_receive_router_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_router_client_packets'($*)) dnl
')
########################################
## <summary>
## Do not audit attempts to send and receive router_client packets.
## </summary>
## <desc>
## <p>
## Wrapper over the two dontaudit interfaces. dontaudit only suppresses
## the AVC audit record; the access is still denied. Reserve it for
## denials known to be harmless noise, because it also hides them from
## audit-based detection.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_router_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_router_client_packets'($*)) dnl
corenet_dontaudit_send_router_client_packets($1)
corenet_dontaudit_receive_router_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_router_client_packets'($*)) dnl
')
########################################
## <summary>
## Relabel packets to the router_client packet type.
## </summary>
## <desc>
## <p>
## packet relabelto is checked when a netfilter SECMARK rule assigning
## this label is loaded, so it is presumably needed only by the domain
## that installs such rules, not by a service that merely exchanges
## router traffic (use the send/receive interfaces for that).
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
define(`corenet_relabelto_router_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_router_client_packets'($*)) dnl
gen_require(`
type router_client_packet_t;
')
allow $1 router_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_router_client_packets'($*)) dnl
')
########################################
## <summary>
## Send router_server packets.
## </summary>
## <desc>
## <p>
## Grants packet send on router_server_packet_t. The packet class is
## checked by the SELinux netfilter hooks, so in practice this rule only
## matters when SECMARK labelling of router traffic is in use.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
define(`corenet_send_router_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_router_server_packets'($*)) dnl
gen_require(`
type router_server_packet_t;
')
allow $1 router_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_router_server_packets'($*)) dnl
')
########################################
## <summary>
## Do not audit attempts to send router_server packets.
## </summary>
## <desc>
## <p>
## dontaudit only suppresses the AVC audit record; the send is still
## denied. Use it for denials known to be harmless noise, since it also
## hides them from audit-based detection.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
define(`corenet_dontaudit_send_router_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_router_server_packets'($*)) dnl
gen_require(`
type router_server_packet_t;
')
dontaudit $1 router_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_router_server_packets'($*)) dnl
')
########################################
## <summary>
## Receive router_server packets.
## </summary>
## <desc>
## <p>
## Grants packet recv on router_server_packet_t. The packet class is
## checked by the SELinux netfilter hooks, so in practice this rule only
## matters when SECMARK labelling of router traffic is in use.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
define(`corenet_receive_router_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_router_server_packets'($*)) dnl
gen_require(`
type router_server_packet_t;
')
allow $1 router_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_router_server_packets'($*)) dnl
')
########################################
## <summary>
## Do not audit attempts to receive router_server packets.
## </summary>
## <desc>
## <p>
## dontaudit only suppresses the AVC audit record; the receive is still
## denied. Use it for denials known to be harmless noise, since it also
## hides them from audit-based detection. (The parameter summary
## previously read "Domain allowed access", which was wrong for a
## dontaudit interface.)
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
define(`corenet_dontaudit_receive_router_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_router_server_packets'($*)) dnl
gen_require(`
type router_server_packet_t;
')
dontaudit $1 router_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_router_server_packets'($*)) dnl
')
########################################
##
## Send and receive router_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_router_server_packets',` dnl
dnl $1: domain granted both directions through the two single-direction interfaces
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_router_server_packets'($*)) dnl
corenet_send_router_server_packets($1)
corenet_receive_router_server_packets($1)
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_router_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive router_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_router_server_packets',` dnl
dnl $1: domain whose denials in both directions are silenced via the two dontaudit interfaces; grants nothing
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_router_server_packets'($*)) dnl
corenet_dontaudit_send_router_server_packets($1)
corenet_dontaudit_receive_router_server_packets($1)
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_router_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the router_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_router_server_packets',` dnl
dnl $1: domain allowed to relabel packets to router_server_packet_t; no send or recv access is implied
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_router_server_packets'($*)) dnl
gen_require(`
type router_server_packet_t;
')
allow $1 router_server_packet_t:packet relabelto;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_router_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the rsh port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_rsh_port',` dnl
dnl $1: domain allowed to send and receive TCP messages on rsh_port_t
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_rsh_port'($*)) dnl
gen_require(`
type rsh_port_t;
')
allow $1 rsh_port_t:tcp_socket { send_msg recv_msg };
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_rsh_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the rsh port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_rsh_port',` dnl
dnl $1: domain allowed to send UDP messages on rsh_port_t
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_rsh_port'($*)) dnl
gen_require(`
type rsh_port_t;
')
allow $1 rsh_port_t:udp_socket send_msg;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_rsh_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the rsh port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_rsh_port',` dnl
dnl $1: domain whose denied UDP sends on rsh_port_t are not logged; grants nothing
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_rsh_port'($*)) dnl
gen_require(`
type rsh_port_t;
')
dontaudit $1 rsh_port_t:udp_socket send_msg;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_rsh_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the rsh port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_rsh_port',` dnl
dnl $1: domain allowed to receive UDP messages on rsh_port_t
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_rsh_port'($*)) dnl
gen_require(`
type rsh_port_t;
')
allow $1 rsh_port_t:udp_socket recv_msg;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_rsh_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the rsh port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_rsh_port',` dnl
dnl $1: domain whose denied UDP receives on rsh_port_t are not logged; grants nothing
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_rsh_port'($*)) dnl
gen_require(`
type rsh_port_t;
')
dontaudit $1 rsh_port_t:udp_socket recv_msg;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_rsh_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the rsh port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_rsh_port',` dnl
dnl $1: domain granted UDP send and receive on rsh_port_t through the two single-direction interfaces
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_rsh_port'($*)) dnl
corenet_udp_send_rsh_port($1)
corenet_udp_receive_rsh_port($1)
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_rsh_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the rsh port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_rsh_port',` dnl
dnl $1: domain whose UDP denials on rsh_port_t in both directions are silenced; grants nothing
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_rsh_port'($*)) dnl
corenet_dontaudit_udp_send_rsh_port($1)
corenet_dontaudit_udp_receive_rsh_port($1)
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_rsh_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the rsh port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_rsh_port',` dnl
dnl $1: domain allowed to bind TCP sockets to rsh_port_t
dnl NOTE: the self:capability net_bind_service grant is process-wide, not limited to this port
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_rsh_port'($*)) dnl
gen_require(`
type rsh_port_t;
')
allow $1 rsh_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_rsh_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the rsh port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_rsh_port',` dnl
dnl $1: domain allowed to bind UDP sockets to rsh_port_t
dnl NOTE: the self:capability net_bind_service grant is process-wide, not limited to this port
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_rsh_port'($*)) dnl
gen_require(`
type rsh_port_t;
')
allow $1 rsh_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_rsh_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the rsh port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_rsh_port',` dnl
dnl $1: domain allowed to make outbound TCP connections to rsh_port_t
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_rsh_port'($*)) dnl
gen_require(`
type rsh_port_t;
')
allow $1 rsh_port_t:tcp_socket name_connect;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_rsh_port'($*)) dnl
')
########################################
##
## Send rsh_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_rsh_client_packets',` dnl
dnl $1: domain allowed to send packets labeled rsh_client_packet_t
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_rsh_client_packets'($*)) dnl
gen_require(`
type rsh_client_packet_t;
')
allow $1 rsh_client_packet_t:packet send;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_send_rsh_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send rsh_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_rsh_client_packets',` dnl
dnl $1: domain whose denied sends of rsh_client_packet_t packets are not logged; grants nothing
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_rsh_client_packets'($*)) dnl
gen_require(`
type rsh_client_packet_t;
')
dontaudit $1 rsh_client_packet_t:packet send;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_rsh_client_packets'($*)) dnl
')
########################################
##
## Receive rsh_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_rsh_client_packets',` dnl
dnl $1: domain allowed to receive packets labeled rsh_client_packet_t
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_rsh_client_packets'($*)) dnl
gen_require(`
type rsh_client_packet_t;
')
allow $1 rsh_client_packet_t:packet recv;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_rsh_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive rsh_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_rsh_client_packets',` dnl
dnl $1: domain whose denied receives of rsh_client_packet_t packets are not logged; grants nothing
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_rsh_client_packets'($*)) dnl
gen_require(`
type rsh_client_packet_t;
')
dontaudit $1 rsh_client_packet_t:packet recv;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_rsh_client_packets'($*)) dnl
')
########################################
##
## Send and receive rsh_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_rsh_client_packets',` dnl
dnl $1: domain granted both directions through the two single-direction interfaces
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_rsh_client_packets'($*)) dnl
corenet_send_rsh_client_packets($1)
corenet_receive_rsh_client_packets($1)
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_rsh_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive rsh_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_rsh_client_packets',` dnl
dnl $1: domain whose denials in both directions are silenced via the two dontaudit interfaces; grants nothing
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_rsh_client_packets'($*)) dnl
corenet_dontaudit_send_rsh_client_packets($1)
corenet_dontaudit_receive_rsh_client_packets($1)
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_rsh_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the rsh_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_rsh_client_packets',` dnl
dnl $1: domain allowed to relabel packets to rsh_client_packet_t; no send or recv access is implied
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_rsh_client_packets'($*)) dnl
gen_require(`
type rsh_client_packet_t;
')
allow $1 rsh_client_packet_t:packet relabelto;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_rsh_client_packets'($*)) dnl
')
########################################
##
## Send rsh_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_rsh_server_packets',` dnl
dnl $1: domain allowed to send packets labeled rsh_server_packet_t
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_rsh_server_packets'($*)) dnl
gen_require(`
type rsh_server_packet_t;
')
allow $1 rsh_server_packet_t:packet send;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_send_rsh_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send rsh_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_rsh_server_packets',` dnl
dnl $1: domain whose denied sends of rsh_server_packet_t packets are not logged; grants nothing
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_rsh_server_packets'($*)) dnl
gen_require(`
type rsh_server_packet_t;
')
dontaudit $1 rsh_server_packet_t:packet send;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_rsh_server_packets'($*)) dnl
')
########################################
##
## Receive rsh_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_rsh_server_packets',` dnl
dnl $1: domain allowed to receive packets labeled rsh_server_packet_t
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_rsh_server_packets'($*)) dnl
gen_require(`
type rsh_server_packet_t;
')
allow $1 rsh_server_packet_t:packet recv;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_rsh_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive rsh_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_rsh_server_packets',` dnl
dnl $1: domain whose denied receives of rsh_server_packet_t packets are not logged; grants nothing
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_rsh_server_packets'($*)) dnl
gen_require(`
type rsh_server_packet_t;
')
dontaudit $1 rsh_server_packet_t:packet recv;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_rsh_server_packets'($*)) dnl
')
########################################
##
## Send and receive rsh_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_rsh_server_packets',` dnl
dnl $1: domain granted both directions through the two single-direction interfaces
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_rsh_server_packets'($*)) dnl
corenet_send_rsh_server_packets($1)
corenet_receive_rsh_server_packets($1)
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_rsh_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive rsh_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_rsh_server_packets',` dnl
dnl $1: domain whose denials in both directions are silenced via the two dontaudit interfaces; grants nothing
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_rsh_server_packets'($*)) dnl
corenet_dontaudit_send_rsh_server_packets($1)
corenet_dontaudit_receive_rsh_server_packets($1)
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_rsh_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the rsh_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_rsh_server_packets',` dnl
dnl $1: domain allowed to relabel packets to rsh_server_packet_t; no send or recv access is implied
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_rsh_server_packets'($*)) dnl
gen_require(`
type rsh_server_packet_t;
')
allow $1 rsh_server_packet_t:packet relabelto;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_rsh_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the rsync port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_rsync_port',` dnl
dnl $1: domain allowed to send and receive TCP messages on rsync_port_t
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_rsync_port'($*)) dnl
gen_require(`
type rsync_port_t;
')
allow $1 rsync_port_t:tcp_socket { send_msg recv_msg };
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_rsync_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the rsync port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_rsync_port',` dnl
dnl $1: domain allowed to send UDP messages on rsync_port_t
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_rsync_port'($*)) dnl
gen_require(`
type rsync_port_t;
')
allow $1 rsync_port_t:udp_socket send_msg;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_rsync_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the rsync port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_rsync_port',` dnl
dnl $1: domain whose denied UDP sends on rsync_port_t are not logged; grants nothing
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_rsync_port'($*)) dnl
gen_require(`
type rsync_port_t;
')
dontaudit $1 rsync_port_t:udp_socket send_msg;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_rsync_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the rsync port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_rsync_port',` dnl
dnl $1: domain allowed to receive UDP messages on rsync_port_t
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_rsync_port'($*)) dnl
gen_require(`
type rsync_port_t;
')
allow $1 rsync_port_t:udp_socket recv_msg;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_rsync_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the rsync port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_rsync_port',` dnl
dnl $1: domain whose denied UDP receives on rsync_port_t are not logged; grants nothing
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_rsync_port'($*)) dnl
gen_require(`
type rsync_port_t;
')
dontaudit $1 rsync_port_t:udp_socket recv_msg;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_rsync_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the rsync port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_rsync_port',` dnl
dnl $1: domain granted UDP send and receive on rsync_port_t through the two single-direction interfaces
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_rsync_port'($*)) dnl
corenet_udp_send_rsync_port($1)
corenet_udp_receive_rsync_port($1)
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_rsync_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the rsync port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_rsync_port',` dnl
dnl $1: domain whose UDP denials on rsync_port_t in both directions are silenced; grants nothing
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_rsync_port'($*)) dnl
corenet_dontaudit_udp_send_rsync_port($1)
corenet_dontaudit_udp_receive_rsync_port($1)
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_rsync_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the rsync port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_rsync_port',` dnl
dnl $1: domain allowed to bind TCP sockets to rsync_port_t
dnl NOTE: the self:capability net_bind_service grant is process-wide, not limited to this port
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_rsync_port'($*)) dnl
gen_require(`
type rsync_port_t;
')
allow $1 rsync_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_rsync_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the rsync port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_rsync_port',` dnl
dnl $1: domain allowed to bind UDP sockets to rsync_port_t
dnl NOTE: the self:capability net_bind_service grant is process-wide, not limited to this port
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_rsync_port'($*)) dnl
gen_require(`
type rsync_port_t;
')
allow $1 rsync_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_rsync_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the rsync port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_rsync_port',` dnl
dnl $1: domain allowed to make outbound TCP connections to rsync_port_t
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_rsync_port'($*)) dnl
gen_require(`
type rsync_port_t;
')
allow $1 rsync_port_t:tcp_socket name_connect;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_rsync_port'($*)) dnl
')
########################################
##
## Send rsync_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_rsync_client_packets',` dnl
dnl $1: domain allowed to send packets labeled rsync_client_packet_t
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_rsync_client_packets'($*)) dnl
gen_require(`
type rsync_client_packet_t;
')
allow $1 rsync_client_packet_t:packet send;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_send_rsync_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send rsync_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_rsync_client_packets',` dnl
dnl $1: domain whose denied sends of rsync_client_packet_t packets are not logged; grants nothing
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_rsync_client_packets'($*)) dnl
gen_require(`
type rsync_client_packet_t;
')
dontaudit $1 rsync_client_packet_t:packet send;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_rsync_client_packets'($*)) dnl
')
########################################
##
## Receive rsync_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_rsync_client_packets',` dnl
dnl $1: domain allowed to receive packets labeled rsync_client_packet_t
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_rsync_client_packets'($*)) dnl
gen_require(`
type rsync_client_packet_t;
')
allow $1 rsync_client_packet_t:packet recv;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_rsync_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive rsync_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_rsync_client_packets',` dnl
dnl $1: domain whose denied receives of rsync_client_packet_t packets are not logged; grants nothing
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_rsync_client_packets'($*)) dnl
gen_require(`
type rsync_client_packet_t;
')
dontaudit $1 rsync_client_packet_t:packet recv;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_rsync_client_packets'($*)) dnl
')
########################################
##
## Send and receive rsync_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_rsync_client_packets',` dnl
dnl $1: domain granted both directions through the two single-direction interfaces
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_rsync_client_packets'($*)) dnl
corenet_send_rsync_client_packets($1)
corenet_receive_rsync_client_packets($1)
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_rsync_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive rsync_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_rsync_client_packets',` dnl
dnl $1: domain whose denials in both directions are silenced via the two dontaudit interfaces; grants nothing
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_rsync_client_packets'($*)) dnl
corenet_dontaudit_send_rsync_client_packets($1)
corenet_dontaudit_receive_rsync_client_packets($1)
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_rsync_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the rsync_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_rsync_client_packets',` dnl
dnl $1: domain allowed to relabel packets to rsync_client_packet_t; no send or recv access is implied
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_rsync_client_packets'($*)) dnl
gen_require(`
type rsync_client_packet_t;
')
allow $1 rsync_client_packet_t:packet relabelto;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_rsync_client_packets'($*)) dnl
')
########################################
##
## Send rsync_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_rsync_server_packets',` dnl
dnl $1: domain allowed to send packets labeled rsync_server_packet_t
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_rsync_server_packets'($*)) dnl
gen_require(`
type rsync_server_packet_t;
')
allow $1 rsync_server_packet_t:packet send;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `corenet_send_rsync_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send rsync_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_rsync_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_rsync_server_packets'($*)) dnl
gen_require(`
type rsync_server_packet_t;
')
# Suppress, without granting, AVC denials for sending rsync_server_packet_t
# packets.  The access is still refused; it just stops appearing in the audit
# log, so audit-based detection loses sight of this domain for that access.
dontaudit $1 rsync_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_rsync_server_packets'($*)) dnl
')
########################################
##
## Receive rsync_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_rsync_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_rsync_server_packets'($*)) dnl
gen_require(`
type rsync_server_packet_t;
')
# Allow the domain to receive packets labeled rsync_server_packet_t.  Only
# traffic that has been given this label (e.g. by SECMARK rules) is affected.
allow $1 rsync_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_rsync_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive rsync_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_rsync_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_rsync_server_packets'($*)) dnl
gen_require(`
type rsync_server_packet_t;
')
# Suppress, without granting, AVC denials for receiving rsync_server_packet_t
# packets.  Hidden denials are invisible to audit-based detection, so apply
# this only to the domain that is known to be noisy.
dontaudit $1 rsync_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_rsync_server_packets'($*)) dnl
')
########################################
##
## Send and receive rsync_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_rsync_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_rsync_server_packets'($*)) dnl
# corenet_sendrecv_rsync_server_packets(domain): composite of the send and
# receive interfaces for rsync_server_packet_t.  The define/pushdef/undefine
# lines only track policy_call_depth for the trace comments and emit no policy.
corenet_send_rsync_server_packets($1)
corenet_receive_rsync_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_rsync_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive rsync_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_rsync_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_rsync_server_packets'($*)) dnl
# corenet_dontaudit_sendrecv_rsync_server_packets(domain): composite of the
# send and receive dontaudit interfaces; silences both denials, grants nothing.
corenet_dontaudit_send_rsync_server_packets($1)
corenet_dontaudit_receive_rsync_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_rsync_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the rsync_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_rsync_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_rsync_server_packets'($*)) dnl
gen_require(`
type rsync_server_packet_t;
')
# Allow relabeling packet objects to rsync_server_packet_t, i.e. assigning
# that label to traffic (what the component applying SECMARK rules needs).
# A caller holding relabelto on packet types decides which packet rules apply
# to the traffic it marks, so restrict this to the labeling tool domain.
allow $1 rsync_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_rsync_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the smbd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_smbd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_smbd_port'($*)) dnl
gen_require(`
type smbd_port_t;
')
# Allow send_msg and recv_msg on TCP sockets for smbd_port_t.  This is only
# the traffic permission; name_bind and name_connect come from the separate
# bind and connect interfaces.
allow $1 smbd_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_smbd_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the smbd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_smbd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_smbd_port'($*)) dnl
gen_require(`
type smbd_port_t;
')
# Allow send_msg on UDP sockets for smbd_port_t (traffic permission only;
# binding to the port is a separate interface).
allow $1 smbd_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_smbd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the smbd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_smbd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_smbd_port'($*)) dnl
gen_require(`
type smbd_port_t;
')
# Suppress AVC denials for send_msg on UDP sockets for smbd_port_t without
# granting it.  Hidden denials are invisible to audit-based detection, so
# scope this to the specific noisy domain rather than an attribute.
dontaudit $1 smbd_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_smbd_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the smbd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_smbd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_smbd_port'($*)) dnl
gen_require(`
type smbd_port_t;
')
# Allow recv_msg on UDP sockets for smbd_port_t (traffic permission only;
# binding to the port is a separate interface).
allow $1 smbd_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_smbd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the smbd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_smbd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_smbd_port'($*)) dnl
gen_require(`
type smbd_port_t;
')
# Suppress AVC denials for recv_msg on UDP sockets for smbd_port_t without
# granting it; the denial still happens, it is just no longer logged.
dontaudit $1 smbd_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_smbd_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the smbd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_smbd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_smbd_port'($*)) dnl
# corenet_udp_sendrecv_smbd_port(domain): composite of the UDP send and
# receive interfaces for smbd_port_t.  The define/pushdef/undefine lines only
# track policy_call_depth for the trace comments and emit no policy.
corenet_udp_send_smbd_port($1)
corenet_udp_receive_smbd_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_smbd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the smbd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_smbd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_smbd_port'($*)) dnl
# corenet_dontaudit_udp_sendrecv_smbd_port(domain): composite of the UDP send
# and receive dontaudit interfaces; silences both denials, grants nothing.
corenet_dontaudit_udp_send_smbd_port($1)
corenet_dontaudit_udp_receive_smbd_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_smbd_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the smbd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_smbd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_smbd_port'($*)) dnl
gen_require(`
type smbd_port_t;
')
# Allow name_bind of TCP sockets to smbd_port_t; this port-level rule is what
# keeps the grant narrow.
allow $1 smbd_port_t:tcp_socket name_bind;
# net_bind_service is presumably emitted because this is a reserved (<1024)
# port.  It is a process-wide capability, not a per-port grant: once held,
# the domain can bind any reserved port it also has a name_bind rule for, so
# review the callers of this interface together with their other bind rules.
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_smbd_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the smbd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_smbd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_smbd_port'($*)) dnl
gen_require(`
type smbd_port_t;
')
# Allow name_bind of UDP sockets to smbd_port_t.
allow $1 smbd_port_t:udp_socket name_bind;
# net_bind_service is process-wide, not scoped to this port: with it the
# domain can bind any reserved (<1024) port it also holds a name_bind rule
# for.  The name_bind rule above is the effective restriction.
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_smbd_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the smbd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_smbd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_smbd_port'($*)) dnl
gen_require(`
type smbd_port_t;
')
# Allow name_connect to smbd_port_t, i.e. outbound client connections only;
# listening on the port needs the bind interface instead.
allow $1 smbd_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_smbd_port'($*)) dnl
')
########################################
##
## Send smbd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_smbd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_smbd_client_packets'($*)) dnl
gen_require(`
type smbd_client_packet_t;
')
# Allow the domain to send packets labeled smbd_client_packet_t.  Only traffic
# that has been given this label (e.g. by SECMARK rules) is affected.
allow $1 smbd_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_smbd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send smbd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_smbd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_smbd_client_packets'($*)) dnl
gen_require(`
type smbd_client_packet_t;
')
# Suppress, without granting, AVC denials for sending smbd_client_packet_t
# packets.  Hidden denials are lost to audit-based detection; keep the scope
# to the one domain that is known to be noisy.
dontaudit $1 smbd_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_smbd_client_packets'($*)) dnl
')
########################################
##
## Receive smbd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_smbd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_smbd_client_packets'($*)) dnl
gen_require(`
type smbd_client_packet_t;
')
# Allow the domain to receive packets labeled smbd_client_packet_t.  Only
# traffic that has been given this label (e.g. by SECMARK rules) is affected.
allow $1 smbd_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_smbd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive smbd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_smbd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_smbd_client_packets'($*)) dnl
gen_require(`
type smbd_client_packet_t;
')
# Suppress, without granting, AVC denials for receiving smbd_client_packet_t
# packets; the access is still refused, it is just no longer logged.
dontaudit $1 smbd_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_smbd_client_packets'($*)) dnl
')
########################################
##
## Send and receive smbd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_smbd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_smbd_client_packets'($*)) dnl
# corenet_sendrecv_smbd_client_packets(domain): composite of the send and
# receive interfaces for smbd_client_packet_t.  The define/pushdef/undefine
# lines only track policy_call_depth for the trace comments and emit no policy.
corenet_send_smbd_client_packets($1)
corenet_receive_smbd_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_smbd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive smbd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_smbd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_smbd_client_packets'($*)) dnl
# corenet_dontaudit_sendrecv_smbd_client_packets(domain): composite of the
# send and receive dontaudit interfaces; silences both denials, grants nothing.
corenet_dontaudit_send_smbd_client_packets($1)
corenet_dontaudit_receive_smbd_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_smbd_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the smbd_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_smbd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_smbd_client_packets'($*)) dnl
gen_require(`
type smbd_client_packet_t;
')
# Allow relabeling packet objects to smbd_client_packet_t, i.e. assigning
# that label to traffic (what the component applying SECMARK rules needs).
# Restrict to the labeling tool domain: whoever can relabel packets chooses
# which packet rules apply to the traffic it marks.
allow $1 smbd_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_smbd_client_packets'($*)) dnl
')
########################################
##
## Send smbd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_smbd_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_smbd_server_packets'($*)) dnl
gen_require(`
type smbd_server_packet_t;
')
# Allow the domain to send packets labeled smbd_server_packet_t.  Only traffic
# that has been given this label (e.g. by SECMARK rules) is affected.
allow $1 smbd_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_smbd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send smbd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_smbd_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_smbd_server_packets'($*)) dnl
gen_require(`
type smbd_server_packet_t;
')
# Suppress, without granting, AVC denials for sending smbd_server_packet_t
# packets.  Hidden denials are lost to audit-based detection, so scope this
# to the single domain that is known to be noisy.
dontaudit $1 smbd_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_smbd_server_packets'($*)) dnl
')
########################################
##
## Receive smbd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_smbd_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_smbd_server_packets'($*)) dnl
gen_require(`
type smbd_server_packet_t;
')
# Allow the domain to receive packets labeled smbd_server_packet_t.  Only
# traffic that has been given this label (e.g. by SECMARK rules) is affected.
allow $1 smbd_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_smbd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive smbd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_smbd_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_smbd_server_packets'($*)) dnl
gen_require(`
type smbd_server_packet_t;
')
# Suppress, without granting, AVC denials for receiving smbd_server_packet_t
# packets; the access is still refused, it is just no longer logged.
dontaudit $1 smbd_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_smbd_server_packets'($*)) dnl
')
########################################
##
## Send and receive smbd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_smbd_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_smbd_server_packets'($*)) dnl
# corenet_sendrecv_smbd_server_packets(domain): composite of the send and
# receive interfaces for smbd_server_packet_t.  The define/pushdef/undefine
# lines only track policy_call_depth for the trace comments and emit no policy.
corenet_send_smbd_server_packets($1)
corenet_receive_smbd_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_smbd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive smbd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_smbd_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_smbd_server_packets'($*)) dnl
# corenet_dontaudit_sendrecv_smbd_server_packets(domain): composite of the
# send and receive dontaudit interfaces; silences both denials, grants nothing.
corenet_dontaudit_send_smbd_server_packets($1)
corenet_dontaudit_receive_smbd_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_smbd_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the smbd_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_smbd_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_smbd_server_packets'($*)) dnl
gen_require(`
type smbd_server_packet_t;
')
# Allow relabeling packet objects to smbd_server_packet_t, i.e. assigning
# that label to traffic (what the component applying SECMARK rules needs).
# Restrict to the labeling tool domain: whoever can relabel packets chooses
# which packet rules apply to the traffic it marks.
allow $1 smbd_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_smbd_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the smtp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_smtp_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_smtp_port'($*)) dnl
gen_require(`
type smtp_port_t;
')
# Allow send_msg and recv_msg on TCP sockets for smtp_port_t.  This is only
# the traffic permission; name_bind and name_connect come from the separate
# bind and connect interfaces.
allow $1 smtp_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_smtp_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the smtp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_smtp_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_smtp_port'($*)) dnl
gen_require(`
type smtp_port_t;
')
# Allow send_msg on UDP sockets for smtp_port_t (traffic permission only;
# binding to the port is a separate interface).
allow $1 smtp_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_smtp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the smtp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_smtp_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_smtp_port'($*)) dnl
gen_require(`
type smtp_port_t;
')
# Suppress AVC denials for send_msg on UDP sockets for smtp_port_t without
# granting it.  Hidden denials are invisible to audit-based detection, so
# scope this to the specific noisy domain rather than an attribute.
dontaudit $1 smtp_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_smtp_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the smtp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_smtp_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_smtp_port'($*)) dnl
gen_require(`
type smtp_port_t;
')
# Allow recv_msg on UDP sockets for smtp_port_t (traffic permission only;
# binding to the port is a separate interface).
allow $1 smtp_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_smtp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the smtp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_smtp_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_smtp_port'($*)) dnl
gen_require(`
type smtp_port_t;
')
# Suppress AVC denials for recv_msg on UDP sockets for smtp_port_t without
# granting it; the denial still happens, it is just no longer logged.
dontaudit $1 smtp_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_smtp_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the smtp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_smtp_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_smtp_port'($*)) dnl
# corenet_udp_sendrecv_smtp_port(domain): composite of the UDP send and
# receive interfaces for smtp_port_t.  The define/pushdef/undefine lines only
# track policy_call_depth for the trace comments and emit no policy.
corenet_udp_send_smtp_port($1)
corenet_udp_receive_smtp_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_smtp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the smtp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_smtp_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_smtp_port'($*)) dnl
# corenet_dontaudit_udp_sendrecv_smtp_port(domain): composite of the UDP send
# and receive dontaudit interfaces; silences both denials, grants nothing.
corenet_dontaudit_udp_send_smtp_port($1)
corenet_dontaudit_udp_receive_smtp_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_smtp_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the smtp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_smtp_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_smtp_port'($*)) dnl
gen_require(`
type smtp_port_t;
')
# Allow name_bind of TCP sockets to smtp_port_t; this port-level rule is what
# keeps the grant narrow.
allow $1 smtp_port_t:tcp_socket name_bind;
# net_bind_service is presumably emitted because this is a reserved (<1024)
# port.  It is a process-wide capability, not a per-port grant: once held,
# the domain can bind any reserved port it also has a name_bind rule for, so
# review the callers of this interface together with their other bind rules.
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_smtp_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the smtp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_smtp_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_smtp_port'($*)) dnl
gen_require(`
type smtp_port_t;
')
# Allow name_bind of UDP sockets to smtp_port_t.
allow $1 smtp_port_t:udp_socket name_bind;
# net_bind_service is process-wide, not scoped to this port: with it the
# domain can bind any reserved (<1024) port it also holds a name_bind rule
# for.  The name_bind rule above is the effective restriction.
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_smtp_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the smtp port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_smtp_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_smtp_port'($*)) dnl
gen_require(`
type smtp_port_t;
')
# Allow name_connect to smtp_port_t, i.e. outbound client connections only;
# listening on the port needs the bind interface instead.
allow $1 smtp_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_smtp_port'($*)) dnl
')
########################################
##
## Send smtp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_smtp_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_smtp_client_packets'($*)) dnl
gen_require(`
type smtp_client_packet_t;
')
# Allow the domain to send packets labeled smtp_client_packet_t.  Only traffic
# that has been given this label (e.g. by SECMARK rules) is affected.
allow $1 smtp_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_smtp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send smtp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_smtp_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_smtp_client_packets'($*)) dnl
gen_require(`
type smtp_client_packet_t;
')
# Suppress, without granting, AVC denials for sending smtp_client_packet_t
# packets.  Hidden denials are lost to audit-based detection, so scope this
# to the single domain that is known to be noisy.
dontaudit $1 smtp_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_smtp_client_packets'($*)) dnl
')
########################################
##
## Receive smtp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_smtp_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_smtp_client_packets'($*)) dnl
gen_require(`
type smtp_client_packet_t;
')
# Allow the domain to receive packets labeled smtp_client_packet_t.  Only
# traffic that has been given this label (e.g. by SECMARK rules) is affected.
allow $1 smtp_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_smtp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive smtp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_smtp_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_smtp_client_packets'($*)) dnl
gen_require(`
type smtp_client_packet_t;
')
# Suppress, without granting, AVC denials for receiving smtp_client_packet_t
# packets; the access is still refused, it is just no longer logged.
dontaudit $1 smtp_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_smtp_client_packets'($*)) dnl
')
########################################
##
## Send and receive smtp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_smtp_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_smtp_client_packets'($*)) dnl
# Convenience wrapper: grants both packet directions by delegating to the
# single-direction interfaces, which carry their own gen_require blocks.
corenet_send_smtp_client_packets($1)
corenet_receive_smtp_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_smtp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive smtp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_smtp_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_smtp_client_packets'($*)) dnl
# Convenience wrapper: silences the AVC denials for both packet directions
# by delegating to the single-direction dontaudit interfaces. The access
# itself remains denied.
corenet_dontaudit_send_smtp_client_packets($1)
corenet_dontaudit_receive_smtp_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_smtp_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the smtp_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_smtp_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_smtp_client_packets'($*)) dnl
gen_require(`
type smtp_client_packet_t;
')
# Permits assigning the smtp_client_packet_t label to packets. NOTE(review):
# this is the permission checked when netfilter SECMARK rules naming this
# type are loaded, so it is normally needed only by the firewall-loading
# domain, not by the SMTP client itself -- confirm the caller.
allow $1 smtp_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_smtp_client_packets'($*)) dnl
')
########################################
##
## Send smtp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_smtp_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_smtp_server_packets'($*)) dnl
gen_require(`
type smtp_server_packet_t;
')
# Labeled-packet control: permits the domain to transmit packets carrying
# the smtp_server_packet_t label. NOTE(review): packets only get this label
# from netfilter SECMARK rules; on a host without such rules the traffic is
# unlabeled and this grant has no effect -- confirm on the host.
allow $1 smtp_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_smtp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send smtp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_smtp_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_smtp_server_packets'($*)) dnl
gen_require(`
type smtp_server_packet_t;
')
# Audit suppression only: sending packets labeled smtp_server_packet_t stays
# denied, the AVC denial is just not logged. Use sparingly, because it also
# hides a genuine misuse attempt from anyone reading the audit log.
dontaudit $1 smtp_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_smtp_server_packets'($*)) dnl
')
########################################
##
## Receive smtp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_smtp_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_smtp_server_packets'($*)) dnl
gen_require(`
type smtp_server_packet_t;
')
# Labeled-packet control: permits delivery of packets carrying the
# smtp_server_packet_t label to the domain. NOTE(review): packets only get
# this label from netfilter SECMARK rules; on a host without such rules the
# traffic is unlabeled and this grant has no effect -- confirm on the host.
allow $1 smtp_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_smtp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive smtp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_smtp_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_smtp_server_packets'($*)) dnl
gen_require(`
type smtp_server_packet_t;
')
# Audit suppression only: receiving packets labeled smtp_server_packet_t
# stays denied, the AVC denial is just not logged. Use sparingly, because it
# also hides a genuine misuse attempt from anyone reading the audit log.
dontaudit $1 smtp_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_smtp_server_packets'($*)) dnl
')
########################################
##
## Send and receive smtp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_smtp_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_smtp_server_packets'($*)) dnl
# Convenience wrapper: grants both packet directions by delegating to the
# single-direction interfaces, which carry their own gen_require blocks.
corenet_send_smtp_server_packets($1)
corenet_receive_smtp_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_smtp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive smtp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_smtp_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_smtp_server_packets'($*)) dnl
# Convenience wrapper: silences the AVC denials for both packet directions
# by delegating to the single-direction dontaudit interfaces. The access
# itself remains denied.
corenet_dontaudit_send_smtp_server_packets($1)
corenet_dontaudit_receive_smtp_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_smtp_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the smtp_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_smtp_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_smtp_server_packets'($*)) dnl
gen_require(`
type smtp_server_packet_t;
')
# Permits assigning the smtp_server_packet_t label to packets. NOTE(review):
# this is the permission checked when netfilter SECMARK rules naming this
# type are loaded, so it is normally needed only by the firewall-loading
# domain, not by the SMTP server itself -- confirm the caller.
allow $1 smtp_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_smtp_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the snmp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_snmp_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_snmp_port'($*)) dnl
gen_require(`
type snmp_port_t;
')
# Legacy port-based TCP control. NOTE(review): send_msg/recv_msg on a port
# type are the pre-SECMARK network checks; kernels running with the
# network_peer_controls policy capability do not evaluate them, so this
# grant is mostly compatibility. The enforced egress check for TCP is
# name_connect, see corenet_tcp_connect_snmp_port -- confirm the policycap.
allow $1 snmp_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_snmp_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the snmp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_snmp_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_snmp_port'($*)) dnl
gen_require(`
type snmp_port_t;
')
# Legacy port-based UDP control. NOTE(review): send_msg on a port type is a
# pre-SECMARK network check that kernels with the network_peer_controls
# policy capability skip; there is no name_connect equivalent for UDP, so
# outbound UDP to this port is effectively limited only by labeled packets
# or node/netif rules -- confirm the policycap before relying on this.
allow $1 snmp_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_snmp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the snmp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_snmp_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_snmp_port'($*)) dnl
gen_require(`
type snmp_port_t;
')
# Audit suppression only: the send stays denied, the AVC denial is just not
# logged. Only meaningful where the legacy port checks are still enforced.
dontaudit $1 snmp_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_snmp_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the snmp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_snmp_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_snmp_port'($*)) dnl
gen_require(`
type snmp_port_t;
')
# Legacy port-based UDP control. NOTE(review): recv_msg on a port type is a
# pre-SECMARK network check that kernels with the network_peer_controls
# policy capability skip -- confirm the policycap before relying on it.
allow $1 snmp_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_snmp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the snmp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_snmp_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_snmp_port'($*)) dnl
gen_require(`
type snmp_port_t;
')
# Audit suppression only: the receive stays denied, the AVC denial is just
# not logged. Only meaningful where the legacy port checks are enforced.
dontaudit $1 snmp_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_snmp_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the snmp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_snmp_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_snmp_port'($*)) dnl
# Convenience wrapper: grants both UDP directions by delegating to the
# single-direction interfaces, which carry their own gen_require blocks.
corenet_udp_send_snmp_port($1)
corenet_udp_receive_snmp_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_snmp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the snmp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_snmp_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_snmp_port'($*)) dnl
# Convenience wrapper: silences the AVC denials for both UDP directions by
# delegating to the single-direction dontaudit interfaces. The access
# itself remains denied.
corenet_dontaudit_udp_send_snmp_port($1)
corenet_dontaudit_udp_receive_snmp_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_snmp_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the snmp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_snmp_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_snmp_port'($*)) dnl
gen_require(`
type snmp_port_t;
')
# name_bind is the per-port SELinux check performed on bind(2); it is
# enforced regardless of SECMARK or peer labeling.
allow $1 snmp_port_t:tcp_socket name_bind;
# CAP_NET_BIND_SERVICE is the DAC requirement for binding a port below 1024,
# which is presumably why the generator emits it for snmp (the port number
# is not visible in this file). NOTE(review): the capability is granted on
# self, i.e. process-wide, not scoped to this port -- the per-port scoping
# comes only from the name_bind rules, so review all name_bind grants on the
# calling domain together.
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_snmp_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the snmp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_snmp_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_snmp_port'($*)) dnl
gen_require(`
type snmp_port_t;
')
# name_bind is the per-port SELinux check performed on bind(2); it is
# enforced regardless of SECMARK or peer labeling.
allow $1 snmp_port_t:udp_socket name_bind;
# CAP_NET_BIND_SERVICE is the DAC requirement for binding a port below 1024,
# which is presumably why the generator emits it for snmp (the port number
# is not visible in this file). NOTE(review): the capability is granted on
# self, i.e. process-wide, not scoped to this port -- the per-port scoping
# comes only from the name_bind rules, so review all name_bind grants on the
# calling domain together.
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_snmp_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the snmp port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_snmp_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_snmp_port'($*)) dnl
gen_require(`
type snmp_port_t;
')
# name_connect is checked on connect(2) for TCP and, unlike the legacy
# send_msg/recv_msg port permissions, is enforced independently of SECMARK
# or peer labeling. This is therefore the effective egress restriction for
# TCP to the snmp port and should be granted only to genuine SNMP clients.
allow $1 snmp_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_snmp_port'($*)) dnl
')
########################################
##
## Send snmp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_snmp_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_snmp_client_packets'($*)) dnl
gen_require(`
type snmp_client_packet_t;
')
# Labeled-packet control: permits the domain to transmit packets carrying
# the snmp_client_packet_t label. NOTE(review): packets only get this label
# from netfilter SECMARK rules; on a host without such rules the traffic is
# unlabeled and this grant has no effect -- confirm on the host.
allow $1 snmp_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_snmp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send snmp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_snmp_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_snmp_client_packets'($*)) dnl
gen_require(`
type snmp_client_packet_t;
')
# Audit suppression only: sending packets labeled snmp_client_packet_t stays
# denied, the AVC denial is just not logged. Use sparingly, because it also
# hides a genuine misuse attempt from anyone reading the audit log.
dontaudit $1 snmp_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_snmp_client_packets'($*)) dnl
')
########################################
##
## Receive snmp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_snmp_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_snmp_client_packets'($*)) dnl
gen_require(`
type snmp_client_packet_t;
')
# Labeled-packet control: permits delivery of packets carrying the
# snmp_client_packet_t label to the domain. NOTE(review): packets only get
# this label from netfilter SECMARK rules; on a host without such rules the
# traffic is unlabeled and this grant has no effect -- confirm on the host.
allow $1 snmp_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_snmp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive snmp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_snmp_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_snmp_client_packets'($*)) dnl
gen_require(`
type snmp_client_packet_t;
')
# Audit suppression only: receiving packets labeled snmp_client_packet_t
# stays denied, the AVC denial is just not logged. Use sparingly, because it
# also hides a genuine misuse attempt from anyone reading the audit log.
dontaudit $1 snmp_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_snmp_client_packets'($*)) dnl
')
########################################
##
## Send and receive snmp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_snmp_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_snmp_client_packets'($*)) dnl
# Convenience wrapper: grants both packet directions by delegating to the
# single-direction interfaces, which carry their own gen_require blocks.
corenet_send_snmp_client_packets($1)
corenet_receive_snmp_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_snmp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive snmp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_snmp_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_snmp_client_packets'($*)) dnl
# Convenience wrapper: silences the AVC denials for both packet directions
# by delegating to the single-direction dontaudit interfaces. The access
# itself remains denied.
corenet_dontaudit_send_snmp_client_packets($1)
corenet_dontaudit_receive_snmp_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_snmp_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the snmp_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_snmp_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_snmp_client_packets'($*)) dnl
gen_require(`
type snmp_client_packet_t;
')
# Permits assigning the snmp_client_packet_t label to packets. NOTE(review):
# this is the permission checked when netfilter SECMARK rules naming this
# type are loaded, so it is normally needed only by the firewall-loading
# domain, not by the SNMP client itself -- confirm the caller.
allow $1 snmp_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_snmp_client_packets'($*)) dnl
')
########################################
##
## Send snmp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_snmp_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_snmp_server_packets'($*)) dnl
gen_require(`
type snmp_server_packet_t;
')
# Labeled-packet control: permits the domain to transmit packets carrying
# the snmp_server_packet_t label. NOTE(review): packets only get this label
# from netfilter SECMARK rules; on a host without such rules the traffic is
# unlabeled and this grant has no effect -- confirm on the host.
allow $1 snmp_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_snmp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send snmp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_snmp_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_snmp_server_packets'($*)) dnl
gen_require(`
type snmp_server_packet_t;
')
# Audit suppression only: sending packets labeled snmp_server_packet_t stays
# denied, the AVC denial is just not logged. Use sparingly, because it also
# hides a genuine misuse attempt from anyone reading the audit log.
dontaudit $1 snmp_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_snmp_server_packets'($*)) dnl
')
########################################
##
## Receive snmp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_snmp_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_snmp_server_packets'($*)) dnl
gen_require(`
type snmp_server_packet_t;
')
# Labeled-packet control: permits delivery of packets carrying the
# snmp_server_packet_t label to the domain. NOTE(review): packets only get
# this label from netfilter SECMARK rules; on a host without such rules the
# traffic is unlabeled and this grant has no effect -- confirm on the host.
allow $1 snmp_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_snmp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive snmp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_snmp_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_snmp_server_packets'($*)) dnl
gen_require(`
type snmp_server_packet_t;
')
# Audit suppression only: receiving packets labeled snmp_server_packet_t
# stays denied, the AVC denial is just not logged. Use sparingly, because it
# also hides a genuine misuse attempt from anyone reading the audit log.
dontaudit $1 snmp_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_snmp_server_packets'($*)) dnl
')
########################################
##
## Send and receive snmp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_snmp_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_snmp_server_packets'($*)) dnl
# Convenience wrapper: grants both packet directions by delegating to the
# single-direction interfaces, which carry their own gen_require blocks.
corenet_send_snmp_server_packets($1)
corenet_receive_snmp_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_snmp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive snmp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_snmp_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_snmp_server_packets'($*)) dnl
# Convenience wrapper: silences the AVC denials for both packet directions
# by delegating to the single-direction dontaudit interfaces. The access
# itself remains denied.
corenet_dontaudit_send_snmp_server_packets($1)
corenet_dontaudit_receive_snmp_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_snmp_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the snmp_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_snmp_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_snmp_server_packets'($*)) dnl
gen_require(`
type snmp_server_packet_t;
')
# Permits assigning the snmp_server_packet_t label to packets. NOTE(review):
# this is the permission checked when netfilter SECMARK rules naming this
# type are loaded, so it is normally needed only by the firewall-loading
# domain, not by the SNMP server itself -- confirm the caller.
allow $1 snmp_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_snmp_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the spamd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_spamd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_spamd_port'($*)) dnl
gen_require(`
type spamd_port_t;
')
# Legacy port-based TCP control. NOTE(review): send_msg/recv_msg on a port
# type are the pre-SECMARK network checks; kernels running with the
# network_peer_controls policy capability do not evaluate them, so this
# grant is mostly compatibility. The enforced egress check for TCP is
# name_connect, see corenet_tcp_connect_spamd_port -- confirm the policycap.
allow $1 spamd_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_spamd_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the spamd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_spamd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_spamd_port'($*)) dnl
gen_require(`
type spamd_port_t;
')
# Legacy port-based UDP control. NOTE(review): send_msg on a port type is a
# pre-SECMARK network check that kernels with the network_peer_controls
# policy capability skip; there is no name_connect equivalent for UDP, so
# outbound UDP to this port is effectively limited only by labeled packets
# or node/netif rules -- confirm the policycap before relying on this.
allow $1 spamd_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_spamd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the spamd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_spamd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_spamd_port'($*)) dnl
gen_require(`
type spamd_port_t;
')
# Audit suppression only: the send stays denied, the AVC denial is just not
# logged. Only meaningful where the legacy port checks are still enforced.
dontaudit $1 spamd_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_spamd_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the spamd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_spamd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_spamd_port'($*)) dnl
gen_require(`
type spamd_port_t;
')
# Legacy port-based UDP control. NOTE(review): recv_msg on a port type is a
# pre-SECMARK network check that kernels with the network_peer_controls
# policy capability skip -- confirm the policycap before relying on it.
allow $1 spamd_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_spamd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the spamd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_spamd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_spamd_port'($*)) dnl
gen_require(`
type spamd_port_t;
')
# Audit suppression only: the receive stays denied, the AVC denial is just
# not logged. Only meaningful where the legacy port checks are enforced.
dontaudit $1 spamd_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_spamd_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the spamd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_spamd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_spamd_port'($*)) dnl
# Convenience wrapper: grants both UDP directions by delegating to the
# single-direction interfaces, which carry their own gen_require blocks.
corenet_udp_send_spamd_port($1)
corenet_udp_receive_spamd_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_spamd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the spamd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_spamd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_spamd_port'($*)) dnl
# Convenience wrapper: silences the AVC denials for both UDP directions by
# delegating to the single-direction dontaudit interfaces. The access
# itself remains denied.
corenet_dontaudit_udp_send_spamd_port($1)
corenet_dontaudit_udp_receive_spamd_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_spamd_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the spamd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_spamd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_spamd_port'($*)) dnl
gen_require(`
type spamd_port_t;
')
# name_bind is the per-port SELinux check performed on bind(2); it is
# enforced regardless of SECMARK or peer labeling.
allow $1 spamd_port_t:tcp_socket name_bind;
# CAP_NET_BIND_SERVICE is the DAC requirement for binding a port below 1024,
# which is presumably why the generator emits it for spamd (the port number
# is not visible in this file). NOTE(review): the capability is granted on
# self, i.e. process-wide, not scoped to this port -- the per-port scoping
# comes only from the name_bind rules, so review all name_bind grants on the
# calling domain together.
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_spamd_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the spamd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_spamd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_spamd_port'($*)) dnl
gen_require(`
type spamd_port_t;
')
# name_bind is the per-port SELinux check performed on bind(2); it is
# enforced regardless of SECMARK or peer labeling.
allow $1 spamd_port_t:udp_socket name_bind;
# CAP_NET_BIND_SERVICE is the DAC requirement for binding a port below 1024,
# which is presumably why the generator emits it for spamd (the port number
# is not visible in this file). NOTE(review): the capability is granted on
# self, i.e. process-wide, not scoped to this port -- the per-port scoping
# comes only from the name_bind rules, so review all name_bind grants on the
# calling domain together.
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_spamd_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the spamd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_spamd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_spamd_port'($*)) dnl
gen_require(`
type spamd_port_t;
')
# name_connect is checked on connect(2) for TCP and, unlike the legacy
# send_msg/recv_msg port permissions, is enforced independently of SECMARK
# or peer labeling. This is therefore the effective egress restriction for
# TCP to the spamd port and should be granted only to genuine spamd clients.
allow $1 spamd_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_spamd_port'($*)) dnl
')
########################################
##
## Send spamd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_spamd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_spamd_client_packets'($*)) dnl
gen_require(`
type spamd_client_packet_t;
')
# Labeled-packet control: permits the domain to transmit packets carrying
# the spamd_client_packet_t label. NOTE(review): packets only get this label
# from netfilter SECMARK rules; on a host without such rules the traffic is
# unlabeled and this grant has no effect -- confirm on the host.
allow $1 spamd_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_spamd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send spamd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_spamd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_spamd_client_packets'($*)) dnl
dnl Interface corenet_dontaudit_send_spamd_client_packets(domain): suppress
dnl audit records for denied sends of spamd_client_packet_t packets by the
dnl domain argument.  No access is granted; the denial still happens.
gen_require(`
type spamd_client_packet_t;
')
dontaudit $1 spamd_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_spamd_client_packets'($*)) dnl
')
########################################
##
## Receive spamd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_spamd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_spamd_client_packets'($*)) dnl
dnl Interface corenet_receive_spamd_client_packets(domain): let the domain
dnl argument receive packets labeled spamd_client_packet_t (packet class,
dnl recv permission).  Send is a separate interface.
gen_require(`
type spamd_client_packet_t;
')
allow $1 spamd_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_spamd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive spamd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_spamd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_spamd_client_packets'($*)) dnl
dnl Interface corenet_dontaudit_receive_spamd_client_packets(domain): suppress
dnl audit records for denied receives of spamd_client_packet_t packets by
dnl the domain argument.  No access is granted; the denial still happens.
gen_require(`
type spamd_client_packet_t;
')
dontaudit $1 spamd_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_spamd_client_packets'($*)) dnl
')
########################################
##
## Send and receive spamd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_spamd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_spamd_client_packets'($*)) dnl
dnl Interface corenet_sendrecv_spamd_client_packets(domain): convenience
dnl wrapper that expands the send and receive interfaces for the same
dnl domain argument.  It emits no rules of its own, so it carries no
dnl gen_require block; each callee declares the packet type it needs.
corenet_send_spamd_client_packets($1)
corenet_receive_spamd_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_spamd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive spamd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_spamd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_spamd_client_packets'($*)) dnl
dnl Interface corenet_dontaudit_sendrecv_spamd_client_packets(domain):
dnl convenience wrapper expanding the dontaudit send and dontaudit receive
dnl interfaces for the same domain argument.  Only audit suppression
dnl results; no access is granted.
corenet_dontaudit_send_spamd_client_packets($1)
corenet_dontaudit_receive_spamd_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_spamd_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the spamd_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_spamd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_spamd_client_packets'($*)) dnl
dnl Interface corenet_relabelto_spamd_client_packets(domain): let the domain
dnl argument assign the spamd_client_packet_t label to network packets
dnl (packet class, relabelto).  This is a labeling privilege rather than a
dnl send or receive one; presumably intended for the domain that manages
dnl packet labeling rules, so callers should be reviewed with care.
gen_require(`
type spamd_client_packet_t;
')
allow $1 spamd_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_spamd_client_packets'($*)) dnl
')
########################################
##
## Send spamd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_spamd_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_spamd_server_packets'($*)) dnl
dnl Interface corenet_send_spamd_server_packets(domain): let the domain
dnl argument send packets labeled spamd_server_packet_t (packet class,
dnl send permission).  Receive is a separate interface.
gen_require(`
type spamd_server_packet_t;
')
allow $1 spamd_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_spamd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send spamd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_spamd_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_spamd_server_packets'($*)) dnl
dnl Interface corenet_dontaudit_send_spamd_server_packets(domain): suppress
dnl audit records for denied sends of spamd_server_packet_t packets by the
dnl domain argument.  No access is granted; the denial still happens.
gen_require(`
type spamd_server_packet_t;
')
dontaudit $1 spamd_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_spamd_server_packets'($*)) dnl
')
########################################
##
## Receive spamd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_spamd_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_spamd_server_packets'($*)) dnl
dnl Interface corenet_receive_spamd_server_packets(domain): let the domain
dnl argument receive packets labeled spamd_server_packet_t (packet class,
dnl recv permission).  Send is a separate interface.
gen_require(`
type spamd_server_packet_t;
')
allow $1 spamd_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_spamd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive spamd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_spamd_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_spamd_server_packets'($*)) dnl
dnl Interface corenet_dontaudit_receive_spamd_server_packets(domain): suppress
dnl audit records for denied receives of spamd_server_packet_t packets by
dnl the domain argument.  No access is granted; the denial still happens.
gen_require(`
type spamd_server_packet_t;
')
dontaudit $1 spamd_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_spamd_server_packets'($*)) dnl
')
########################################
##
## Send and receive spamd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_spamd_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_spamd_server_packets'($*)) dnl
dnl Interface corenet_sendrecv_spamd_server_packets(domain): convenience
dnl wrapper that expands the send and receive interfaces for the same
dnl domain argument.  It emits no rules of its own, so it carries no
dnl gen_require block; each callee declares the packet type it needs.
corenet_send_spamd_server_packets($1)
corenet_receive_spamd_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_spamd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive spamd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_spamd_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_spamd_server_packets'($*)) dnl
dnl Interface corenet_dontaudit_sendrecv_spamd_server_packets(domain):
dnl convenience wrapper expanding the dontaudit send and dontaudit receive
dnl interfaces for the same domain argument.  Only audit suppression
dnl results; no access is granted.
corenet_dontaudit_send_spamd_server_packets($1)
corenet_dontaudit_receive_spamd_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_spamd_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the spamd_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_spamd_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_spamd_server_packets'($*)) dnl
dnl Interface corenet_relabelto_spamd_server_packets(domain): let the domain
dnl argument assign the spamd_server_packet_t label to network packets
dnl (packet class, relabelto).  This is a labeling privilege rather than a
dnl send or receive one; presumably intended for the domain that manages
dnl packet labeling rules, so callers should be reviewed with care.
gen_require(`
type spamd_server_packet_t;
')
allow $1 spamd_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_spamd_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the ssh port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_ssh_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ssh_port'($*)) dnl
dnl Interface corenet_tcp_sendrecv_ssh_port(domain): let the domain argument
dnl send and receive TCP traffic on ssh_port_t in a single rule (send_msg
dnl and recv_msg).  Connecting to or binding the port is not included;
dnl those are separate interfaces.
gen_require(`
type ssh_port_t;
')
allow $1 ssh_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ssh_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the ssh port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_ssh_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ssh_port'($*)) dnl
dnl Interface corenet_udp_send_ssh_port(domain): let the domain argument
dnl send UDP datagrams on ssh_port_t (udp_socket send_msg only).
dnl Receiving is a separate interface.
gen_require(`
type ssh_port_t;
')
allow $1 ssh_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_ssh_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the ssh port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_ssh_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ssh_port'($*)) dnl
dnl Interface corenet_dontaudit_udp_send_ssh_port(domain): suppress audit
dnl records for denied UDP sends on ssh_port_t by the domain argument.
dnl No access is granted; the denial still happens.
gen_require(`
type ssh_port_t;
')
dontaudit $1 ssh_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ssh_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the ssh port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_ssh_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ssh_port'($*)) dnl
dnl Interface corenet_udp_receive_ssh_port(domain): let the domain argument
dnl receive UDP datagrams on ssh_port_t (udp_socket recv_msg only).
dnl Sending is a separate interface.
gen_require(`
type ssh_port_t;
')
allow $1 ssh_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ssh_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the ssh port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_ssh_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ssh_port'($*)) dnl
dnl Interface corenet_dontaudit_udp_receive_ssh_port(domain): suppress audit
dnl records for denied UDP receives on ssh_port_t by the domain argument.
dnl No access is granted; the denial still happens.
gen_require(`
type ssh_port_t;
')
dontaudit $1 ssh_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ssh_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the ssh port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_ssh_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ssh_port'($*)) dnl
dnl Interface corenet_udp_sendrecv_ssh_port(domain): convenience wrapper
dnl that expands the UDP send and UDP receive interfaces for the same
dnl domain argument.  No rules of its own, hence no gen_require here;
dnl each callee declares ssh_port_t itself.
corenet_udp_send_ssh_port($1)
corenet_udp_receive_ssh_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ssh_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the ssh port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_ssh_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ssh_port'($*)) dnl
dnl Interface corenet_dontaudit_udp_sendrecv_ssh_port(domain): convenience
dnl wrapper expanding the dontaudit UDP send and dontaudit UDP receive
dnl interfaces for the same domain argument.  Only audit suppression
dnl results; no access is granted.
corenet_dontaudit_udp_send_ssh_port($1)
corenet_dontaudit_udp_receive_ssh_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ssh_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the ssh port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_ssh_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ssh_port'($*)) dnl
dnl Interface corenet_tcp_bind_ssh_port(domain): let the domain argument
dnl bind TCP sockets to ssh_port_t (name_bind).  The net_bind_service
dnl capability is granted alongside it; presumably the ssh port is in the
dnl reserved range, where the kernel capability check precedes the port
dnl check.  Callers get both permissions, not just the port one.
gen_require(`
type ssh_port_t;
')
allow $1 ssh_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ssh_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the ssh port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_ssh_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ssh_port'($*)) dnl
dnl Interface corenet_udp_bind_ssh_port(domain): let the domain argument
dnl bind UDP sockets to ssh_port_t (name_bind).  The net_bind_service
dnl capability is granted alongside it; presumably the ssh port is in the
dnl reserved range, where the kernel capability check precedes the port
dnl check.  Callers get both permissions, not just the port one.
gen_require(`
type ssh_port_t;
')
allow $1 ssh_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ssh_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the ssh port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_ssh_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ssh_port'($*)) dnl
dnl Interface corenet_tcp_connect_ssh_port(domain): let the domain argument
dnl open outbound TCP connections to ssh_port_t (name_connect only).
dnl Sending and receiving on the port, and binding to it, are separate
dnl interfaces and are not implied by this one.
gen_require(`
type ssh_port_t;
')
allow $1 ssh_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ssh_port'($*)) dnl
')
########################################
##
## Send ssh_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_ssh_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ssh_client_packets'($*)) dnl
dnl Interface corenet_send_ssh_client_packets(domain): let the domain
dnl argument send packets labeled ssh_client_packet_t (packet class,
dnl send permission).  Receive is a separate interface.
gen_require(`
type ssh_client_packet_t;
')
allow $1 ssh_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ssh_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send ssh_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_ssh_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ssh_client_packets'($*)) dnl
dnl Interface corenet_dontaudit_send_ssh_client_packets(domain): suppress
dnl audit records for denied sends of ssh_client_packet_t packets by the
dnl domain argument.  No access is granted; the denial still happens.
gen_require(`
type ssh_client_packet_t;
')
dontaudit $1 ssh_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ssh_client_packets'($*)) dnl
')
########################################
##
## Receive ssh_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_ssh_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ssh_client_packets'($*)) dnl
dnl Interface corenet_receive_ssh_client_packets(domain): let the domain
dnl argument receive packets labeled ssh_client_packet_t (packet class,
dnl recv permission).  Send is a separate interface.
gen_require(`
type ssh_client_packet_t;
')
allow $1 ssh_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ssh_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive ssh_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_ssh_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ssh_client_packets'($*)) dnl
dnl Interface corenet_dontaudit_receive_ssh_client_packets(domain): suppress
dnl audit records for denied receives of ssh_client_packet_t packets by
dnl the domain argument.  No access is granted; the denial still happens.
gen_require(`
type ssh_client_packet_t;
')
dontaudit $1 ssh_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ssh_client_packets'($*)) dnl
')
########################################
##
## Send and receive ssh_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_ssh_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ssh_client_packets'($*)) dnl
dnl Interface corenet_sendrecv_ssh_client_packets(domain): convenience
dnl wrapper that expands the send and receive interfaces for the same
dnl domain argument.  It emits no rules of its own, so it carries no
dnl gen_require block; each callee declares the packet type it needs.
corenet_send_ssh_client_packets($1)
corenet_receive_ssh_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ssh_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive ssh_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_ssh_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ssh_client_packets'($*)) dnl
dnl Interface corenet_dontaudit_sendrecv_ssh_client_packets(domain):
dnl convenience wrapper expanding the dontaudit send and dontaudit receive
dnl interfaces for the same domain argument.  Only audit suppression
dnl results; no access is granted.
corenet_dontaudit_send_ssh_client_packets($1)
corenet_dontaudit_receive_ssh_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ssh_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the ssh_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_ssh_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ssh_client_packets'($*)) dnl
dnl Interface corenet_relabelto_ssh_client_packets(domain): let the domain
dnl argument assign the ssh_client_packet_t label to network packets
dnl (packet class, relabelto).  This is a labeling privilege rather than a
dnl send or receive one; presumably intended for the domain that manages
dnl packet labeling rules, so callers should be reviewed with care.
gen_require(`
type ssh_client_packet_t;
')
allow $1 ssh_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ssh_client_packets'($*)) dnl
')
########################################
##
## Send ssh_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_ssh_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ssh_server_packets'($*)) dnl
dnl Interface corenet_send_ssh_server_packets(domain): let the domain
dnl argument send packets labeled ssh_server_packet_t (packet class,
dnl send permission).  Receive is a separate interface.
gen_require(`
type ssh_server_packet_t;
')
allow $1 ssh_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ssh_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send ssh_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_ssh_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ssh_server_packets'($*)) dnl
dnl Interface corenet_dontaudit_send_ssh_server_packets(domain): suppress
dnl audit records for denied sends of ssh_server_packet_t packets by the
dnl domain argument.  No access is granted; the denial still happens.
gen_require(`
type ssh_server_packet_t;
')
dontaudit $1 ssh_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ssh_server_packets'($*)) dnl
')
########################################
##
## Receive ssh_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_ssh_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ssh_server_packets'($*)) dnl
dnl Interface corenet_receive_ssh_server_packets(domain): let the domain
dnl argument receive packets labeled ssh_server_packet_t (packet class,
dnl recv permission).  Send is a separate interface.
gen_require(`
type ssh_server_packet_t;
')
allow $1 ssh_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ssh_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive ssh_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_ssh_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ssh_server_packets'($*)) dnl
dnl Interface corenet_dontaudit_receive_ssh_server_packets(domain): suppress
dnl audit records for denied receives of ssh_server_packet_t packets by
dnl the domain argument.  No access is granted; the denial still happens.
gen_require(`
type ssh_server_packet_t;
')
dontaudit $1 ssh_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ssh_server_packets'($*)) dnl
')
########################################
##
## Send and receive ssh_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_ssh_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ssh_server_packets'($*)) dnl
dnl Interface corenet_sendrecv_ssh_server_packets(domain): convenience
dnl wrapper that expands the send and receive interfaces for the same
dnl domain argument.  It emits no rules of its own, so it carries no
dnl gen_require block; each callee declares the packet type it needs.
corenet_send_ssh_server_packets($1)
corenet_receive_ssh_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ssh_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive ssh_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_ssh_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ssh_server_packets'($*)) dnl
dnl Interface corenet_dontaudit_sendrecv_ssh_server_packets(domain):
dnl convenience wrapper expanding the dontaudit send and dontaudit receive
dnl interfaces for the same domain argument.  Only audit suppression
dnl results; no access is granted.
corenet_dontaudit_send_ssh_server_packets($1)
corenet_dontaudit_receive_ssh_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ssh_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the ssh_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_ssh_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ssh_server_packets'($*)) dnl
dnl Interface corenet_relabelto_ssh_server_packets(domain): let the domain
dnl argument assign the ssh_server_packet_t label to network packets
dnl (packet class, relabelto).  This is a labeling privilege rather than a
dnl send or receive one; presumably intended for the domain that manages
dnl packet labeling rules, so callers should be reviewed with care.
gen_require(`
type ssh_server_packet_t;
')
allow $1 ssh_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ssh_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the squid port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_squid_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_squid_port'($*)) dnl
dnl Interface corenet_tcp_sendrecv_squid_port(domain): let the domain
dnl argument send and receive TCP traffic on squid_port_t in a single rule
dnl (send_msg and recv_msg).  Connecting to or binding the port is not
dnl included; those are separate interfaces.
gen_require(`
type squid_port_t;
')
allow $1 squid_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_squid_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the squid port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_squid_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_squid_port'($*)) dnl
dnl Interface corenet_udp_send_squid_port(domain): let the domain argument
dnl send UDP datagrams on squid_port_t (udp_socket send_msg only).
dnl Receiving is a separate interface.
gen_require(`
type squid_port_t;
')
allow $1 squid_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_squid_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the squid port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_squid_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_squid_port'($*)) dnl
dnl Interface corenet_dontaudit_udp_send_squid_port(domain): suppress audit
dnl records for denied UDP sends on squid_port_t by the domain argument.
dnl No access is granted; the denial still happens.
gen_require(`
type squid_port_t;
')
dontaudit $1 squid_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_squid_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the squid port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_squid_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_squid_port'($*)) dnl
dnl Interface corenet_udp_receive_squid_port(domain): let the domain
dnl argument receive UDP datagrams on squid_port_t (udp_socket recv_msg
dnl only).  Sending is a separate interface.
gen_require(`
type squid_port_t;
')
allow $1 squid_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_squid_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the squid port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_squid_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_squid_port'($*)) dnl
dnl Interface corenet_dontaudit_udp_receive_squid_port(domain): suppress
dnl audit records for denied UDP receives on squid_port_t by the domain
dnl argument.  No access is granted; the denial still happens.
gen_require(`
type squid_port_t;
')
dontaudit $1 squid_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_squid_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the squid port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_squid_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_squid_port'($*)) dnl
dnl Interface corenet_udp_sendrecv_squid_port(domain): convenience wrapper
dnl that expands the UDP send and UDP receive interfaces for the same
dnl domain argument.  No rules of its own, hence no gen_require here;
dnl each callee declares squid_port_t itself.
corenet_udp_send_squid_port($1)
corenet_udp_receive_squid_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_squid_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the squid port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_squid_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_squid_port'($*)) dnl
dnl Interface corenet_dontaudit_udp_sendrecv_squid_port(domain): convenience
dnl wrapper expanding the dontaudit UDP send and dontaudit UDP receive
dnl interfaces for the same domain argument.  Only audit suppression
dnl results; no access is granted.
corenet_dontaudit_udp_send_squid_port($1)
corenet_dontaudit_udp_receive_squid_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_squid_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the squid port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_squid_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_squid_port'($*)) dnl
dnl Interface corenet_tcp_bind_squid_port(domain): let the domain argument
dnl bind TCP sockets to squid_port_t (name_bind).  Unlike the ssh and spamd
dnl bind interfaces, no net_bind_service capability is granted here, which
dnl is consistent with a port outside the reserved range; confirm against
dnl the port definition before relying on that.
gen_require(`
type squid_port_t;
')
allow $1 squid_port_t:tcp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_squid_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the squid port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_squid_port',` dnl
dnl corenet_udp_bind_squid_port(domain): allow the domain to name_bind UDP sockets to
dnl squid_port_t. Checked at bind time only; sending and receiving on the bound socket
dnl are separate udp_socket permissions with their own interfaces.
dnl The policy_temp/policy_call_depth lines only feed the begin/end policy_m4_comment markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_squid_port'($*)) dnl
gen_require(`
type squid_port_t;
')
allow $1 squid_port_t:udp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_squid_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the squid port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_squid_port',` dnl
dnl corenet_tcp_connect_squid_port(domain): allow the domain to name_connect TCP sockets
dnl to squid_port_t. name_connect is checked at connect time against the label of the
dnl destination port; it does not cover binding or the legacy send_msg/recv_msg checks.
dnl The policy_temp/policy_call_depth lines only feed the begin/end policy_m4_comment markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_squid_port'($*)) dnl
gen_require(`
type squid_port_t;
')
allow $1 squid_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_squid_port'($*)) dnl
')
########################################
##
## Send squid_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_squid_client_packets',` dnl
dnl corenet_send_squid_client_packets(domain): allow the domain to send packets labeled
dnl squid_client_packet_t (packet class, send permission).
dnl NOTE(review): packet labels are assigned by SECMARK rules; presumably this rule is only
dnl exercised when such rules label traffic squid_client_packet_t - confirm in the deployment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_squid_client_packets'($*)) dnl
gen_require(`
type squid_client_packet_t;
')
allow $1 squid_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_squid_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send squid_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_squid_client_packets',` dnl
dnl corenet_dontaudit_send_squid_client_packets(domain): suppress the AVC record when the
dnl domain is denied packet send on squid_client_packet_t. dontaudit grants no access; it
dnl only hides the denial, so the event is invisible to log-based detection unless
dnl dontaudit rules are disabled (semodule -DB) while debugging.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_squid_client_packets'($*)) dnl
gen_require(`
type squid_client_packet_t;
')
dontaudit $1 squid_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_squid_client_packets'($*)) dnl
')
########################################
##
## Receive squid_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_squid_client_packets',` dnl
dnl corenet_receive_squid_client_packets(domain): allow the domain to receive packets
dnl labeled squid_client_packet_t (packet class, recv permission).
dnl NOTE(review): only meaningful where SECMARK rules assign that label to inbound traffic.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_squid_client_packets'($*)) dnl
gen_require(`
type squid_client_packet_t;
')
allow $1 squid_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_squid_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive squid_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_squid_client_packets',` dnl
dnl corenet_dontaudit_receive_squid_client_packets(domain): suppress the AVC record when the
dnl domain is denied packet recv on squid_client_packet_t. The argument is the domain to
dnl not audit; no access is granted and the denial is simply not logged.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_squid_client_packets'($*)) dnl
gen_require(`
type squid_client_packet_t;
')
dontaudit $1 squid_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_squid_client_packets'($*)) dnl
')
########################################
##
## Send and receive squid_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_squid_client_packets',` dnl
dnl corenet_sendrecv_squid_client_packets(domain): wrapper that expands to the send and
dnl receive interfaces for squid_client_packet_t. Each nested call does its own
dnl policy_call_depth bookkeeping, so the outer markers bracket the inner ones.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_squid_client_packets'($*)) dnl
corenet_send_squid_client_packets($1)
corenet_receive_squid_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_squid_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive squid_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_squid_client_packets',` dnl
dnl corenet_dontaudit_sendrecv_squid_client_packets(domain): wrapper over the dontaudit send
dnl and receive interfaces for squid_client_packet_t. Grants nothing; silences the AVC
dnl denial records in both directions.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_squid_client_packets'($*)) dnl
corenet_dontaudit_send_squid_client_packets($1)
corenet_dontaudit_receive_squid_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_squid_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the squid_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_squid_client_packets',` dnl
dnl corenet_relabelto_squid_client_packets(domain): allow the domain packet relabelto for
dnl squid_client_packet_t, i.e. to assign that label to packets.
dnl NOTE(review): this appears to be the permission checked when a netfilter SECMARK rule
dnl targets squid_client_packet_t; confirm against the kernel hook before relying on it.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_squid_client_packets'($*)) dnl
gen_require(`
type squid_client_packet_t;
')
allow $1 squid_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_squid_client_packets'($*)) dnl
')
########################################
##
## Send squid_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_squid_server_packets',` dnl
dnl corenet_send_squid_server_packets(domain): allow the domain to send packets labeled
dnl squid_server_packet_t (packet class, send permission).
dnl NOTE(review): only exercised where SECMARK rules assign that label to outbound traffic.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_squid_server_packets'($*)) dnl
gen_require(`
type squid_server_packet_t;
')
allow $1 squid_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_squid_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send squid_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_squid_server_packets',` dnl
dnl corenet_dontaudit_send_squid_server_packets(domain): suppress the AVC record when the
dnl domain is denied packet send on squid_server_packet_t. No access is granted; the
dnl denial is simply not logged.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_squid_server_packets'($*)) dnl
gen_require(`
type squid_server_packet_t;
')
dontaudit $1 squid_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_squid_server_packets'($*)) dnl
')
########################################
##
## Receive squid_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_squid_server_packets',` dnl
dnl corenet_receive_squid_server_packets(domain): allow the domain to receive packets
dnl labeled squid_server_packet_t (packet class, recv permission).
dnl The policy_temp/policy_call_depth lines only feed the begin/end policy_m4_comment markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_squid_server_packets'($*)) dnl
gen_require(`
type squid_server_packet_t;
')
allow $1 squid_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_squid_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive squid_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_squid_server_packets',` dnl
dnl corenet_dontaudit_receive_squid_server_packets(domain): suppress the AVC record when the
dnl domain is denied packet recv on squid_server_packet_t. The argument is the domain to
dnl not audit; dontaudit grants nothing.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_squid_server_packets'($*)) dnl
gen_require(`
type squid_server_packet_t;
')
dontaudit $1 squid_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_squid_server_packets'($*)) dnl
')
########################################
##
## Send and receive squid_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_squid_server_packets',` dnl
dnl corenet_sendrecv_squid_server_packets(domain): wrapper that expands to the send and
dnl receive interfaces for squid_server_packet_t; each nested call keeps its own
dnl policy_call_depth bookkeeping.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_squid_server_packets'($*)) dnl
corenet_send_squid_server_packets($1)
corenet_receive_squid_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_squid_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive squid_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_squid_server_packets',` dnl
dnl corenet_dontaudit_sendrecv_squid_server_packets(domain): wrapper over the dontaudit send
dnl and receive interfaces for squid_server_packet_t. Grants nothing; silences the AVC
dnl denial records in both directions.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_squid_server_packets'($*)) dnl
corenet_dontaudit_send_squid_server_packets($1)
corenet_dontaudit_receive_squid_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_squid_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the squid_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_squid_server_packets',` dnl
dnl corenet_relabelto_squid_server_packets(domain): allow the domain packet relabelto for
dnl squid_server_packet_t, i.e. to assign that label to packets.
dnl NOTE(review): appears to be the check applied when a netfilter SECMARK rule targets
dnl squid_server_packet_t; confirm against the kernel hook.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_squid_server_packets'($*)) dnl
gen_require(`
type squid_server_packet_t;
')
allow $1 squid_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_squid_server_packets'($*)) dnl
')
# snmp and htcp
########################################
##
## Send and receive TCP traffic on the soundd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_soundd_port',` dnl
dnl corenet_tcp_sendrecv_soundd_port(domain): allow tcp_socket { send_msg recv_msg } against
dnl soundd_port_t. This does not grant name_bind or name_connect.
dnl NOTE(review): per-port send_msg/recv_msg belong to the legacy network access model and
dnl are not enforced once the network_peer_controls policy capability is on - confirm
dnl whether this policy still relies on them.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_soundd_port'($*)) dnl
gen_require(`
type soundd_port_t;
')
allow $1 soundd_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_soundd_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the soundd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_soundd_port',` dnl
dnl corenet_udp_send_soundd_port(domain): allow udp_socket send_msg against soundd_port_t.
dnl Send direction only; receiving and binding have their own interfaces.
dnl NOTE(review): per-port send_msg is a legacy network check; confirm it is still enforced
dnl under the policy capabilities this policy enables.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_soundd_port'($*)) dnl
gen_require(`
type soundd_port_t;
')
allow $1 soundd_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_soundd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the soundd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_soundd_port',` dnl
dnl corenet_dontaudit_udp_send_soundd_port(domain): suppress the AVC record when the domain
dnl is denied udp_socket send_msg on soundd_port_t. Grants nothing; the denial is hidden
dnl from the audit log until dontaudit rules are disabled (semodule -DB).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_soundd_port'($*)) dnl
gen_require(`
type soundd_port_t;
')
dontaudit $1 soundd_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_soundd_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the soundd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_soundd_port',` dnl
dnl corenet_udp_receive_soundd_port(domain): allow udp_socket recv_msg against soundd_port_t.
dnl Receive direction only; sending and binding have their own interfaces.
dnl The policy_temp/policy_call_depth lines only feed the begin/end policy_m4_comment markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_soundd_port'($*)) dnl
gen_require(`
type soundd_port_t;
')
allow $1 soundd_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_soundd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the soundd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_soundd_port',` dnl
dnl corenet_dontaudit_udp_receive_soundd_port(domain): suppress the AVC record when the
dnl domain is denied udp_socket recv_msg on soundd_port_t. Grants nothing; only the
dnl audit record is dropped.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_soundd_port'($*)) dnl
gen_require(`
type soundd_port_t;
')
dontaudit $1 soundd_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_soundd_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the soundd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_soundd_port',` dnl
dnl corenet_udp_sendrecv_soundd_port(domain): wrapper that expands to the udp_send and
dnl udp_receive interfaces for soundd_port_t; each nested call keeps its own
dnl policy_call_depth bookkeeping.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_soundd_port'($*)) dnl
corenet_udp_send_soundd_port($1)
corenet_udp_receive_soundd_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_soundd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the soundd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_soundd_port',` dnl
dnl corenet_dontaudit_udp_sendrecv_soundd_port(domain): wrapper over the dontaudit udp_send
dnl and udp_receive interfaces for soundd_port_t. Grants nothing; silences the AVC
dnl denial records in both directions.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_soundd_port'($*)) dnl
corenet_dontaudit_udp_send_soundd_port($1)
corenet_dontaudit_udp_receive_soundd_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_soundd_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the soundd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_soundd_port',` dnl
dnl corenet_tcp_bind_soundd_port(domain): allow the domain to name_bind TCP sockets to
dnl soundd_port_t. Listener-side check at bind time only; no connect or send/recv granted.
dnl The policy_temp/policy_call_depth lines only feed the begin/end policy_m4_comment markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_soundd_port'($*)) dnl
gen_require(`
type soundd_port_t;
')
allow $1 soundd_port_t:tcp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_soundd_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the soundd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_soundd_port',` dnl
dnl corenet_udp_bind_soundd_port(domain): allow the domain to name_bind UDP sockets to
dnl soundd_port_t. Checked at bind time only; send_msg/recv_msg are separate interfaces.
dnl The policy_temp/policy_call_depth lines only feed the begin/end policy_m4_comment markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_soundd_port'($*)) dnl
gen_require(`
type soundd_port_t;
')
allow $1 soundd_port_t:udp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_soundd_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the soundd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_soundd_port',` dnl
dnl corenet_tcp_connect_soundd_port(domain): allow the domain to name_connect TCP sockets
dnl to soundd_port_t. Checked at connect time against the destination port label only.
dnl The policy_temp/policy_call_depth lines only feed the begin/end policy_m4_comment markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_soundd_port'($*)) dnl
gen_require(`
type soundd_port_t;
')
allow $1 soundd_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_soundd_port'($*)) dnl
')
########################################
##
## Send soundd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_soundd_client_packets',` dnl
dnl corenet_send_soundd_client_packets(domain): allow the domain to send packets labeled
dnl soundd_client_packet_t (packet class, send permission).
dnl NOTE(review): only exercised where SECMARK rules assign that label to outbound traffic.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_soundd_client_packets'($*)) dnl
gen_require(`
type soundd_client_packet_t;
')
allow $1 soundd_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_soundd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send soundd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_soundd_client_packets',` dnl
dnl corenet_dontaudit_send_soundd_client_packets(domain): suppress the AVC record when the
dnl domain is denied packet send on soundd_client_packet_t. Grants nothing; only the
dnl audit record is dropped.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_soundd_client_packets'($*)) dnl
gen_require(`
type soundd_client_packet_t;
')
dontaudit $1 soundd_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_soundd_client_packets'($*)) dnl
')
########################################
##
## Receive soundd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_soundd_client_packets',` dnl
dnl corenet_receive_soundd_client_packets(domain): allow the domain to receive packets
dnl labeled soundd_client_packet_t (packet class, recv permission).
dnl The policy_temp/policy_call_depth lines only feed the begin/end policy_m4_comment markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_soundd_client_packets'($*)) dnl
gen_require(`
type soundd_client_packet_t;
')
allow $1 soundd_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_soundd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive soundd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_soundd_client_packets',` dnl
dnl corenet_dontaudit_receive_soundd_client_packets(domain): suppress the AVC record when the
dnl domain is denied packet recv on soundd_client_packet_t. The argument is the domain to
dnl not audit; dontaudit grants nothing.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_soundd_client_packets'($*)) dnl
gen_require(`
type soundd_client_packet_t;
')
dontaudit $1 soundd_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_soundd_client_packets'($*)) dnl
')
########################################
##
## Send and receive soundd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_soundd_client_packets',` dnl
dnl corenet_sendrecv_soundd_client_packets(domain): wrapper that expands to the send and
dnl receive interfaces for soundd_client_packet_t; each nested call keeps its own
dnl policy_call_depth bookkeeping.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_soundd_client_packets'($*)) dnl
corenet_send_soundd_client_packets($1)
corenet_receive_soundd_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_soundd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive soundd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_soundd_client_packets',` dnl
dnl corenet_dontaudit_sendrecv_soundd_client_packets(domain): wrapper over the dontaudit
dnl send and receive interfaces for soundd_client_packet_t. Grants nothing; silences the
dnl AVC denial records in both directions.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_soundd_client_packets'($*)) dnl
corenet_dontaudit_send_soundd_client_packets($1)
corenet_dontaudit_receive_soundd_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_soundd_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the soundd_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_soundd_client_packets',` dnl
dnl corenet_relabelto_soundd_client_packets(domain): allow the domain packet relabelto for
dnl soundd_client_packet_t, i.e. to assign that label to packets.
dnl NOTE(review): appears to be the check applied when a netfilter SECMARK rule targets
dnl soundd_client_packet_t; confirm against the kernel hook.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_soundd_client_packets'($*)) dnl
gen_require(`
type soundd_client_packet_t;
')
allow $1 soundd_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_soundd_client_packets'($*)) dnl
')
########################################
##
## Send soundd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_soundd_server_packets',` dnl
dnl corenet_send_soundd_server_packets(domain): allow the domain to send packets labeled
dnl soundd_server_packet_t (packet class, send permission).
dnl NOTE(review): only exercised where SECMARK rules assign that label to outbound traffic.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_soundd_server_packets'($*)) dnl
gen_require(`
type soundd_server_packet_t;
')
allow $1 soundd_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_soundd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send soundd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_soundd_server_packets',` dnl
dnl corenet_dontaudit_send_soundd_server_packets(domain): suppress the AVC record when the
dnl domain is denied packet send on soundd_server_packet_t. Grants nothing; only the
dnl audit record is dropped.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_soundd_server_packets'($*)) dnl
gen_require(`
type soundd_server_packet_t;
')
dontaudit $1 soundd_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_soundd_server_packets'($*)) dnl
')
########################################
##
## Receive soundd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_soundd_server_packets',` dnl
dnl corenet_receive_soundd_server_packets(domain): allow the domain to receive packets
dnl labeled soundd_server_packet_t (packet class, recv permission).
dnl The policy_temp/policy_call_depth lines only feed the begin/end policy_m4_comment markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_soundd_server_packets'($*)) dnl
gen_require(`
type soundd_server_packet_t;
')
allow $1 soundd_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_soundd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive soundd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_soundd_server_packets',` dnl
dnl corenet_dontaudit_receive_soundd_server_packets(domain): suppress the AVC record when the
dnl domain is denied packet recv on soundd_server_packet_t. The argument is the domain to
dnl not audit; dontaudit grants nothing.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_soundd_server_packets'($*)) dnl
gen_require(`
type soundd_server_packet_t;
')
dontaudit $1 soundd_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_soundd_server_packets'($*)) dnl
')
########################################
##
## Send and receive soundd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_soundd_server_packets',` dnl
dnl corenet_sendrecv_soundd_server_packets(domain): wrapper that expands to the send and
dnl receive interfaces for soundd_server_packet_t; each nested call keeps its own
dnl policy_call_depth bookkeeping.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_soundd_server_packets'($*)) dnl
corenet_send_soundd_server_packets($1)
corenet_receive_soundd_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_soundd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive soundd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_soundd_server_packets',` dnl
dnl corenet_dontaudit_sendrecv_soundd_server_packets(domain): wrapper over the dontaudit
dnl send and receive interfaces for soundd_server_packet_t. Grants nothing; silences the
dnl AVC denial records in both directions.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_soundd_server_packets'($*)) dnl
corenet_dontaudit_send_soundd_server_packets($1)
corenet_dontaudit_receive_soundd_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_soundd_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the soundd_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_soundd_server_packets',` dnl
dnl corenet_relabelto_soundd_server_packets(domain): allow the domain packet relabelto for
dnl soundd_server_packet_t, i.e. to assign that label to packets.
dnl NOTE(review): appears to be the check applied when a netfilter SECMARK rule targets
dnl soundd_server_packet_t; confirm against the kernel hook.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_soundd_server_packets'($*)) dnl
gen_require(`
type soundd_server_packet_t;
')
allow $1 soundd_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_soundd_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the swat port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_swat_port',` dnl
dnl corenet_tcp_sendrecv_swat_port(domain): allow tcp_socket { send_msg recv_msg } against
dnl swat_port_t. This does not grant name_bind or name_connect.
dnl NOTE(review): per-port send_msg/recv_msg belong to the legacy network access model and
dnl are not enforced once the network_peer_controls policy capability is on - confirm
dnl whether this policy still relies on them.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_swat_port'($*)) dnl
gen_require(`
type swat_port_t;
')
allow $1 swat_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_swat_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the swat port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_swat_port',` dnl
dnl corenet_udp_send_swat_port(domain): allow udp_socket send_msg against swat_port_t.
dnl Send direction only; receiving and binding have their own interfaces.
dnl NOTE(review): per-port send_msg is a legacy network check; confirm it is still enforced
dnl under the policy capabilities this policy enables.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_swat_port'($*)) dnl
gen_require(`
type swat_port_t;
')
allow $1 swat_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_swat_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the swat port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_swat_port',` dnl
dnl corenet_dontaudit_udp_send_swat_port(domain): suppress the AVC record when the domain
dnl is denied udp_socket send_msg on swat_port_t. Grants nothing; only the audit record
dnl is dropped.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_swat_port'($*)) dnl
gen_require(`
type swat_port_t;
')
dontaudit $1 swat_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_swat_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the swat port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_swat_port',` dnl
dnl corenet_udp_receive_swat_port(domain): allow udp_socket recv_msg against swat_port_t.
dnl Receive direction only; sending and binding have their own interfaces.
dnl The policy_temp/policy_call_depth lines only feed the begin/end policy_m4_comment markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_swat_port'($*)) dnl
gen_require(`
type swat_port_t;
')
allow $1 swat_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_swat_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the swat port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_swat_port',` dnl
dnl corenet_dontaudit_udp_receive_swat_port(domain): suppress the AVC record when the
dnl domain is denied udp_socket recv_msg on swat_port_t. Grants nothing; the denial is
dnl hidden from the audit log until dontaudit rules are disabled (semodule -DB).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_swat_port'($*)) dnl
gen_require(`
type swat_port_t;
')
dontaudit $1 swat_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_swat_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the swat port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_swat_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_swat_port'($*)) dnl
# Wrapper that expands to the send and receive interfaces; each carries its own
# gen_require, so none is needed here.
corenet_udp_send_swat_port($1)
corenet_udp_receive_swat_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_swat_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the swat port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_swat_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_swat_port'($*)) dnl
# Wrapper over the two single-direction dontaudit interfaces; it only suppresses
# audit records and grants nothing.
corenet_dontaudit_udp_send_swat_port($1)
corenet_dontaudit_udp_receive_swat_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_swat_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the swat port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_swat_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_swat_port'($*)) dnl
gen_require(`
type swat_port_t;
')
# Two separate grants: name_bind on swat_port_t, and the net_bind_service capability on
# the domain itself. The capability is not scoped to this port, so it widens what the
# caller can bind elsewhere; presumably it is granted here because the port number is
# privileged (below 1024) - confirm against the port declaration.
allow $1 swat_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_swat_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the swat port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_swat_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_swat_port'($*)) dnl
gen_require(`
type swat_port_t;
')
# Two separate grants: name_bind on swat_port_t, and the net_bind_service capability on
# the domain itself. The capability is not scoped to this port, so it widens what the
# caller can bind elsewhere; presumably it is granted here because the port number is
# privileged (below 1024) - confirm against the port declaration.
allow $1 swat_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_swat_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the swat port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_swat_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_swat_port'($*)) dnl
gen_require(`
type swat_port_t;
')
# Grants name_connect to swat_port_t only; send_msg and recv_msg on the connection
# are not part of this grant.
allow $1 swat_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_swat_port'($*)) dnl
')
########################################
##
## Send swat_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_swat_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_swat_client_packets'($*)) dnl
gen_require(`
type swat_client_packet_t;
')
# Grants packet send on swat_client_packet_t. The packet class is only enforced on packets
# that have been labelled (e.g. by SECMARK rules) - confirm such labelling exists before
# relying on this.
allow $1 swat_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_swat_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send swat_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_swat_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_swat_client_packets'($*)) dnl
gen_require(`
type swat_client_packet_t;
')
# Silences audit records for denied packet send on swat_client_packet_t; it grants nothing.
dontaudit $1 swat_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_swat_client_packets'($*)) dnl
')
########################################
##
## Receive swat_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_swat_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_swat_client_packets'($*)) dnl
gen_require(`
type swat_client_packet_t;
')
# Grants packet recv on swat_client_packet_t. The packet class is only enforced on packets
# that have been labelled (e.g. by SECMARK rules) - confirm such labelling exists before
# relying on this.
allow $1 swat_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_swat_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive swat_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_swat_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_swat_client_packets'($*)) dnl
gen_require(`
type swat_client_packet_t;
')
# Silences audit records for denied packet recv on swat_client_packet_t; it grants nothing.
dontaudit $1 swat_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_swat_client_packets'($*)) dnl
')
########################################
##
## Send and receive swat_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_swat_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_swat_client_packets'($*)) dnl
# Wrapper that expands to the send and receive interfaces; each carries its own
# gen_require, so none is needed here.
corenet_send_swat_client_packets($1)
corenet_receive_swat_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_swat_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive swat_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_swat_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_swat_client_packets'($*)) dnl
# Wrapper over the two single-direction dontaudit interfaces; it only suppresses
# audit records and grants nothing.
corenet_dontaudit_send_swat_client_packets($1)
corenet_dontaudit_receive_swat_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_swat_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the swat_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_swat_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_swat_client_packets'($*)) dnl
gen_require(`
type swat_client_packet_t;
')
# Allows relabelling packets to swat_client_packet_t; relabelfrom on the original packet
# type is not granted here, so the caller typically needs that separately.
allow $1 swat_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_swat_client_packets'($*)) dnl
')
########################################
##
## Send swat_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_swat_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_swat_server_packets'($*)) dnl
gen_require(`
type swat_server_packet_t;
')
# Grants packet send on swat_server_packet_t. The packet class is only enforced on packets
# that have been labelled (e.g. by SECMARK rules) - confirm such labelling exists before
# relying on this.
allow $1 swat_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_swat_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send swat_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_swat_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_swat_server_packets'($*)) dnl
gen_require(`
type swat_server_packet_t;
')
# Silences audit records for denied packet send on swat_server_packet_t; it grants nothing.
dontaudit $1 swat_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_swat_server_packets'($*)) dnl
')
########################################
##
## Receive swat_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_swat_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_swat_server_packets'($*)) dnl
gen_require(`
type swat_server_packet_t;
')
# Grants packet recv on swat_server_packet_t. The packet class is only enforced on packets
# that have been labelled (e.g. by SECMARK rules) - confirm such labelling exists before
# relying on this.
allow $1 swat_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_swat_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive swat_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_swat_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_swat_server_packets'($*)) dnl
gen_require(`
type swat_server_packet_t;
')
# Silences audit records for denied packet recv on swat_server_packet_t; it grants nothing.
dontaudit $1 swat_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_swat_server_packets'($*)) dnl
')
########################################
##
## Send and receive swat_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_swat_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_swat_server_packets'($*)) dnl
# Wrapper that expands to the send and receive interfaces; each carries its own
# gen_require, so none is needed here.
corenet_send_swat_server_packets($1)
corenet_receive_swat_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_swat_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive swat_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_swat_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_swat_server_packets'($*)) dnl
# Wrapper over the two single-direction dontaudit interfaces; it only suppresses
# audit records and grants nothing.
corenet_dontaudit_send_swat_server_packets($1)
corenet_dontaudit_receive_swat_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_swat_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the swat_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_swat_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_swat_server_packets'($*)) dnl
gen_require(`
type swat_server_packet_t;
')
# Allows relabelling packets to swat_server_packet_t; relabelfrom on the original packet
# type is not granted here, so the caller typically needs that separately.
allow $1 swat_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_swat_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the syslogd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_syslogd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_syslogd_port'($*)) dnl
gen_require(`
type syslogd_port_t;
')
# Grants send_msg and recv_msg on tcp_socket for syslogd_port_t in one rule; binding to
# and connecting to the port remain separate grants.
allow $1 syslogd_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_syslogd_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the syslogd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_syslogd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_syslogd_port'($*)) dnl
gen_require(`
type syslogd_port_t;
')
# Grants udp_socket send_msg on syslogd_port_t only; binding to the port is a separate grant.
allow $1 syslogd_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_syslogd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the syslogd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_syslogd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_syslogd_port'($*)) dnl
gen_require(`
type syslogd_port_t;
')
# Silences audit records for denied udp_socket send_msg on syslogd_port_t; it grants nothing,
# so a domain that really must send still needs the corresponding allow interface.
dontaudit $1 syslogd_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_syslogd_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the syslogd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_syslogd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_syslogd_port'($*)) dnl
gen_require(`
type syslogd_port_t;
')
# Grants udp_socket recv_msg on syslogd_port_t only; binding to the port is a separate grant.
allow $1 syslogd_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_syslogd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the syslogd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_syslogd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_syslogd_port'($*)) dnl
gen_require(`
type syslogd_port_t;
')
# Silences audit records for denied udp_socket recv_msg on syslogd_port_t; it grants nothing,
# so a domain that really must receive still needs the corresponding allow interface.
dontaudit $1 syslogd_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_syslogd_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the syslogd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_syslogd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_syslogd_port'($*)) dnl
# Wrapper that expands to the send and receive interfaces; each carries its own
# gen_require, so none is needed here.
corenet_udp_send_syslogd_port($1)
corenet_udp_receive_syslogd_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_syslogd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the syslogd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_syslogd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_syslogd_port'($*)) dnl
# Wrapper over the two single-direction dontaudit interfaces; it only suppresses
# audit records and grants nothing.
corenet_dontaudit_udp_send_syslogd_port($1)
corenet_dontaudit_udp_receive_syslogd_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_syslogd_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the syslogd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_syslogd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_syslogd_port'($*)) dnl
gen_require(`
type syslogd_port_t;
')
# Two separate grants: name_bind on syslogd_port_t, and the net_bind_service capability on
# the domain itself. The capability is not scoped to this port, so it widens what the
# caller can bind elsewhere; presumably it is granted here because the port number is
# privileged (below 1024) - confirm against the port declaration.
allow $1 syslogd_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_syslogd_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the syslogd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_syslogd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_syslogd_port'($*)) dnl
gen_require(`
type syslogd_port_t;
')
# Two separate grants: name_bind on syslogd_port_t, and the net_bind_service capability on
# the domain itself. The capability is not scoped to this port, so it widens what the
# caller can bind elsewhere; presumably it is granted here because the port number is
# privileged (below 1024) - confirm against the port declaration.
allow $1 syslogd_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_syslogd_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the syslogd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_syslogd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_syslogd_port'($*)) dnl
gen_require(`
type syslogd_port_t;
')
# Grants name_connect to syslogd_port_t only; send_msg and recv_msg on the connection
# are not part of this grant.
allow $1 syslogd_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_syslogd_port'($*)) dnl
')
########################################
##
## Send syslogd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_syslogd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_syslogd_client_packets'($*)) dnl
gen_require(`
type syslogd_client_packet_t;
')
# Grants packet send on syslogd_client_packet_t. The packet class is only enforced on
# packets that have been labelled (e.g. by SECMARK rules) - confirm such labelling exists
# before relying on this.
allow $1 syslogd_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_syslogd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send syslogd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_syslogd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_syslogd_client_packets'($*)) dnl
gen_require(`
type syslogd_client_packet_t;
')
# Silences audit records for denied packet send on syslogd_client_packet_t; it grants nothing.
dontaudit $1 syslogd_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_syslogd_client_packets'($*)) dnl
')
########################################
##
## Receive syslogd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_syslogd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_syslogd_client_packets'($*)) dnl
gen_require(`
type syslogd_client_packet_t;
')
# Grants packet recv on syslogd_client_packet_t. The packet class is only enforced on
# packets that have been labelled (e.g. by SECMARK rules) - confirm such labelling exists
# before relying on this.
allow $1 syslogd_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_syslogd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive syslogd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_syslogd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_syslogd_client_packets'($*)) dnl
gen_require(`
type syslogd_client_packet_t;
')
# Silences audit records for denied packet recv on syslogd_client_packet_t; it grants nothing.
dontaudit $1 syslogd_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_syslogd_client_packets'($*)) dnl
')
########################################
##
## Send and receive syslogd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_syslogd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_syslogd_client_packets'($*)) dnl
# Wrapper that expands to the send and receive interfaces; each carries its own
# gen_require, so none is needed here.
corenet_send_syslogd_client_packets($1)
corenet_receive_syslogd_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_syslogd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive syslogd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_syslogd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_syslogd_client_packets'($*)) dnl
# Wrapper over the two single-direction dontaudit interfaces; it only suppresses
# audit records and grants nothing.
corenet_dontaudit_send_syslogd_client_packets($1)
corenet_dontaudit_receive_syslogd_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_syslogd_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the syslogd_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_syslogd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_syslogd_client_packets'($*)) dnl
gen_require(`
type syslogd_client_packet_t;
')
# Allows relabelling packets to syslogd_client_packet_t; relabelfrom on the original packet
# type is not granted here, so the caller typically needs that separately.
allow $1 syslogd_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_syslogd_client_packets'($*)) dnl
')
########################################
##
## Send syslogd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_syslogd_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_syslogd_server_packets'($*)) dnl
gen_require(`
type syslogd_server_packet_t;
')
# Grants packet send on syslogd_server_packet_t. The packet class is only enforced on
# packets that have been labelled (e.g. by SECMARK rules) - confirm such labelling exists
# before relying on this.
allow $1 syslogd_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_syslogd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send syslogd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_syslogd_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_syslogd_server_packets'($*)) dnl
gen_require(`
type syslogd_server_packet_t;
')
# Silences audit records for denied packet send on syslogd_server_packet_t; it grants nothing.
dontaudit $1 syslogd_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_syslogd_server_packets'($*)) dnl
')
########################################
##
## Receive syslogd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_syslogd_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_syslogd_server_packets'($*)) dnl
gen_require(`
type syslogd_server_packet_t;
')
# Grants packet recv on syslogd_server_packet_t. The packet class is only enforced on
# packets that have been labelled (e.g. by SECMARK rules) - confirm such labelling exists
# before relying on this.
allow $1 syslogd_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_syslogd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive syslogd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_syslogd_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_syslogd_server_packets'($*)) dnl
gen_require(`
type syslogd_server_packet_t;
')
# Silences audit records for denied packet recv on syslogd_server_packet_t; it grants nothing.
dontaudit $1 syslogd_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_syslogd_server_packets'($*)) dnl
')
########################################
##
## Send and receive syslogd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_syslogd_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_syslogd_server_packets'($*)) dnl
# Wrapper that expands to the send and receive interfaces; each carries its own
# gen_require, so none is needed here.
corenet_send_syslogd_server_packets($1)
corenet_receive_syslogd_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_syslogd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive syslogd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_syslogd_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_syslogd_server_packets'($*)) dnl
# Wrapper over the two single-direction dontaudit interfaces; it only suppresses
# audit records and grants nothing.
corenet_dontaudit_send_syslogd_server_packets($1)
corenet_dontaudit_receive_syslogd_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_syslogd_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the syslogd_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_syslogd_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_syslogd_server_packets'($*)) dnl
gen_require(`
type syslogd_server_packet_t;
')
# Allows relabelling packets to syslogd_server_packet_t; relabelfrom on the original packet
# type is not granted here, so the caller typically needs that separately.
allow $1 syslogd_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_syslogd_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the telnetd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_telnetd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_telnetd_port'($*)) dnl
gen_require(`
type telnetd_port_t;
')
# Grants send_msg and recv_msg on tcp_socket for telnetd_port_t in one rule; binding to
# and connecting to the port remain separate grants.
allow $1 telnetd_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_telnetd_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the telnetd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_telnetd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_telnetd_port'($*)) dnl
gen_require(`
type telnetd_port_t;
')
# Grants udp_socket send_msg on telnetd_port_t only; binding to the port is a separate grant.
allow $1 telnetd_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_telnetd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the telnetd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_telnetd_port',` dnl
dnl Purpose: suppress AVC denial records when the domain in argument 1 attempts send_msg on UDP sockets labelled telnetd_port_t.
dnl This grants no access; it only removes audit visibility of those denials, so use it for known benign noise.
dnl Depth push/pop around the body lets policy_m4_comment bracket this expansion, even when nested.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_telnetd_port'($*)) dnl
gen_require(`
type telnetd_port_t;
')
dontaudit $1 telnetd_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_telnetd_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the telnetd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_telnetd_port',` dnl
dnl Purpose: allow the domain in argument 1 to receive (recv_msg) on UDP sockets labelled telnetd_port_t.
dnl Sending is granted by the matching udp_send interface, not here.
dnl Depth push/pop around the body lets policy_m4_comment bracket this expansion, even when nested.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_telnetd_port'($*)) dnl
gen_require(`
type telnetd_port_t;
')
allow $1 telnetd_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_telnetd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the telnetd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_telnetd_port',` dnl
dnl Purpose: suppress AVC denial records when the domain in argument 1 attempts recv_msg on UDP sockets labelled telnetd_port_t.
dnl This grants no access; it only removes audit visibility of those denials, so use it for known benign noise.
dnl Depth push/pop around the body lets policy_m4_comment bracket this expansion, even when nested.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_telnetd_port'($*)) dnl
gen_require(`
type telnetd_port_t;
')
dontaudit $1 telnetd_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_telnetd_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the telnetd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_telnetd_port',` dnl
dnl Purpose: composite of corenet_udp_send_telnetd_port and corenet_udp_receive_telnetd_port for the domain in argument 1.
dnl No rules are written directly here; each nested call supplies its own gen_require and depth bookkeeping.
dnl Depth push/pop around the body lets policy_m4_comment bracket this expansion, even when nested.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_telnetd_port'($*)) dnl
corenet_udp_send_telnetd_port($1)
corenet_udp_receive_telnetd_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_telnetd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the telnetd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_telnetd_port',` dnl
dnl Purpose: composite of the dontaudit udp send and receive interfaces for telnetd_port_t, applied to the domain in argument 1.
dnl Grants nothing; it only silences the corresponding denial records via the nested calls.
dnl Depth push/pop around the body lets policy_m4_comment bracket this expansion, even when nested.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_telnetd_port'($*)) dnl
corenet_dontaudit_udp_send_telnetd_port($1)
corenet_dontaudit_udp_receive_telnetd_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_telnetd_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the telnetd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_telnetd_port',` dnl
dnl Purpose: allow the domain in argument 1 to name_bind TCP sockets to telnetd_port_t.
dnl NOTE(review): the second rule grants the net_bind_service capability on self, which is domain-wide
dnl and not limited to this port; confirm the caller really needs a privileged-port bind before using this.
dnl Depth push/pop around the body lets policy_m4_comment bracket this expansion, even when nested.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_telnetd_port'($*)) dnl
gen_require(`
type telnetd_port_t;
')
allow $1 telnetd_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_telnetd_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the telnetd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_telnetd_port',` dnl
dnl Purpose: allow the domain in argument 1 to name_bind UDP sockets to telnetd_port_t.
dnl NOTE(review): the second rule grants the net_bind_service capability on self, which is domain-wide
dnl and not limited to this port; confirm the caller really needs a privileged-port bind before using this.
dnl Depth push/pop around the body lets policy_m4_comment bracket this expansion, even when nested.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_telnetd_port'($*)) dnl
gen_require(`
type telnetd_port_t;
')
allow $1 telnetd_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_telnetd_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the telnetd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_telnetd_port',` dnl
dnl Purpose: allow the domain in argument 1 to name_connect TCP sockets to telnetd_port_t (outbound client side).
dnl Only name_connect is granted; send_msg/recv_msg on the port type come from the tcp_sendrecv interface.
dnl Depth push/pop around the body lets policy_m4_comment bracket this expansion, even when nested.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_telnetd_port'($*)) dnl
gen_require(`
type telnetd_port_t;
')
allow $1 telnetd_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_telnetd_port'($*)) dnl
')
########################################
##
## Send telnetd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_telnetd_client_packets',` dnl
dnl Purpose: allow the domain in argument 1 packet:send for packets labelled telnetd_client_packet_t.
dnl This is a packet-class permission (labelled-packet checks), not a socket or port permission.
dnl Depth push/pop around the body lets policy_m4_comment bracket this expansion, even when nested.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_telnetd_client_packets'($*)) dnl
gen_require(`
type telnetd_client_packet_t;
')
allow $1 telnetd_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_telnetd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send telnetd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_telnetd_client_packets',` dnl
dnl Purpose: suppress AVC denial records for packet:send attempts by the domain in argument 1 on telnetd_client_packet_t.
dnl Grants no access; it only hides those denials from the audit log.
dnl Depth push/pop around the body lets policy_m4_comment bracket this expansion, even when nested.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_telnetd_client_packets'($*)) dnl
gen_require(`
type telnetd_client_packet_t;
')
dontaudit $1 telnetd_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_telnetd_client_packets'($*)) dnl
')
########################################
##
## Receive telnetd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_telnetd_client_packets',` dnl
dnl Purpose: allow the domain in argument 1 packet:recv for packets labelled telnetd_client_packet_t.
dnl This is a packet-class permission (labelled-packet checks), not a socket or port permission.
dnl Depth push/pop around the body lets policy_m4_comment bracket this expansion, even when nested.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_telnetd_client_packets'($*)) dnl
gen_require(`
type telnetd_client_packet_t;
')
allow $1 telnetd_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_telnetd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive telnetd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_telnetd_client_packets',` dnl
dnl Purpose: suppress AVC denial records for packet:recv attempts by the domain in argument 1 on telnetd_client_packet_t.
dnl Argument 1 is the domain to not audit; no access is granted here.
dnl Depth push/pop around the body lets policy_m4_comment bracket this expansion, even when nested.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_telnetd_client_packets'($*)) dnl
gen_require(`
type telnetd_client_packet_t;
')
dontaudit $1 telnetd_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_telnetd_client_packets'($*)) dnl
')
########################################
##
## Send and receive telnetd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_telnetd_client_packets',` dnl
dnl Purpose: composite of corenet_send_telnetd_client_packets and corenet_receive_telnetd_client_packets for the domain in argument 1.
dnl No rules are written directly here; each nested call supplies its own gen_require and depth bookkeeping.
dnl Depth push/pop around the body lets policy_m4_comment bracket this expansion, even when nested.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_telnetd_client_packets'($*)) dnl
corenet_send_telnetd_client_packets($1)
corenet_receive_telnetd_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_telnetd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive telnetd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_telnetd_client_packets',` dnl
dnl Purpose: composite of the dontaudit send and receive interfaces for telnetd_client_packet_t, applied to the domain in argument 1.
dnl Grants nothing; it only silences the corresponding denial records via the nested calls.
dnl Depth push/pop around the body lets policy_m4_comment bracket this expansion, even when nested.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_telnetd_client_packets'($*)) dnl
corenet_dontaudit_send_telnetd_client_packets($1)
corenet_dontaudit_receive_telnetd_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_telnetd_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the telnetd_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_telnetd_client_packets',` dnl
dnl Purpose: allow the domain in argument 1 to relabel packets to telnetd_client_packet_t.
dnl Only packet:relabelto is granted; no send or recv on that packet type is included.
dnl Depth push/pop around the body lets policy_m4_comment bracket this expansion, even when nested.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_telnetd_client_packets'($*)) dnl
gen_require(`
type telnetd_client_packet_t;
')
allow $1 telnetd_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_telnetd_client_packets'($*)) dnl
')
########################################
##
## Send telnetd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_telnetd_server_packets',` dnl
dnl Purpose: allow the domain in argument 1 packet:send for packets labelled telnetd_server_packet_t.
dnl This is a packet-class permission (labelled-packet checks), not a socket or port permission.
dnl Depth push/pop around the body lets policy_m4_comment bracket this expansion, even when nested.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_telnetd_server_packets'($*)) dnl
gen_require(`
type telnetd_server_packet_t;
')
allow $1 telnetd_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_telnetd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send telnetd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_telnetd_server_packets',` dnl
dnl Purpose: suppress AVC denial records for packet:send attempts by the domain in argument 1 on telnetd_server_packet_t.
dnl Grants no access; it only hides those denials from the audit log.
dnl Depth push/pop around the body lets policy_m4_comment bracket this expansion, even when nested.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_telnetd_server_packets'($*)) dnl
gen_require(`
type telnetd_server_packet_t;
')
dontaudit $1 telnetd_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_telnetd_server_packets'($*)) dnl
')
########################################
##
## Receive telnetd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_telnetd_server_packets',` dnl
dnl Purpose: allow the domain in argument 1 packet:recv for packets labelled telnetd_server_packet_t.
dnl This is a packet-class permission (labelled-packet checks), not a socket or port permission.
dnl Depth push/pop around the body lets policy_m4_comment bracket this expansion, even when nested.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_telnetd_server_packets'($*)) dnl
gen_require(`
type telnetd_server_packet_t;
')
allow $1 telnetd_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_telnetd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive telnetd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_telnetd_server_packets',` dnl
dnl Purpose: suppress AVC denial records for packet:recv attempts by the domain in argument 1 on telnetd_server_packet_t.
dnl Argument 1 is the domain to not audit; no access is granted here.
dnl Depth push/pop around the body lets policy_m4_comment bracket this expansion, even when nested.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_telnetd_server_packets'($*)) dnl
gen_require(`
type telnetd_server_packet_t;
')
dontaudit $1 telnetd_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_telnetd_server_packets'($*)) dnl
')
########################################
##
## Send and receive telnetd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_telnetd_server_packets',` dnl
dnl Purpose: composite of corenet_send_telnetd_server_packets and corenet_receive_telnetd_server_packets for the domain in argument 1.
dnl No rules are written directly here; each nested call supplies its own gen_require and depth bookkeeping.
dnl Depth push/pop around the body lets policy_m4_comment bracket this expansion, even when nested.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_telnetd_server_packets'($*)) dnl
corenet_send_telnetd_server_packets($1)
corenet_receive_telnetd_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_telnetd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive telnetd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_telnetd_server_packets',` dnl
dnl Purpose: composite of the dontaudit send and receive interfaces for telnetd_server_packet_t, applied to the domain in argument 1.
dnl Grants nothing; it only silences the corresponding denial records via the nested calls.
dnl Depth push/pop around the body lets policy_m4_comment bracket this expansion, even when nested.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_telnetd_server_packets'($*)) dnl
corenet_dontaudit_send_telnetd_server_packets($1)
corenet_dontaudit_receive_telnetd_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_telnetd_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the telnetd_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_telnetd_server_packets',` dnl
dnl Purpose: allow the domain in argument 1 to relabel packets to telnetd_server_packet_t.
dnl Only packet:relabelto is granted; no send or recv on that packet type is included.
dnl Depth push/pop around the body lets policy_m4_comment bracket this expansion, even when nested.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_telnetd_server_packets'($*)) dnl
gen_require(`
type telnetd_server_packet_t;
')
allow $1 telnetd_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_telnetd_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the tftp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_tftp_port',` dnl
dnl Purpose: allow the domain in argument 1 send_msg and recv_msg on TCP sockets labelled tftp_port_t.
dnl Nothing here grants name_bind or name_connect; those are separate interfaces.
dnl Depth push/pop around the body lets policy_m4_comment bracket this expansion, even when nested.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_tftp_port'($*)) dnl
gen_require(`
type tftp_port_t;
')
allow $1 tftp_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_tftp_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the tftp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_tftp_port',` dnl
dnl Purpose: allow the domain in argument 1 to send (send_msg) on UDP sockets labelled tftp_port_t.
dnl Receiving is granted by the matching udp_receive interface, not here.
dnl Depth push/pop around the body lets policy_m4_comment bracket this expansion, even when nested.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_tftp_port'($*)) dnl
gen_require(`
type tftp_port_t;
')
allow $1 tftp_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_tftp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the tftp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_tftp_port',` dnl
dnl Purpose: suppress AVC denial records when the domain in argument 1 attempts send_msg on UDP sockets labelled tftp_port_t.
dnl This grants no access; it only removes audit visibility of those denials, so use it for known benign noise.
dnl Depth push/pop around the body lets policy_m4_comment bracket this expansion, even when nested.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_tftp_port'($*)) dnl
gen_require(`
type tftp_port_t;
')
dontaudit $1 tftp_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_tftp_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the tftp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_tftp_port',` dnl
dnl Purpose: allow the domain in argument 1 to receive (recv_msg) on UDP sockets labelled tftp_port_t.
dnl Sending is granted by the matching udp_send interface, not here.
dnl Depth push/pop around the body lets policy_m4_comment bracket this expansion, even when nested.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_tftp_port'($*)) dnl
gen_require(`
type tftp_port_t;
')
allow $1 tftp_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_tftp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the tftp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_tftp_port',` dnl
dnl Purpose: suppress AVC denial records when the domain in argument 1 attempts recv_msg on UDP sockets labelled tftp_port_t.
dnl This grants no access; it only removes audit visibility of those denials, so use it for known benign noise.
dnl Depth push/pop around the body lets policy_m4_comment bracket this expansion, even when nested.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_tftp_port'($*)) dnl
gen_require(`
type tftp_port_t;
')
dontaudit $1 tftp_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_tftp_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the tftp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_tftp_port',` dnl
dnl Purpose: composite of corenet_udp_send_tftp_port and corenet_udp_receive_tftp_port for the domain in argument 1.
dnl No rules are written directly here; each nested call supplies its own gen_require and depth bookkeeping.
dnl Depth push/pop around the body lets policy_m4_comment bracket this expansion, even when nested.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_tftp_port'($*)) dnl
corenet_udp_send_tftp_port($1)
corenet_udp_receive_tftp_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_tftp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the tftp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_tftp_port',` dnl
dnl Purpose: composite of the dontaudit udp send and receive interfaces for tftp_port_t, applied to the domain in argument 1.
dnl Grants nothing; it only silences the corresponding denial records via the nested calls.
dnl Depth push/pop around the body lets policy_m4_comment bracket this expansion, even when nested.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_tftp_port'($*)) dnl
corenet_dontaudit_udp_send_tftp_port($1)
corenet_dontaudit_udp_receive_tftp_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_tftp_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the tftp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_tftp_port',` dnl
dnl Purpose: allow the domain in argument 1 to name_bind TCP sockets to tftp_port_t.
dnl NOTE(review): the second rule grants the net_bind_service capability on self, which is domain-wide
dnl and not limited to this port; confirm the caller really needs a privileged-port bind before using this.
dnl Depth push/pop around the body lets policy_m4_comment bracket this expansion, even when nested.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_tftp_port'($*)) dnl
gen_require(`
type tftp_port_t;
')
allow $1 tftp_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_tftp_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the tftp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_tftp_port',` dnl
dnl Purpose: allow the domain in argument 1 to name_bind UDP sockets to tftp_port_t.
dnl NOTE(review): the second rule grants the net_bind_service capability on self, which is domain-wide
dnl and not limited to this port; confirm the caller really needs a privileged-port bind before using this.
dnl Depth push/pop around the body lets policy_m4_comment bracket this expansion, even when nested.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_tftp_port'($*)) dnl
gen_require(`
type tftp_port_t;
')
allow $1 tftp_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_tftp_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the tftp port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_tftp_port',` dnl
dnl Purpose: allow the domain in argument 1 to name_connect TCP sockets to tftp_port_t (outbound client side).
dnl Only name_connect is granted; send_msg/recv_msg on the port type come from the tcp_sendrecv interface.
dnl Depth push/pop around the body lets policy_m4_comment bracket this expansion, even when nested.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_tftp_port'($*)) dnl
gen_require(`
type tftp_port_t;
')
allow $1 tftp_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_tftp_port'($*)) dnl
')
########################################
##
## Send tftp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_tftp_client_packets',` dnl
dnl Purpose: allow the domain in argument 1 packet:send for packets labelled tftp_client_packet_t.
dnl This is a packet-class permission (labelled-packet checks), not a socket or port permission.
dnl Depth push/pop around the body lets policy_m4_comment bracket this expansion, even when nested.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_tftp_client_packets'($*)) dnl
gen_require(`
type tftp_client_packet_t;
')
allow $1 tftp_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_tftp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send tftp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_tftp_client_packets',` dnl
dnl Purpose: suppress AVC denial records for packet:send attempts by the domain in argument 1 on tftp_client_packet_t.
dnl Grants no access; it only hides those denials from the audit log.
dnl Depth push/pop around the body lets policy_m4_comment bracket this expansion, even when nested.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_tftp_client_packets'($*)) dnl
gen_require(`
type tftp_client_packet_t;
')
dontaudit $1 tftp_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_tftp_client_packets'($*)) dnl
')
########################################
##
## Receive tftp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_tftp_client_packets',` dnl
dnl Purpose: allow the domain in argument 1 packet:recv for packets labelled tftp_client_packet_t.
dnl This is a packet-class permission (labelled-packet checks), not a socket or port permission.
dnl Depth push/pop around the body lets policy_m4_comment bracket this expansion, even when nested.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_tftp_client_packets'($*)) dnl
gen_require(`
type tftp_client_packet_t;
')
allow $1 tftp_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_tftp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive tftp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_tftp_client_packets',` dnl
dnl Purpose: suppress AVC denial records for packet:recv attempts by the domain in argument 1 on tftp_client_packet_t.
dnl Argument 1 is the domain to not audit; no access is granted here.
dnl Depth push/pop around the body lets policy_m4_comment bracket this expansion, even when nested.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_tftp_client_packets'($*)) dnl
gen_require(`
type tftp_client_packet_t;
')
dontaudit $1 tftp_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_tftp_client_packets'($*)) dnl
')
########################################
##
## Send and receive tftp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_tftp_client_packets',` dnl
dnl Purpose: composite of corenet_send_tftp_client_packets and corenet_receive_tftp_client_packets for the domain in argument 1.
dnl No rules are written directly here; each nested call supplies its own gen_require and depth bookkeeping.
dnl Depth push/pop around the body lets policy_m4_comment bracket this expansion, even when nested.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_tftp_client_packets'($*)) dnl
corenet_send_tftp_client_packets($1)
corenet_receive_tftp_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_tftp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive tftp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_tftp_client_packets',` dnl
dnl Purpose: composite of the dontaudit send and receive interfaces for tftp_client_packet_t, applied to the domain in argument 1.
dnl Grants nothing; it only silences the corresponding denial records via the nested calls.
dnl Depth push/pop around the body lets policy_m4_comment bracket this expansion, even when nested.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_tftp_client_packets'($*)) dnl
corenet_dontaudit_send_tftp_client_packets($1)
corenet_dontaudit_receive_tftp_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_tftp_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the tftp_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_tftp_client_packets',` dnl
dnl Purpose: allow the domain in argument 1 to relabel packets to tftp_client_packet_t.
dnl Only packet:relabelto is granted; no send or recv on that packet type is included.
dnl Depth push/pop around the body lets policy_m4_comment bracket this expansion, even when nested.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_tftp_client_packets'($*)) dnl
gen_require(`
type tftp_client_packet_t;
')
allow $1 tftp_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_tftp_client_packets'($*)) dnl
')
########################################
##
## Send tftp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_tftp_server_packets',` dnl
dnl Purpose: allow the domain in argument 1 packet:send for packets labelled tftp_server_packet_t.
dnl This is a packet-class permission (labelled-packet checks), not a socket or port permission.
dnl Depth push/pop around the body lets policy_m4_comment bracket this expansion, even when nested.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_tftp_server_packets'($*)) dnl
gen_require(`
type tftp_server_packet_t;
')
allow $1 tftp_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_tftp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send tftp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_tftp_server_packets',` dnl
dnl Purpose: suppress AVC denial records for packet:send attempts by the domain in argument 1 on tftp_server_packet_t.
dnl Grants no access; it only hides those denials from the audit log.
dnl Depth push/pop around the body lets policy_m4_comment bracket this expansion, even when nested.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_tftp_server_packets'($*)) dnl
gen_require(`
type tftp_server_packet_t;
')
dontaudit $1 tftp_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_tftp_server_packets'($*)) dnl
')
########################################
##
## Receive tftp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_tftp_server_packets',` dnl
dnl Purpose: allow the domain in argument 1 packet:recv for packets labelled tftp_server_packet_t.
dnl This is a packet-class permission (labelled-packet checks), not a socket or port permission.
dnl Depth push/pop around the body lets policy_m4_comment bracket this expansion, even when nested.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_tftp_server_packets'($*)) dnl
gen_require(`
type tftp_server_packet_t;
')
allow $1 tftp_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_tftp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive tftp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_tftp_server_packets',` dnl
dnl Purpose: suppress AVC denial records for packet:recv attempts by the domain in argument 1 on tftp_server_packet_t.
dnl Argument 1 is the domain to not audit; no access is granted here.
dnl Depth push/pop around the body lets policy_m4_comment bracket this expansion, even when nested.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_tftp_server_packets'($*)) dnl
gen_require(`
type tftp_server_packet_t;
')
dontaudit $1 tftp_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_tftp_server_packets'($*)) dnl
')
########################################
##
## Send and receive tftp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_tftp_server_packets',` dnl
dnl Purpose: composite of corenet_send_tftp_server_packets and corenet_receive_tftp_server_packets for the domain in argument 1.
dnl No rules are written directly here; each nested call supplies its own gen_require and depth bookkeeping.
dnl Depth push/pop around the body lets policy_m4_comment bracket this expansion, even when nested.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_tftp_server_packets'($*)) dnl
corenet_send_tftp_server_packets($1)
corenet_receive_tftp_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_tftp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive tftp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_tftp_server_packets',` dnl
dnl Purpose: composite of the dontaudit send and receive interfaces for tftp_server_packet_t, applied to the domain in argument 1.
dnl Grants nothing; it only silences the corresponding denial records via the nested calls.
dnl Depth push/pop around the body lets policy_m4_comment bracket this expansion, even when nested.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_tftp_server_packets'($*)) dnl
corenet_dontaudit_send_tftp_server_packets($1)
corenet_dontaudit_receive_tftp_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_tftp_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the tftp_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_tftp_server_packets',` dnl
dnl Purpose: allow the domain in argument 1 to relabel packets to tftp_server_packet_t.
dnl Only packet:relabelto is granted; no send or recv on that packet type is included.
dnl Depth push/pop around the body lets policy_m4_comment bracket this expansion, even when nested.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_tftp_server_packets'($*)) dnl
gen_require(`
type tftp_server_packet_t;
')
allow $1 tftp_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_tftp_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the tomcat port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_tomcat_port',` dnl
dnl corenet_tcp_sendrecv_tomcat_port: arg 1 is the caller domain. Expands to an allow rule for send_msg and recv_msg on tcp_socket checked against the tomcat_port_t port label; gen_require declares the type for loadable modules.
dnl The define/pushdef/undefine triples step policy_call_depth up before the body and back down after it; policy_m4_comment uses that depth for its begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_tomcat_port'($*)) dnl
gen_require(`
type tomcat_port_t;
')
allow $1 tomcat_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_tomcat_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the tomcat port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_tomcat_port',` dnl
dnl corenet_udp_send_tomcat_port: arg 1 is the caller domain. Expands to an allow rule for send_msg on udp_socket checked against the tomcat_port_t port label; gen_require declares the type for loadable modules.
dnl The define/pushdef/undefine triples step policy_call_depth up before the body and back down after it; policy_m4_comment uses that depth for its begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_tomcat_port'($*)) dnl
gen_require(`
type tomcat_port_t;
')
allow $1 tomcat_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_tomcat_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the tomcat port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_tomcat_port',` dnl
dnl corenet_dontaudit_udp_send_tomcat_port: arg 1 is the domain whose denials are silenced. Expands to a dontaudit rule for send_msg on udp_socket against tomcat_port_t; this only suppresses AVC denial records and grants no access.
dnl The define/pushdef/undefine triples step policy_call_depth up before the body and back down after it; policy_m4_comment uses that depth for its begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_tomcat_port'($*)) dnl
gen_require(`
type tomcat_port_t;
')
dontaudit $1 tomcat_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_tomcat_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the tomcat port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_tomcat_port',` dnl
dnl corenet_udp_receive_tomcat_port: arg 1 is the caller domain. Expands to an allow rule for recv_msg on udp_socket checked against the tomcat_port_t port label; gen_require declares the type for loadable modules.
dnl The define/pushdef/undefine triples step policy_call_depth up before the body and back down after it; policy_m4_comment uses that depth for its begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_tomcat_port'($*)) dnl
gen_require(`
type tomcat_port_t;
')
allow $1 tomcat_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_tomcat_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the tomcat port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_tomcat_port',` dnl
dnl corenet_dontaudit_udp_receive_tomcat_port: arg 1 is the domain whose denials are silenced. Expands to a dontaudit rule for recv_msg on udp_socket against tomcat_port_t; this only suppresses AVC denial records and grants no access.
dnl The define/pushdef/undefine triples step policy_call_depth up before the body and back down after it; policy_m4_comment uses that depth for its begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_tomcat_port'($*)) dnl
gen_require(`
type tomcat_port_t;
')
dontaudit $1 tomcat_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_tomcat_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the tomcat port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_tomcat_port',` dnl
dnl corenet_udp_sendrecv_tomcat_port: arg 1 is the caller domain. Composes the UDP send and receive interfaces for tomcat_port_t so the combined grant is written once.
dnl The define/pushdef/undefine triples step policy_call_depth up before the body and back down after it; policy_m4_comment uses that depth for its begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_tomcat_port'($*)) dnl
corenet_udp_send_tomcat_port($1)
corenet_udp_receive_tomcat_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_tomcat_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the tomcat port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_tomcat_port',` dnl
dnl corenet_dontaudit_udp_sendrecv_tomcat_port: arg 1 is the domain whose denials are silenced. Composes the two UDP dontaudit interfaces for tomcat_port_t; this suppresses AVC denial records only and grants no access.
dnl The define/pushdef/undefine triples step policy_call_depth up before the body and back down after it; policy_m4_comment uses that depth for its begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_tomcat_port'($*)) dnl
corenet_dontaudit_udp_send_tomcat_port($1)
corenet_dontaudit_udp_receive_tomcat_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_tomcat_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the tomcat port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_tomcat_port',` dnl
dnl corenet_tcp_bind_tomcat_port: arg 1 is the caller domain. Expands to an allow rule for name_bind on tcp_socket, letting the domain bind TCP sockets to ports labeled tomcat_port_t; gen_require declares the type for loadable modules.
dnl The define/pushdef/undefine triples step policy_call_depth up before the body and back down after it; policy_m4_comment uses that depth for its begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_tomcat_port'($*)) dnl
gen_require(`
type tomcat_port_t;
')
allow $1 tomcat_port_t:tcp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_tomcat_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the tomcat port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_tomcat_port',` dnl
dnl corenet_udp_bind_tomcat_port: arg 1 is the caller domain. Expands to an allow rule for name_bind on udp_socket, letting the domain bind UDP sockets to ports labeled tomcat_port_t; gen_require declares the type for loadable modules.
dnl The define/pushdef/undefine triples step policy_call_depth up before the body and back down after it; policy_m4_comment uses that depth for its begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_tomcat_port'($*)) dnl
gen_require(`
type tomcat_port_t;
')
allow $1 tomcat_port_t:udp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_tomcat_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the tomcat port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_tomcat_port',` dnl
dnl corenet_tcp_connect_tomcat_port: arg 1 is the caller domain. Expands to an allow rule for name_connect on tcp_socket, letting the domain initiate TCP connections to ports labeled tomcat_port_t; gen_require declares the type for loadable modules.
dnl The define/pushdef/undefine triples step policy_call_depth up before the body and back down after it; policy_m4_comment uses that depth for its begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_tomcat_port'($*)) dnl
gen_require(`
type tomcat_port_t;
')
allow $1 tomcat_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_tomcat_port'($*)) dnl
')
########################################
##
## Send tomcat_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_tomcat_client_packets',` dnl
dnl corenet_send_tomcat_client_packets: arg 1 is the caller domain. Expands to an allow rule for send on packet objects labeled tomcat_client_packet_t; packet-class rules only take effect for traffic labeled via SECMARK. gen_require declares the type for loadable modules.
dnl The define/pushdef/undefine triples step policy_call_depth up before the body and back down after it; policy_m4_comment uses that depth for its begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_tomcat_client_packets'($*)) dnl
gen_require(`
type tomcat_client_packet_t;
')
allow $1 tomcat_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_tomcat_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send tomcat_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_tomcat_client_packets',` dnl
dnl corenet_dontaudit_send_tomcat_client_packets: arg 1 is the domain whose denials are silenced. Expands to a dontaudit rule for send on packet objects labeled tomcat_client_packet_t; this only suppresses AVC denial records and grants no access.
dnl The define/pushdef/undefine triples step policy_call_depth up before the body and back down after it; policy_m4_comment uses that depth for its begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_tomcat_client_packets'($*)) dnl
gen_require(`
type tomcat_client_packet_t;
')
dontaudit $1 tomcat_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_tomcat_client_packets'($*)) dnl
')
########################################
##
## Receive tomcat_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_tomcat_client_packets',` dnl
dnl corenet_receive_tomcat_client_packets: arg 1 is the caller domain. Expands to an allow rule for recv on packet objects labeled tomcat_client_packet_t; packet-class rules only take effect for traffic labeled via SECMARK. gen_require declares the type for loadable modules.
dnl The define/pushdef/undefine triples step policy_call_depth up before the body and back down after it; policy_m4_comment uses that depth for its begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_tomcat_client_packets'($*)) dnl
gen_require(`
type tomcat_client_packet_t;
')
allow $1 tomcat_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_tomcat_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive tomcat_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_tomcat_client_packets',` dnl
dnl corenet_dontaudit_receive_tomcat_client_packets: arg 1 is the domain whose denials are silenced. Expands to a dontaudit rule for recv on packet objects labeled tomcat_client_packet_t; this only suppresses AVC denial records and grants no access.
dnl The define/pushdef/undefine triples step policy_call_depth up before the body and back down after it; policy_m4_comment uses that depth for its begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_tomcat_client_packets'($*)) dnl
gen_require(`
type tomcat_client_packet_t;
')
dontaudit $1 tomcat_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_tomcat_client_packets'($*)) dnl
')
########################################
##
## Send and receive tomcat_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_tomcat_client_packets',` dnl
dnl corenet_sendrecv_tomcat_client_packets: arg 1 is the caller domain. Composes the send and receive interfaces for tomcat_client_packet_t so the combined grant is written once; packet-class rules only take effect for traffic labeled via SECMARK.
dnl The define/pushdef/undefine triples step policy_call_depth up before the body and back down after it; policy_m4_comment uses that depth for its begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_tomcat_client_packets'($*)) dnl
corenet_send_tomcat_client_packets($1)
corenet_receive_tomcat_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_tomcat_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive tomcat_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_tomcat_client_packets',` dnl
dnl corenet_dontaudit_sendrecv_tomcat_client_packets: arg 1 is the domain whose denials are silenced. Composes the two dontaudit interfaces for tomcat_client_packet_t; this suppresses AVC denial records only and grants no access.
dnl The define/pushdef/undefine triples step policy_call_depth up before the body and back down after it; policy_m4_comment uses that depth for its begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_tomcat_client_packets'($*)) dnl
corenet_dontaudit_send_tomcat_client_packets($1)
corenet_dontaudit_receive_tomcat_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_tomcat_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the tomcat_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_tomcat_client_packets',` dnl
dnl corenet_relabelto_tomcat_client_packets: arg 1 is the caller domain. Expands to an allow rule for relabelto on packet objects to tomcat_client_packet_t, the permission checked when SECMARK rules assigning this label are loaded; gen_require declares the type for loadable modules.
dnl The define/pushdef/undefine triples step policy_call_depth up before the body and back down after it; policy_m4_comment uses that depth for its begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_tomcat_client_packets'($*)) dnl
gen_require(`
type tomcat_client_packet_t;
')
allow $1 tomcat_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_tomcat_client_packets'($*)) dnl
')
########################################
##
## Send tomcat_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_tomcat_server_packets',` dnl
dnl corenet_send_tomcat_server_packets: arg 1 is the caller domain. Expands to an allow rule for send on packet objects labeled tomcat_server_packet_t; packet-class rules only take effect for traffic labeled via SECMARK. gen_require declares the type for loadable modules.
dnl The define/pushdef/undefine triples step policy_call_depth up before the body and back down after it; policy_m4_comment uses that depth for its begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_tomcat_server_packets'($*)) dnl
gen_require(`
type tomcat_server_packet_t;
')
allow $1 tomcat_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_tomcat_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send tomcat_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_tomcat_server_packets',` dnl
dnl corenet_dontaudit_send_tomcat_server_packets: arg 1 is the domain whose denials are silenced. Expands to a dontaudit rule for send on packet objects labeled tomcat_server_packet_t; this only suppresses AVC denial records and grants no access.
dnl The define/pushdef/undefine triples step policy_call_depth up before the body and back down after it; policy_m4_comment uses that depth for its begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_tomcat_server_packets'($*)) dnl
gen_require(`
type tomcat_server_packet_t;
')
dontaudit $1 tomcat_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_tomcat_server_packets'($*)) dnl
')
########################################
##
## Receive tomcat_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_tomcat_server_packets',` dnl
dnl corenet_receive_tomcat_server_packets: arg 1 is the caller domain. Expands to an allow rule for recv on packet objects labeled tomcat_server_packet_t; packet-class rules only take effect for traffic labeled via SECMARK. gen_require declares the type for loadable modules.
dnl The define/pushdef/undefine triples step policy_call_depth up before the body and back down after it; policy_m4_comment uses that depth for its begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_tomcat_server_packets'($*)) dnl
gen_require(`
type tomcat_server_packet_t;
')
allow $1 tomcat_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_tomcat_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive tomcat_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_tomcat_server_packets',` dnl
dnl corenet_dontaudit_receive_tomcat_server_packets: arg 1 is the domain whose denials are silenced. Expands to a dontaudit rule for recv on packet objects labeled tomcat_server_packet_t; this only suppresses AVC denial records and grants no access.
dnl The define/pushdef/undefine triples step policy_call_depth up before the body and back down after it; policy_m4_comment uses that depth for its begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_tomcat_server_packets'($*)) dnl
gen_require(`
type tomcat_server_packet_t;
')
dontaudit $1 tomcat_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_tomcat_server_packets'($*)) dnl
')
########################################
##
## Send and receive tomcat_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_tomcat_server_packets',` dnl
dnl corenet_sendrecv_tomcat_server_packets: arg 1 is the caller domain. Composes the send and receive interfaces for tomcat_server_packet_t so the combined grant is written once; packet-class rules only take effect for traffic labeled via SECMARK.
dnl The define/pushdef/undefine triples step policy_call_depth up before the body and back down after it; policy_m4_comment uses that depth for its begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_tomcat_server_packets'($*)) dnl
corenet_send_tomcat_server_packets($1)
corenet_receive_tomcat_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_tomcat_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive tomcat_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_tomcat_server_packets',` dnl
dnl corenet_dontaudit_sendrecv_tomcat_server_packets: arg 1 is the domain whose denials are silenced. Composes the two dontaudit interfaces for tomcat_server_packet_t; this suppresses AVC denial records only and grants no access.
dnl The define/pushdef/undefine triples step policy_call_depth up before the body and back down after it; policy_m4_comment uses that depth for its begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_tomcat_server_packets'($*)) dnl
corenet_dontaudit_send_tomcat_server_packets($1)
corenet_dontaudit_receive_tomcat_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_tomcat_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the tomcat_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_tomcat_server_packets',` dnl
dnl corenet_relabelto_tomcat_server_packets: arg 1 is the caller domain. Expands to an allow rule for relabelto on packet objects to tomcat_server_packet_t, the permission checked when SECMARK rules assigning this label are loaded; gen_require declares the type for loadable modules.
dnl The define/pushdef/undefine triples step policy_call_depth up before the body and back down after it; policy_m4_comment uses that depth for its begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_tomcat_server_packets'($*)) dnl
gen_require(`
type tomcat_server_packet_t;
')
allow $1 tomcat_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_tomcat_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the tor port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_tor_port',` dnl
dnl corenet_tcp_sendrecv_tor_port: arg 1 is the caller domain. Expands to an allow rule for send_msg and recv_msg on tcp_socket checked against the tor_port_t port label; gen_require declares the type for loadable modules.
dnl The define/pushdef/undefine triples step policy_call_depth up before the body and back down after it; policy_m4_comment uses that depth for its begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_tor_port'($*)) dnl
gen_require(`
type tor_port_t;
')
allow $1 tor_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_tor_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the tor port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_tor_port',` dnl
dnl corenet_udp_send_tor_port: arg 1 is the caller domain. Expands to an allow rule for send_msg on udp_socket checked against the tor_port_t port label; gen_require declares the type for loadable modules.
dnl The define/pushdef/undefine triples step policy_call_depth up before the body and back down after it; policy_m4_comment uses that depth for its begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_tor_port'($*)) dnl
gen_require(`
type tor_port_t;
')
allow $1 tor_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_tor_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the tor port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_tor_port',` dnl
dnl corenet_dontaudit_udp_send_tor_port: arg 1 is the domain whose denials are silenced. Expands to a dontaudit rule for send_msg on udp_socket against tor_port_t; this only suppresses AVC denial records and grants no access.
dnl The define/pushdef/undefine triples step policy_call_depth up before the body and back down after it; policy_m4_comment uses that depth for its begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_tor_port'($*)) dnl
gen_require(`
type tor_port_t;
')
dontaudit $1 tor_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_tor_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the tor port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_tor_port',` dnl
dnl corenet_udp_receive_tor_port: arg 1 is the caller domain. Expands to an allow rule for recv_msg on udp_socket checked against the tor_port_t port label; gen_require declares the type for loadable modules.
dnl The define/pushdef/undefine triples step policy_call_depth up before the body and back down after it; policy_m4_comment uses that depth for its begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_tor_port'($*)) dnl
gen_require(`
type tor_port_t;
')
allow $1 tor_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_tor_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the tor port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_tor_port',` dnl
dnl corenet_dontaudit_udp_receive_tor_port: arg 1 is the domain whose denials are silenced. Expands to a dontaudit rule for recv_msg on udp_socket against tor_port_t; this only suppresses AVC denial records and grants no access.
dnl The define/pushdef/undefine triples step policy_call_depth up before the body and back down after it; policy_m4_comment uses that depth for its begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_tor_port'($*)) dnl
gen_require(`
type tor_port_t;
')
dontaudit $1 tor_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_tor_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the tor port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_tor_port',` dnl
dnl corenet_udp_sendrecv_tor_port: arg 1 is the caller domain. Composes the UDP send and receive interfaces for tor_port_t so the combined grant is written once.
dnl The define/pushdef/undefine triples step policy_call_depth up before the body and back down after it; policy_m4_comment uses that depth for its begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_tor_port'($*)) dnl
corenet_udp_send_tor_port($1)
corenet_udp_receive_tor_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_tor_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the tor port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_tor_port',` dnl
dnl corenet_dontaudit_udp_sendrecv_tor_port: arg 1 is the domain whose denials are silenced. Composes the two UDP dontaudit interfaces for tor_port_t; this suppresses AVC denial records only and grants no access.
dnl The define/pushdef/undefine triples step policy_call_depth up before the body and back down after it; policy_m4_comment uses that depth for its begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_tor_port'($*)) dnl
corenet_dontaudit_udp_send_tor_port($1)
corenet_dontaudit_udp_receive_tor_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_tor_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the tor port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_tor_port',` dnl
dnl corenet_tcp_bind_tor_port: arg 1 is the caller domain. Expands to an allow rule for name_bind on tcp_socket, letting the domain bind TCP sockets to ports labeled tor_port_t; gen_require declares the type for loadable modules.
dnl The define/pushdef/undefine triples step policy_call_depth up before the body and back down after it; policy_m4_comment uses that depth for its begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_tor_port'($*)) dnl
gen_require(`
type tor_port_t;
')
allow $1 tor_port_t:tcp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_tor_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the tor port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_tor_port',` dnl
dnl corenet_udp_bind_tor_port: arg 1 is the caller domain. Expands to an allow rule for name_bind on udp_socket, letting the domain bind UDP sockets to ports labeled tor_port_t; gen_require declares the type for loadable modules.
dnl The define/pushdef/undefine triples step policy_call_depth up before the body and back down after it; policy_m4_comment uses that depth for its begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_tor_port'($*)) dnl
gen_require(`
type tor_port_t;
')
allow $1 tor_port_t:udp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_tor_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the tor port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_tor_port',` dnl
dnl corenet_tcp_connect_tor_port: arg 1 is the caller domain. Expands to an allow rule for name_connect on tcp_socket, letting the domain initiate TCP connections to ports labeled tor_port_t; gen_require declares the type for loadable modules.
dnl The define/pushdef/undefine triples step policy_call_depth up before the body and back down after it; policy_m4_comment uses that depth for its begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_tor_port'($*)) dnl
gen_require(`
type tor_port_t;
')
allow $1 tor_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_tor_port'($*)) dnl
')
########################################
##
## Send tor_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_tor_client_packets',` dnl
dnl corenet_send_tor_client_packets: arg 1 is the caller domain. Expands to an allow rule for send on packet objects labeled tor_client_packet_t; packet-class rules only take effect for traffic labeled via SECMARK. gen_require declares the type for loadable modules.
dnl The define/pushdef/undefine triples step policy_call_depth up before the body and back down after it; policy_m4_comment uses that depth for its begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_tor_client_packets'($*)) dnl
gen_require(`
type tor_client_packet_t;
')
allow $1 tor_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_tor_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send tor_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_tor_client_packets',` dnl
dnl corenet_dontaudit_send_tor_client_packets: arg 1 is the domain whose denials are silenced. Expands to a dontaudit rule for send on packet objects labeled tor_client_packet_t; this only suppresses AVC denial records and grants no access.
dnl The define/pushdef/undefine triples step policy_call_depth up before the body and back down after it; policy_m4_comment uses that depth for its begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_tor_client_packets'($*)) dnl
gen_require(`
type tor_client_packet_t;
')
dontaudit $1 tor_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_tor_client_packets'($*)) dnl
')
########################################
##
## Receive tor_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_tor_client_packets',` dnl
dnl corenet_receive_tor_client_packets: arg 1 is the caller domain. Expands to an allow rule for recv on packet objects labeled tor_client_packet_t; packet-class rules only take effect for traffic labeled via SECMARK. gen_require declares the type for loadable modules.
dnl The define/pushdef/undefine triples step policy_call_depth up before the body and back down after it; policy_m4_comment uses that depth for its begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_tor_client_packets'($*)) dnl
gen_require(`
type tor_client_packet_t;
')
allow $1 tor_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_tor_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive tor_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_tor_client_packets',` dnl
dnl corenet_dontaudit_receive_tor_client_packets: arg 1 is the domain whose denials are silenced. Expands to a dontaudit rule for recv on packet objects labeled tor_client_packet_t; this only suppresses AVC denial records and grants no access.
dnl The define/pushdef/undefine triples step policy_call_depth up before the body and back down after it; policy_m4_comment uses that depth for its begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_tor_client_packets'($*)) dnl
gen_require(`
type tor_client_packet_t;
')
dontaudit $1 tor_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_tor_client_packets'($*)) dnl
')
########################################
##
## Send and receive tor_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_tor_client_packets',` dnl
dnl corenet_sendrecv_tor_client_packets: arg 1 is the caller domain. Composes the send and receive interfaces for tor_client_packet_t so the combined grant is written once; packet-class rules only take effect for traffic labeled via SECMARK.
dnl The define/pushdef/undefine triples step policy_call_depth up before the body and back down after it; policy_m4_comment uses that depth for its begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_tor_client_packets'($*)) dnl
corenet_send_tor_client_packets($1)
corenet_receive_tor_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_tor_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive tor_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_tor_client_packets',` dnl
dnl corenet_dontaudit_sendrecv_tor_client_packets: arg 1 is the domain whose denials are silenced. Composes the two dontaudit interfaces for tor_client_packet_t; this suppresses AVC denial records only and grants no access.
dnl The define/pushdef/undefine triples step policy_call_depth up before the body and back down after it; policy_m4_comment uses that depth for its begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_tor_client_packets'($*)) dnl
corenet_dontaudit_send_tor_client_packets($1)
corenet_dontaudit_receive_tor_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_tor_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the tor_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_tor_client_packets',` dnl
dnl corenet_relabelto_tor_client_packets: arg 1 is the caller domain. Expands to an allow rule for relabelto on packet objects to tor_client_packet_t, the permission checked when SECMARK rules assigning this label are loaded; gen_require declares the type for loadable modules.
dnl The define/pushdef/undefine triples step policy_call_depth up before the body and back down after it; policy_m4_comment uses that depth for its begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_tor_client_packets'($*)) dnl
gen_require(`
type tor_client_packet_t;
')
allow $1 tor_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_tor_client_packets'($*)) dnl
')
########################################
##
## Send tor_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_tor_server_packets',` dnl
dnl corenet_send_tor_server_packets: arg 1 is the caller domain. Expands to an allow rule for send on packet objects labeled tor_server_packet_t; packet-class rules only take effect for traffic labeled via SECMARK. gen_require declares the type for loadable modules.
dnl The define/pushdef/undefine triples step policy_call_depth up before the body and back down after it; policy_m4_comment uses that depth for its begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_tor_server_packets'($*)) dnl
gen_require(`
type tor_server_packet_t;
')
allow $1 tor_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_tor_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send tor_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_tor_server_packets',` dnl
dnl corenet_dontaudit_send_tor_server_packets: arg 1 is the domain whose denials are silenced. Expands to a dontaudit rule for send on packet objects labeled tor_server_packet_t; this only suppresses AVC denial records and grants no access.
dnl The define/pushdef/undefine triples step policy_call_depth up before the body and back down after it; policy_m4_comment uses that depth for its begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_tor_server_packets'($*)) dnl
gen_require(`
type tor_server_packet_t;
')
dontaudit $1 tor_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_tor_server_packets'($*)) dnl
')
########################################
##
## Receive tor_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_tor_server_packets',` dnl
dnl corenet_receive_tor_server_packets: arg 1 is the caller domain. Expands to an allow rule for recv on packet objects labeled tor_server_packet_t; packet-class rules only take effect for traffic labeled via SECMARK. gen_require declares the type for loadable modules.
dnl The define/pushdef/undefine triples step policy_call_depth up before the body and back down after it; policy_m4_comment uses that depth for its begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_tor_server_packets'($*)) dnl
gen_require(`
type tor_server_packet_t;
')
allow $1 tor_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_tor_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive tor_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_tor_server_packets',` dnl
dnl corenet_dontaudit_receive_tor_server_packets: arg 1 is the domain whose denials are silenced. Expands to a dontaudit rule for recv on packet objects labeled tor_server_packet_t; this only suppresses AVC denial records and grants no access.
dnl The define/pushdef/undefine triples step policy_call_depth up before the body and back down after it; policy_m4_comment uses that depth for its begin/end markers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_tor_server_packets'($*)) dnl
gen_require(`
type tor_server_packet_t;
')
dontaudit $1 tor_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_tor_server_packets'($*)) dnl
')
########################################
##
## Send and receive tor_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_tor_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_tor_server_packets'($*)) dnl
dnl Purpose: convenience wrapper granting both packet directions to the domain passed as argument 1 by delegating to the single-direction interfaces; no gen_require is needed here because each callee declares its own.
corenet_send_tor_server_packets($1)
corenet_receive_tor_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_tor_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive tor_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_tor_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_tor_server_packets'($*)) dnl
dnl Purpose: convenience wrapper silencing both packet directions for the domain passed as argument 1 by delegating to the single-direction dontaudit interfaces; grants nothing.
dnl Review: silencing both directions at once removes all audit visibility for this packet type - confirm that is intended.
corenet_dontaudit_send_tor_server_packets($1)
corenet_dontaudit_receive_tor_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_tor_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the tor_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_tor_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_tor_server_packets'($*)) dnl
dnl Purpose: grant the domain passed as argument 1 permission to relabel packets to tor_server_packet_t.
dnl Review: relabeling a packet changes which rules apply to it downstream; presumably only firewall management domains need this - confirm the caller is one and grant narrowly.
gen_require(`
type tor_server_packet_t;
')
allow $1 tor_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_tor_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the traceroute port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_traceroute_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_traceroute_port'($*)) dnl
dnl Purpose: grant send_msg and recv_msg on tcp_socket toward ports labeled traceroute_port_t for the domain passed as argument 1.
dnl NOTE(review): with the network_peer_controls policy capability the kernel does not check send_msg or recv_msg against port types, so name_connect and name_bind are the effective controls - confirm against the kernel in use.
gen_require(`
type traceroute_port_t;
')
allow $1 traceroute_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_traceroute_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the traceroute port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_traceroute_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_traceroute_port'($*)) dnl
dnl Purpose: grant send_msg on udp_socket toward ports labeled traceroute_port_t for the domain passed as argument 1.
dnl NOTE(review): with the network_peer_controls policy capability the kernel does not check send_msg against port types; name_bind remains the effective UDP control - confirm against the kernel in use.
gen_require(`
type traceroute_port_t;
')
allow $1 traceroute_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_traceroute_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the traceroute port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_traceroute_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_traceroute_port'($*)) dnl
dnl Purpose: suppress audit records when the domain passed as argument 1 attempts udp_socket send_msg toward ports labeled traceroute_port_t; no access is granted.
dnl Review: a dontaudit also hides evidence of a missing allow rule, so keep it to known benign, noisy attempts.
gen_require(`
type traceroute_port_t;
')
dontaudit $1 traceroute_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_traceroute_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the traceroute port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_traceroute_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_traceroute_port'($*)) dnl
dnl Purpose: grant recv_msg on udp_socket from ports labeled traceroute_port_t for the domain passed as argument 1.
dnl NOTE(review): with the network_peer_controls policy capability the kernel does not check recv_msg against port types; name_bind remains the effective UDP control - confirm against the kernel in use.
gen_require(`
type traceroute_port_t;
')
allow $1 traceroute_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_traceroute_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the traceroute port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_traceroute_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_traceroute_port'($*)) dnl
dnl Purpose: suppress audit records when the domain passed as argument 1 attempts udp_socket recv_msg from ports labeled traceroute_port_t; no access is granted.
dnl Review: a dontaudit also hides evidence of a missing allow rule, so keep it to known benign, noisy attempts.
gen_require(`
type traceroute_port_t;
')
dontaudit $1 traceroute_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_traceroute_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the traceroute port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_traceroute_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_traceroute_port'($*)) dnl
dnl Purpose: convenience wrapper granting both UDP directions on the traceroute port to the domain passed as argument 1 by delegating to the single-direction interfaces; no gen_require is needed here because each callee declares its own.
corenet_udp_send_traceroute_port($1)
corenet_udp_receive_traceroute_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_traceroute_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the traceroute port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_traceroute_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_traceroute_port'($*)) dnl
dnl Purpose: convenience wrapper silencing both UDP directions on the traceroute port for the domain passed as argument 1 by delegating to the single-direction dontaudit interfaces; grants nothing.
dnl Review: silencing both directions at once removes all audit visibility for this port - confirm that is intended.
corenet_dontaudit_udp_send_traceroute_port($1)
corenet_dontaudit_udp_receive_traceroute_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_traceroute_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the traceroute port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_traceroute_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_traceroute_port'($*)) dnl
dnl Purpose: grant name_bind on tcp_socket for ports labeled traceroute_port_t, i.e. let the domain passed as argument 1 listen on that port.
dnl Review: name_bind is the control that decides which domains may serve this port; grant it only to the intended server domain.
gen_require(`
type traceroute_port_t;
')
allow $1 traceroute_port_t:tcp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_traceroute_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the traceroute port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_traceroute_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_traceroute_port'($*)) dnl
dnl Purpose: grant name_bind on udp_socket for ports labeled traceroute_port_t, i.e. let the domain passed as argument 1 bind that port.
dnl Review: name_bind is the control that decides which domains may serve this port; grant it only to the intended server domain.
gen_require(`
type traceroute_port_t;
')
allow $1 traceroute_port_t:udp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_traceroute_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the traceroute port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_traceroute_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_traceroute_port'($*)) dnl
dnl Purpose: grant name_connect on tcp_socket toward ports labeled traceroute_port_t, i.e. let the domain passed as argument 1 initiate TCP connections to that port.
dnl Review: name_connect is the effective outbound port control; prefer it over the broader sendrecv interface when only client access is needed.
gen_require(`
type traceroute_port_t;
')
allow $1 traceroute_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_traceroute_port'($*)) dnl
')
########################################
##
## Send traceroute_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_traceroute_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_traceroute_client_packets'($*)) dnl
dnl Purpose: grant the domain passed as argument 1 permission to send packets labeled traceroute_client_packet_t.
dnl Review: the packet class is only exercised where the kernel labels traffic, presumably via SECMARK rules - confirm such labeling exists before relying on this as a control.
gen_require(`
type traceroute_client_packet_t;
')
allow $1 traceroute_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_traceroute_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send traceroute_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_traceroute_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_traceroute_client_packets'($*)) dnl
dnl Purpose: suppress audit records when the domain passed as argument 1 attempts to send packets labeled traceroute_client_packet_t; no access is granted, the denial still occurs silently.
dnl Review: a dontaudit also hides evidence of a missing allow rule, so keep it to known benign, noisy attempts.
gen_require(`
type traceroute_client_packet_t;
')
dontaudit $1 traceroute_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_traceroute_client_packets'($*)) dnl
')
########################################
##
## Receive traceroute_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_traceroute_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_traceroute_client_packets'($*)) dnl
dnl Purpose: grant the domain passed as argument 1 permission to receive packets labeled traceroute_client_packet_t.
dnl Review: the packet class is only exercised where the kernel labels traffic, presumably via SECMARK rules - confirm such labeling exists before relying on this as a control.
gen_require(`
type traceroute_client_packet_t;
')
allow $1 traceroute_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_traceroute_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive traceroute_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_traceroute_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_traceroute_client_packets'($*)) dnl
dnl Purpose: suppress audit records when the domain passed as argument 1 attempts to receive packets labeled traceroute_client_packet_t; no access is granted, the denial still occurs silently.
dnl Review: a dontaudit also hides evidence of a missing allow rule, so keep it to known benign, noisy attempts.
gen_require(`
type traceroute_client_packet_t;
')
dontaudit $1 traceroute_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_traceroute_client_packets'($*)) dnl
')
########################################
##
## Send and receive traceroute_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_traceroute_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_traceroute_client_packets'($*)) dnl
dnl Purpose: convenience wrapper granting both packet directions to the domain passed as argument 1 by delegating to the single-direction interfaces; no gen_require is needed here because each callee declares its own.
corenet_send_traceroute_client_packets($1)
corenet_receive_traceroute_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_traceroute_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive traceroute_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_traceroute_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_traceroute_client_packets'($*)) dnl
dnl Purpose: convenience wrapper silencing both packet directions for the domain passed as argument 1 by delegating to the single-direction dontaudit interfaces; grants nothing.
dnl Review: silencing both directions at once removes all audit visibility for this packet type - confirm that is intended.
corenet_dontaudit_send_traceroute_client_packets($1)
corenet_dontaudit_receive_traceroute_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_traceroute_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the traceroute_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_traceroute_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_traceroute_client_packets'($*)) dnl
dnl Purpose: grant the domain passed as argument 1 permission to relabel packets to traceroute_client_packet_t.
dnl Review: relabeling a packet changes which rules apply to it downstream; presumably only firewall management domains need this - confirm the caller is one and grant narrowly.
gen_require(`
type traceroute_client_packet_t;
')
allow $1 traceroute_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_traceroute_client_packets'($*)) dnl
')
########################################
##
## Send traceroute_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_traceroute_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_traceroute_server_packets'($*)) dnl
dnl Purpose: grant the domain passed as argument 1 permission to send packets labeled traceroute_server_packet_t.
dnl Review: the packet class is only exercised where the kernel labels traffic, presumably via SECMARK rules - confirm such labeling exists before relying on this as a control.
gen_require(`
type traceroute_server_packet_t;
')
allow $1 traceroute_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_traceroute_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send traceroute_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_traceroute_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_traceroute_server_packets'($*)) dnl
dnl Purpose: suppress audit records when the domain passed as argument 1 attempts to send packets labeled traceroute_server_packet_t; no access is granted, the denial still occurs silently.
dnl Review: a dontaudit also hides evidence of a missing allow rule, so keep it to known benign, noisy attempts.
gen_require(`
type traceroute_server_packet_t;
')
dontaudit $1 traceroute_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_traceroute_server_packets'($*)) dnl
')
########################################
##
## Receive traceroute_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_traceroute_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_traceroute_server_packets'($*)) dnl
dnl Purpose: grant the domain passed as argument 1 permission to receive packets labeled traceroute_server_packet_t.
dnl Review: the packet class is only exercised where the kernel labels traffic, presumably via SECMARK rules - confirm such labeling exists before relying on this as a control.
gen_require(`
type traceroute_server_packet_t;
')
allow $1 traceroute_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_traceroute_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive traceroute_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_traceroute_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_traceroute_server_packets'($*)) dnl
dnl Purpose: suppress audit records when the domain passed as argument 1 attempts to receive packets labeled traceroute_server_packet_t; no access is granted, the denial still occurs silently.
dnl Review: a dontaudit also hides evidence of a missing allow rule, so keep it to known benign, noisy attempts.
gen_require(`
type traceroute_server_packet_t;
')
dontaudit $1 traceroute_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_traceroute_server_packets'($*)) dnl
')
########################################
##
## Send and receive traceroute_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_traceroute_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_traceroute_server_packets'($*)) dnl
dnl Purpose: convenience wrapper granting both packet directions to the domain passed as argument 1 by delegating to the single-direction interfaces; no gen_require is needed here because each callee declares its own.
corenet_send_traceroute_server_packets($1)
corenet_receive_traceroute_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_traceroute_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive traceroute_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_traceroute_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_traceroute_server_packets'($*)) dnl
dnl Purpose: convenience wrapper silencing both packet directions for the domain passed as argument 1 by delegating to the single-direction dontaudit interfaces; grants nothing.
dnl Review: silencing both directions at once removes all audit visibility for this packet type - confirm that is intended.
corenet_dontaudit_send_traceroute_server_packets($1)
corenet_dontaudit_receive_traceroute_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_traceroute_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the traceroute_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_traceroute_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_traceroute_server_packets'($*)) dnl
dnl Purpose: grant the domain passed as argument 1 permission to relabel packets to traceroute_server_packet_t.
dnl Review: relabeling a packet changes which rules apply to it downstream; presumably only firewall management domains need this - confirm the caller is one and grant narrowly.
gen_require(`
type traceroute_server_packet_t;
')
allow $1 traceroute_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_traceroute_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the transproxy port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_transproxy_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_transproxy_port'($*)) dnl
dnl Purpose: grant send_msg and recv_msg on tcp_socket toward ports labeled transproxy_port_t for the domain passed as argument 1.
dnl NOTE(review): with the network_peer_controls policy capability the kernel does not check send_msg or recv_msg against port types, so name_connect and name_bind are the effective controls - confirm against the kernel in use.
gen_require(`
type transproxy_port_t;
')
allow $1 transproxy_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_transproxy_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the transproxy port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_transproxy_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_transproxy_port'($*)) dnl
dnl Purpose: grant send_msg on udp_socket toward ports labeled transproxy_port_t for the domain passed as argument 1.
dnl NOTE(review): with the network_peer_controls policy capability the kernel does not check send_msg against port types; name_bind remains the effective UDP control - confirm against the kernel in use.
gen_require(`
type transproxy_port_t;
')
allow $1 transproxy_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_transproxy_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the transproxy port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_transproxy_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_transproxy_port'($*)) dnl
dnl Purpose: suppress audit records when the domain passed as argument 1 attempts udp_socket send_msg toward ports labeled transproxy_port_t; no access is granted.
dnl Review: a dontaudit also hides evidence of a missing allow rule, so keep it to known benign, noisy attempts.
gen_require(`
type transproxy_port_t;
')
dontaudit $1 transproxy_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_transproxy_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the transproxy port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_transproxy_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_transproxy_port'($*)) dnl
dnl Purpose: grant recv_msg on udp_socket from ports labeled transproxy_port_t for the domain passed as argument 1.
dnl NOTE(review): with the network_peer_controls policy capability the kernel does not check recv_msg against port types; name_bind remains the effective UDP control - confirm against the kernel in use.
gen_require(`
type transproxy_port_t;
')
allow $1 transproxy_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_transproxy_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the transproxy port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_transproxy_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_transproxy_port'($*)) dnl
dnl Purpose: suppress audit records when the domain passed as argument 1 attempts udp_socket recv_msg from ports labeled transproxy_port_t; no access is granted.
dnl Review: a dontaudit also hides evidence of a missing allow rule, so keep it to known benign, noisy attempts.
gen_require(`
type transproxy_port_t;
')
dontaudit $1 transproxy_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_transproxy_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the transproxy port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_transproxy_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_transproxy_port'($*)) dnl
dnl Purpose: convenience wrapper granting both UDP directions on the transproxy port to the domain passed as argument 1 by delegating to the single-direction interfaces; no gen_require is needed here because each callee declares its own.
corenet_udp_send_transproxy_port($1)
corenet_udp_receive_transproxy_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_transproxy_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the transproxy port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_transproxy_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_transproxy_port'($*)) dnl
dnl Purpose: convenience wrapper silencing both UDP directions on the transproxy port for the domain passed as argument 1 by delegating to the single-direction dontaudit interfaces; grants nothing.
dnl Review: silencing both directions at once removes all audit visibility for this port - confirm that is intended.
corenet_dontaudit_udp_send_transproxy_port($1)
corenet_dontaudit_udp_receive_transproxy_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_transproxy_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the transproxy port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_transproxy_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_transproxy_port'($*)) dnl
dnl Purpose: grant name_bind on tcp_socket for ports labeled transproxy_port_t, i.e. let the domain passed as argument 1 listen on that port.
dnl Review: name_bind is the control that decides which domains may serve this port; a transparent proxy port receives redirected traffic, so grant it only to the intended proxy domain.
gen_require(`
type transproxy_port_t;
')
allow $1 transproxy_port_t:tcp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_transproxy_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the transproxy port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_transproxy_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_transproxy_port'($*)) dnl
dnl Purpose: grant name_bind on udp_socket for ports labeled transproxy_port_t, i.e. let the domain passed as argument 1 bind that port.
dnl Review: name_bind is the control that decides which domains may serve this port; grant it only to the intended proxy domain.
gen_require(`
type transproxy_port_t;
')
allow $1 transproxy_port_t:udp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_transproxy_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the transproxy port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_transproxy_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_transproxy_port'($*)) dnl
dnl Purpose: grant name_connect on tcp_socket toward ports labeled transproxy_port_t, i.e. let the domain passed as argument 1 initiate TCP connections to that port.
dnl Review: name_connect is the effective outbound port control; prefer it over the broader sendrecv interface when only client access is needed.
gen_require(`
type transproxy_port_t;
')
allow $1 transproxy_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_transproxy_port'($*)) dnl
')
########################################
##
## Send transproxy_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_transproxy_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_transproxy_client_packets'($*)) dnl
dnl Purpose: grant the domain passed as argument 1 permission to send packets labeled transproxy_client_packet_t.
dnl Review: the packet class is only exercised where the kernel labels traffic, presumably via SECMARK rules - confirm such labeling exists before relying on this as a control.
gen_require(`
type transproxy_client_packet_t;
')
allow $1 transproxy_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_transproxy_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send transproxy_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_transproxy_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_transproxy_client_packets'($*)) dnl
dnl Purpose: suppress audit records when the domain passed as argument 1 attempts to send packets labeled transproxy_client_packet_t; no access is granted, the denial still occurs silently.
dnl Review: a dontaudit also hides evidence of a missing allow rule, so keep it to known benign, noisy attempts.
gen_require(`
type transproxy_client_packet_t;
')
dontaudit $1 transproxy_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_transproxy_client_packets'($*)) dnl
')
########################################
##
## Receive transproxy_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_transproxy_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_transproxy_client_packets'($*)) dnl
dnl Purpose: grant the domain passed as argument 1 permission to receive packets labeled transproxy_client_packet_t.
dnl Review: the packet class is only exercised where the kernel labels traffic, presumably via SECMARK rules - confirm such labeling exists before relying on this as a control.
gen_require(`
type transproxy_client_packet_t;
')
allow $1 transproxy_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_transproxy_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive transproxy_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_transproxy_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_transproxy_client_packets'($*)) dnl
dnl Purpose: suppress audit records when the domain passed as argument 1 attempts to receive packets labeled transproxy_client_packet_t; no access is granted, the denial still occurs silently.
dnl Review: a dontaudit also hides evidence of a missing allow rule, so keep it to known benign, noisy attempts.
gen_require(`
type transproxy_client_packet_t;
')
dontaudit $1 transproxy_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_transproxy_client_packets'($*)) dnl
')
########################################
##
## Send and receive transproxy_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_transproxy_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_transproxy_client_packets'($*)) dnl
dnl Purpose: convenience wrapper granting both packet directions to the domain passed as argument 1 by delegating to the single-direction interfaces; no gen_require is needed here because each callee declares its own.
corenet_send_transproxy_client_packets($1)
corenet_receive_transproxy_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_transproxy_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive transproxy_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_transproxy_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_transproxy_client_packets'($*)) dnl
dnl Purpose: convenience wrapper silencing both packet directions for the domain passed as argument 1 by delegating to the single-direction dontaudit interfaces; grants nothing.
dnl Review: silencing both directions at once removes all audit visibility for this packet type - confirm that is intended.
corenet_dontaudit_send_transproxy_client_packets($1)
corenet_dontaudit_receive_transproxy_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_transproxy_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the transproxy_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_transproxy_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_transproxy_client_packets'($*)) dnl
dnl Purpose: grant the domain passed as argument 1 permission to relabel packets to transproxy_client_packet_t.
dnl Review: relabeling a packet changes which rules apply to it downstream; presumably only firewall management domains need this - confirm the caller is one and grant narrowly.
gen_require(`
type transproxy_client_packet_t;
')
allow $1 transproxy_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_transproxy_client_packets'($*)) dnl
')
########################################
##
## Send transproxy_server packets.
##
## Allows the domain to send packets labeled transproxy_server_packet_t
## (packet class, send permission). The packet type is declared via
## gen_require so the rule can also be emitted from a loadable module.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`corenet_send_transproxy_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_transproxy_server_packets'($*)) dnl
gen_require(`
type transproxy_server_packet_t;
')
allow $1 transproxy_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_transproxy_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send transproxy_server packets.
##
## Emits a dontaudit rule for packet send on transproxy_server_packet_t:
## denied attempts are not logged and no access is granted. Suppressed
## denials are invisible to audit-based detection, so use this only for
## known-benign noise.
##
## Parameters:
## 1. Domain to not audit.
##
#
define(`corenet_dontaudit_send_transproxy_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_transproxy_server_packets'($*)) dnl
gen_require(`
type transproxy_server_packet_t;
')
dontaudit $1 transproxy_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_transproxy_server_packets'($*)) dnl
')
########################################
##
## Receive transproxy_server packets.
##
## Allows the domain to receive packets labeled transproxy_server_packet_t
## (packet class, recv permission). The packet type is declared via
## gen_require so the rule can also be emitted from a loadable module.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`corenet_receive_transproxy_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_transproxy_server_packets'($*)) dnl
gen_require(`
type transproxy_server_packet_t;
')
allow $1 transproxy_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_transproxy_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive transproxy_server packets.
##
## Emits a dontaudit rule for packet recv on transproxy_server_packet_t:
## denied attempts are not logged and no access is granted (the parameter
## description below was corrected; this interface does not allow access).
## Suppressed denials are invisible to audit-based detection, so use this
## only for known-benign noise.
##
## Parameters:
## 1. Domain to not audit.
##
#
define(`corenet_dontaudit_receive_transproxy_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_transproxy_server_packets'($*)) dnl
gen_require(`
type transproxy_server_packet_t;
')
dontaudit $1 transproxy_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_transproxy_server_packets'($*)) dnl
')
########################################
##
## Send and receive transproxy_server packets.
##
## Convenience wrapper: calls corenet_send_transproxy_server_packets and
## corenet_receive_transproxy_server_packets for the same domain, so the
## domain ends up with both send and recv on transproxy_server_packet_t.
## The require block for the packet type comes from the called interfaces.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`corenet_sendrecv_transproxy_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_transproxy_server_packets'($*)) dnl
corenet_send_transproxy_server_packets($1)
corenet_receive_transproxy_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_transproxy_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive transproxy_server packets.
##
## Convenience wrapper: calls corenet_dontaudit_send_transproxy_server_packets
## and corenet_dontaudit_receive_transproxy_server_packets for the same
## domain. Only dontaudit rules are emitted, so no access is granted; denied
## send and recv attempts on transproxy_server_packet_t are simply not logged.
## Suppressed denials are invisible to audit-based detection, so use this
## only for known-benign noise.
##
## Parameters:
## 1. Domain to not audit.
##
#
define(`corenet_dontaudit_sendrecv_transproxy_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_transproxy_server_packets'($*)) dnl
corenet_dontaudit_send_transproxy_server_packets($1)
corenet_dontaudit_receive_transproxy_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_transproxy_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the transproxy_server packet type.
##
## Allows the domain to relabel packets to transproxy_server_packet_t
## (packet class, relabelto permission). This is typically the check applied
## when a domain installs packet-labeling rules for this type. Because the
## label decides which packet rules traffic is subject to, keep this
## interface to firewall-administration domains.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`corenet_relabelto_transproxy_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_transproxy_server_packets'($*)) dnl
gen_require(`
type transproxy_server_packet_t;
')
allow $1 transproxy_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_transproxy_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the uucpd port.
##
## Allows send_msg and recv_msg on tcp_socket for uucpd_port_t, i.e. TCP
## traffic on a port labeled uucpd_port_t. This does not by itself allow
## binding to or connecting to the port; see corenet_tcp_bind_uucpd_port
## and corenet_tcp_connect_uucpd_port for those.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`corenet_tcp_sendrecv_uucpd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_uucpd_port'($*)) dnl
gen_require(`
type uucpd_port_t;
')
allow $1 uucpd_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_uucpd_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the uucpd port.
##
## Allows send_msg on udp_socket for uucpd_port_t. Binding a UDP socket to
## the port is a separate permission; see corenet_udp_bind_uucpd_port.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`corenet_udp_send_uucpd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_uucpd_port'($*)) dnl
gen_require(`
type uucpd_port_t;
')
allow $1 uucpd_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_uucpd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the uucpd port.
##
## Emits a dontaudit rule for udp_socket send_msg on uucpd_port_t: denied
## attempts are not logged and no access is granted. Suppressed denials are
## invisible to audit-based detection, so use this only for known-benign
## noise.
##
## Parameters:
## 1. Domain to not audit.
##
#
define(`corenet_dontaudit_udp_send_uucpd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_uucpd_port'($*)) dnl
gen_require(`
type uucpd_port_t;
')
dontaudit $1 uucpd_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_uucpd_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the uucpd port.
##
## Allows recv_msg on udp_socket for uucpd_port_t. Binding a UDP socket to
## the port is a separate permission; see corenet_udp_bind_uucpd_port.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`corenet_udp_receive_uucpd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_uucpd_port'($*)) dnl
gen_require(`
type uucpd_port_t;
')
allow $1 uucpd_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_uucpd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the uucpd port.
##
## Emits a dontaudit rule for udp_socket recv_msg on uucpd_port_t: denied
## attempts are not logged and no access is granted. Suppressed denials are
## invisible to audit-based detection, so use this only for known-benign
## noise.
##
## Parameters:
## 1. Domain to not audit.
##
#
define(`corenet_dontaudit_udp_receive_uucpd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_uucpd_port'($*)) dnl
gen_require(`
type uucpd_port_t;
')
dontaudit $1 uucpd_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_uucpd_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the uucpd port.
##
## Convenience wrapper: calls corenet_udp_send_uucpd_port and
## corenet_udp_receive_uucpd_port for the same domain, granting both
## send_msg and recv_msg on udp_socket for uucpd_port_t. The require block
## for the port type comes from the called interfaces.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`corenet_udp_sendrecv_uucpd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_uucpd_port'($*)) dnl
corenet_udp_send_uucpd_port($1)
corenet_udp_receive_uucpd_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_uucpd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the uucpd port.
##
## Convenience wrapper: calls corenet_dontaudit_udp_send_uucpd_port and
## corenet_dontaudit_udp_receive_uucpd_port for the same domain. Only
## dontaudit rules are emitted, so no access is granted; denied send_msg and
## recv_msg attempts on uucpd_port_t are simply not logged. Suppressed
## denials are invisible to audit-based detection, so use this only for
## known-benign noise.
##
## Parameters:
## 1. Domain to not audit.
##
#
define(`corenet_dontaudit_udp_sendrecv_uucpd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_uucpd_port'($*)) dnl
corenet_dontaudit_udp_send_uucpd_port($1)
corenet_dontaudit_udp_receive_uucpd_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_uucpd_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the uucpd port.
##
## Allows name_bind on tcp_socket for uucpd_port_t and, in addition, grants
## the net_bind_service capability on the domain itself (presumably because
## uucpd is a privileged port below 1024, which the kernel only lets
## capability holders bind). Note that the capability is process-wide, not
## port-specific: SELinux still checks name_bind per port type, but the
## privileged-port restriction is lifted for every port the domain is
## otherwise allowed to bind. Review callers with that wider grant in mind.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`corenet_tcp_bind_uucpd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_uucpd_port'($*)) dnl
gen_require(`
type uucpd_port_t;
')
allow $1 uucpd_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_uucpd_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the uucpd port.
##
## Allows name_bind on udp_socket for uucpd_port_t and, in addition, grants
## the net_bind_service capability on the domain itself (presumably because
## uucpd is a privileged port below 1024, which the kernel only lets
## capability holders bind). Note that the capability is process-wide, not
## port-specific: SELinux still checks name_bind per port type, but the
## privileged-port restriction is lifted for every port the domain is
## otherwise allowed to bind. Review callers with that wider grant in mind.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`corenet_udp_bind_uucpd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_uucpd_port'($*)) dnl
gen_require(`
type uucpd_port_t;
')
allow $1 uucpd_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_uucpd_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the uucpd port.
##
## Allows name_connect on tcp_socket for uucpd_port_t, i.e. outbound TCP
## connections to a port labeled uucpd_port_t. No capability is granted;
## connecting to a privileged port needs none.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`corenet_tcp_connect_uucpd_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_uucpd_port'($*)) dnl
gen_require(`
type uucpd_port_t;
')
allow $1 uucpd_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_uucpd_port'($*)) dnl
')
########################################
##
## Send uucpd_client packets.
##
## Allows the domain to send packets labeled uucpd_client_packet_t
## (packet class, send permission). The packet type is declared via
## gen_require so the rule can also be emitted from a loadable module.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`corenet_send_uucpd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_uucpd_client_packets'($*)) dnl
gen_require(`
type uucpd_client_packet_t;
')
allow $1 uucpd_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_uucpd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send uucpd_client packets.
##
## Emits a dontaudit rule for packet send on uucpd_client_packet_t: denied
## attempts are not logged and no access is granted. Suppressed denials are
## invisible to audit-based detection, so use this only for known-benign
## noise.
##
## Parameters:
## 1. Domain to not audit.
##
#
define(`corenet_dontaudit_send_uucpd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_uucpd_client_packets'($*)) dnl
gen_require(`
type uucpd_client_packet_t;
')
dontaudit $1 uucpd_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_uucpd_client_packets'($*)) dnl
')
########################################
##
## Receive uucpd_client packets.
##
## Allows the domain to receive packets labeled uucpd_client_packet_t
## (packet class, recv permission). The packet type is declared via
## gen_require so the rule can also be emitted from a loadable module.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`corenet_receive_uucpd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_uucpd_client_packets'($*)) dnl
gen_require(`
type uucpd_client_packet_t;
')
allow $1 uucpd_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_uucpd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive uucpd_client packets.
##
## Emits a dontaudit rule for packet recv on uucpd_client_packet_t: denied
## attempts are not logged and no access is granted (the parameter
## description below was corrected; this interface does not allow access).
## Suppressed denials are invisible to audit-based detection, so use this
## only for known-benign noise.
##
## Parameters:
## 1. Domain to not audit.
##
#
define(`corenet_dontaudit_receive_uucpd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_uucpd_client_packets'($*)) dnl
gen_require(`
type uucpd_client_packet_t;
')
dontaudit $1 uucpd_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_uucpd_client_packets'($*)) dnl
')
########################################
##
## Send and receive uucpd_client packets.
##
## Convenience wrapper: calls corenet_send_uucpd_client_packets and
## corenet_receive_uucpd_client_packets for the same domain, so the domain
## ends up with both send and recv on uucpd_client_packet_t. The require
## block for the packet type comes from the called interfaces.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`corenet_sendrecv_uucpd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_uucpd_client_packets'($*)) dnl
corenet_send_uucpd_client_packets($1)
corenet_receive_uucpd_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_uucpd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive uucpd_client packets.
##
## Convenience wrapper: calls corenet_dontaudit_send_uucpd_client_packets
## and corenet_dontaudit_receive_uucpd_client_packets for the same domain.
## Only dontaudit rules are emitted, so no access is granted; denied send
## and recv attempts on uucpd_client_packet_t are simply not logged.
## Suppressed denials are invisible to audit-based detection, so use this
## only for known-benign noise.
##
## Parameters:
## 1. Domain to not audit.
##
#
define(`corenet_dontaudit_sendrecv_uucpd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_uucpd_client_packets'($*)) dnl
corenet_dontaudit_send_uucpd_client_packets($1)
corenet_dontaudit_receive_uucpd_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_uucpd_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the uucpd_client packet type.
##
## Allows the domain to relabel packets to uucpd_client_packet_t
## (packet class, relabelto permission). This is typically the check applied
## when a domain installs packet-labeling rules for this type. Because the
## label decides which packet rules traffic is subject to, keep this
## interface to firewall-administration domains.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`corenet_relabelto_uucpd_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_uucpd_client_packets'($*)) dnl
gen_require(`
type uucpd_client_packet_t;
')
allow $1 uucpd_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_uucpd_client_packets'($*)) dnl
')
########################################
##
## Send uucpd_server packets.
##
## Allows the domain to send packets labeled uucpd_server_packet_t
## (packet class, send permission). The packet type is declared via
## gen_require so the rule can also be emitted from a loadable module.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`corenet_send_uucpd_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_uucpd_server_packets'($*)) dnl
gen_require(`
type uucpd_server_packet_t;
')
allow $1 uucpd_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_uucpd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send uucpd_server packets.
##
## Emits a dontaudit rule for packet send on uucpd_server_packet_t: denied
## attempts are not logged and no access is granted. Suppressed denials are
## invisible to audit-based detection, so use this only for known-benign
## noise.
##
## Parameters:
## 1. Domain to not audit.
##
#
define(`corenet_dontaudit_send_uucpd_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_uucpd_server_packets'($*)) dnl
gen_require(`
type uucpd_server_packet_t;
')
dontaudit $1 uucpd_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_uucpd_server_packets'($*)) dnl
')
########################################
##
## Receive uucpd_server packets.
##
## Allows the domain to receive packets labeled uucpd_server_packet_t
## (packet class, recv permission). The packet type is declared via
## gen_require so the rule can also be emitted from a loadable module.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`corenet_receive_uucpd_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_uucpd_server_packets'($*)) dnl
gen_require(`
type uucpd_server_packet_t;
')
allow $1 uucpd_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_uucpd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive uucpd_server packets.
##
## Emits a dontaudit rule for packet recv on uucpd_server_packet_t: denied
## attempts are not logged and no access is granted (the parameter
## description below was corrected; this interface does not allow access).
## Suppressed denials are invisible to audit-based detection, so use this
## only for known-benign noise.
##
## Parameters:
## 1. Domain to not audit.
##
#
define(`corenet_dontaudit_receive_uucpd_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_uucpd_server_packets'($*)) dnl
gen_require(`
type uucpd_server_packet_t;
')
dontaudit $1 uucpd_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_uucpd_server_packets'($*)) dnl
')
########################################
##
## Send and receive uucpd_server packets.
##
## Convenience wrapper: calls corenet_send_uucpd_server_packets and
## corenet_receive_uucpd_server_packets for the same domain, so the domain
## ends up with both send and recv on uucpd_server_packet_t. The require
## block for the packet type comes from the called interfaces.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`corenet_sendrecv_uucpd_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_uucpd_server_packets'($*)) dnl
corenet_send_uucpd_server_packets($1)
corenet_receive_uucpd_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_uucpd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive uucpd_server packets.
##
## Convenience wrapper: calls corenet_dontaudit_send_uucpd_server_packets
## and corenet_dontaudit_receive_uucpd_server_packets for the same domain.
## Only dontaudit rules are emitted, so no access is granted; denied send
## and recv attempts on uucpd_server_packet_t are simply not logged.
## Suppressed denials are invisible to audit-based detection, so use this
## only for known-benign noise.
##
## Parameters:
## 1. Domain to not audit.
##
#
define(`corenet_dontaudit_sendrecv_uucpd_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_uucpd_server_packets'($*)) dnl
corenet_dontaudit_send_uucpd_server_packets($1)
corenet_dontaudit_receive_uucpd_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_uucpd_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the uucpd_server packet type.
##
## Allows the domain to relabel packets to uucpd_server_packet_t
## (packet class, relabelto permission). This is typically the check applied
## when a domain installs packet-labeling rules for this type. Because the
## label decides which packet rules traffic is subject to, keep this
## interface to firewall-administration domains.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`corenet_relabelto_uucpd_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_uucpd_server_packets'($*)) dnl
gen_require(`
type uucpd_server_packet_t;
')
allow $1 uucpd_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_uucpd_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the virt port.
##
## Allows send_msg and recv_msg on tcp_socket for virt_port_t, i.e. TCP
## traffic on a port labeled virt_port_t. This does not by itself allow
## binding to or connecting to the port; see corenet_tcp_bind_virt_port and
## corenet_tcp_connect_virt_port for those.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`corenet_tcp_sendrecv_virt_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_virt_port'($*)) dnl
gen_require(`
type virt_port_t;
')
allow $1 virt_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_virt_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the virt port.
##
## Allows send_msg on udp_socket for virt_port_t. Binding a UDP socket to
## the port is a separate permission; see corenet_udp_bind_virt_port.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`corenet_udp_send_virt_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_virt_port'($*)) dnl
gen_require(`
type virt_port_t;
')
allow $1 virt_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_virt_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the virt port.
##
## Emits a dontaudit rule for udp_socket send_msg on virt_port_t: denied
## attempts are not logged and no access is granted. Suppressed denials are
## invisible to audit-based detection, so use this only for known-benign
## noise.
##
## Parameters:
## 1. Domain to not audit.
##
#
define(`corenet_dontaudit_udp_send_virt_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_virt_port'($*)) dnl
gen_require(`
type virt_port_t;
')
dontaudit $1 virt_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_virt_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the virt port.
##
## Allows recv_msg on udp_socket for virt_port_t. Binding a UDP socket to
## the port is a separate permission; see corenet_udp_bind_virt_port.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`corenet_udp_receive_virt_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_virt_port'($*)) dnl
gen_require(`
type virt_port_t;
')
allow $1 virt_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_virt_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the virt port.
##
## Emits a dontaudit rule for udp_socket recv_msg on virt_port_t: denied
## attempts are not logged and no access is granted. Suppressed denials are
## invisible to audit-based detection, so use this only for known-benign
## noise.
##
## Parameters:
## 1. Domain to not audit.
##
#
define(`corenet_dontaudit_udp_receive_virt_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_virt_port'($*)) dnl
gen_require(`
type virt_port_t;
')
dontaudit $1 virt_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_virt_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the virt port.
##
## Convenience wrapper: calls corenet_udp_send_virt_port and
## corenet_udp_receive_virt_port for the same domain, granting both
## send_msg and recv_msg on udp_socket for virt_port_t. The require block
## for the port type comes from the called interfaces.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`corenet_udp_sendrecv_virt_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_virt_port'($*)) dnl
corenet_udp_send_virt_port($1)
corenet_udp_receive_virt_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_virt_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the virt port.
##
## Convenience wrapper: calls corenet_dontaudit_udp_send_virt_port and
## corenet_dontaudit_udp_receive_virt_port for the same domain. Only
## dontaudit rules are emitted, so no access is granted; denied send_msg and
## recv_msg attempts on virt_port_t are simply not logged. Suppressed
## denials are invisible to audit-based detection, so use this only for
## known-benign noise.
##
## Parameters:
## 1. Domain to not audit.
##
#
define(`corenet_dontaudit_udp_sendrecv_virt_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_virt_port'($*)) dnl
corenet_dontaudit_udp_send_virt_port($1)
corenet_dontaudit_udp_receive_virt_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_virt_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the virt port.
##
## Allows name_bind on tcp_socket for virt_port_t. Unlike the uucpd bind
## interfaces, no net_bind_service capability is granted here, presumably
## because virt is an unprivileged port (1024 or above) that needs none;
## the domain gains nothing beyond binding to this port type.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`corenet_tcp_bind_virt_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_virt_port'($*)) dnl
gen_require(`
type virt_port_t;
')
allow $1 virt_port_t:tcp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_virt_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the virt port.
##
## Allows name_bind on udp_socket for virt_port_t. Unlike the uucpd bind
## interfaces, no net_bind_service capability is granted here, presumably
## because virt is an unprivileged port (1024 or above) that needs none;
## the domain gains nothing beyond binding to this port type.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`corenet_udp_bind_virt_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_virt_port'($*)) dnl
gen_require(`
type virt_port_t;
')
allow $1 virt_port_t:udp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_virt_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the virt port.
##
## Allows name_connect on tcp_socket for virt_port_t, i.e. outbound TCP
## connections to a port labeled virt_port_t. No other permission is
## granted; sending and receiving on the port is covered by
## corenet_tcp_sendrecv_virt_port.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`corenet_tcp_connect_virt_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_virt_port'($*)) dnl
gen_require(`
type virt_port_t;
')
allow $1 virt_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_virt_port'($*)) dnl
')
########################################
##
## Send virt_client packets.
##
## Allows the domain to send packets labeled virt_client_packet_t
## (packet class, send permission). The packet type is declared via
## gen_require so the rule can also be emitted from a loadable module.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`corenet_send_virt_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_virt_client_packets'($*)) dnl
gen_require(`
type virt_client_packet_t;
')
allow $1 virt_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_virt_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send virt_client packets.
##
## Emits a dontaudit rule for packet send on virt_client_packet_t: denied
## attempts are not logged and no access is granted. Suppressed denials are
## invisible to audit-based detection, so use this only for known-benign
## noise.
##
## Parameters:
## 1. Domain to not audit.
##
#
define(`corenet_dontaudit_send_virt_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_virt_client_packets'($*)) dnl
gen_require(`
type virt_client_packet_t;
')
dontaudit $1 virt_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_virt_client_packets'($*)) dnl
')
########################################
##
## Receive virt_client packets.
##
## Allows the domain to receive packets labeled virt_client_packet_t
## (packet class, recv permission). The packet type is declared via
## gen_require so the rule can also be emitted from a loadable module.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`corenet_receive_virt_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_virt_client_packets'($*)) dnl
gen_require(`
type virt_client_packet_t;
')
allow $1 virt_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_virt_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive virt_client packets.
##
## Emits a dontaudit rule for packet recv on virt_client_packet_t: denied
## attempts are not logged and no access is granted (the parameter
## description below was corrected; this interface does not allow access).
## Suppressed denials are invisible to audit-based detection, so use this
## only for known-benign noise.
##
## Parameters:
## 1. Domain to not audit.
##
#
define(`corenet_dontaudit_receive_virt_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_virt_client_packets'($*)) dnl
gen_require(`
type virt_client_packet_t;
')
dontaudit $1 virt_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_virt_client_packets'($*)) dnl
')
########################################
##
## Send and receive virt_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_virt_client_packets',` dnl
dnl Interface body: convenience wrapper that expands the send and receive interfaces for the same domain argument; it emits no rule of its own.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Entry bookkeeping: push the incremented depth so the nested interfaces expand one level deeper in the begin and end markers.
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_virt_client_packets'($*)) dnl
corenet_send_virt_client_packets($1)
corenet_receive_virt_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit bookkeeping pushes the decremented depth rather than popping, matching the entry path.
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_virt_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive virt_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_virt_client_packets',` dnl
dnl Interface body: wrapper that expands both dontaudit interfaces for the same domain argument; no rule of its own. Suppressed denials will not reach the audit log.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Entry bookkeeping: push the incremented depth used by the begin and end markers.
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_virt_client_packets'($*)) dnl
corenet_dontaudit_send_virt_client_packets($1)
corenet_dontaudit_receive_virt_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit bookkeeping pushes the decremented depth rather than popping.
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_virt_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the virt_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_virt_client_packets',` dnl
dnl Interface body: grant the domain given as the first argument relabelto on the packet class for virt_client_packet_t, i.e. the domain may assign this label to packets.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Entry bookkeeping: push the incremented call depth used by the begin and end markers.
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_virt_client_packets'($*)) dnl
dnl gen_require optionally emits a require block for the packet type.
gen_require(`
type virt_client_packet_t;
')
dnl Review note: relabel rights are a labeling-integrity boundary; grant to packet-labeling daemons only.
allow $1 virt_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit bookkeeping pushes the decremented depth rather than popping.
policy_m4_comment(policy_call_depth,end `corenet_relabelto_virt_client_packets'($*)) dnl
')
########################################
##
## Send virt_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_virt_server_packets',` dnl
dnl Interface body: grant the domain given as the first argument the send permission on packets labeled virt_server_packet_t.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Entry bookkeeping: push the incremented call depth consumed by the begin and end markers.
policy_m4_comment(policy_call_depth,begin `corenet_send_virt_server_packets'($*)) dnl
dnl gen_require optionally emits a require block so the packet type resolves in a loadable module build.
gen_require(`
type virt_server_packet_t;
')
allow $1 virt_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit bookkeeping pushes the decremented depth rather than popping, matching the entry path.
policy_m4_comment(policy_call_depth,end `corenet_send_virt_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send virt_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_virt_server_packets',` dnl
dnl Interface body: suppress AVC audit records when the domain given as the first argument tries to send virt_server_packet_t packets. Access remains denied.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Entry bookkeeping: push the incremented call depth used by the begin and end markers.
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_virt_server_packets'($*)) dnl
dnl gen_require optionally emits a require block for the packet type.
gen_require(`
type virt_server_packet_t;
')
dnl Review note: denials covered by this rule are dropped from the audit trail.
dontaudit $1 virt_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit bookkeeping pushes the decremented depth rather than popping.
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_virt_server_packets'($*)) dnl
')
########################################
##
## Receive virt_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_virt_server_packets',` dnl
dnl Interface body: grant the domain given as the first argument the recv permission on packets labeled virt_server_packet_t.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Entry bookkeeping: push the incremented call depth consumed by the begin and end markers.
policy_m4_comment(policy_call_depth,begin `corenet_receive_virt_server_packets'($*)) dnl
dnl gen_require optionally emits a require block for the packet type.
gen_require(`
type virt_server_packet_t;
')
allow $1 virt_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit bookkeeping pushes the decremented depth rather than popping.
policy_m4_comment(policy_call_depth,end `corenet_receive_virt_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive virt_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_virt_server_packets',` dnl
dnl Interface body: suppress AVC audit records when the domain given as the first argument tries to receive virt_server_packet_t packets. Access remains denied.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Entry bookkeeping: push the incremented call depth used by the begin and end markers.
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_virt_server_packets'($*)) dnl
dnl gen_require optionally emits a require block for the packet type.
gen_require(`
type virt_server_packet_t;
')
dnl Review note: denials covered by this rule are dropped from the audit trail.
dontaudit $1 virt_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit bookkeeping pushes the decremented depth rather than popping.
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_virt_server_packets'($*)) dnl
')
########################################
##
## Send and receive virt_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_virt_server_packets',` dnl
dnl Interface body: wrapper that expands the send and receive interfaces for the same domain argument; no rule of its own.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Entry bookkeeping: push the incremented depth so the nested interfaces appear one level deeper in the markers.
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_virt_server_packets'($*)) dnl
corenet_send_virt_server_packets($1)
corenet_receive_virt_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit bookkeeping pushes the decremented depth rather than popping.
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_virt_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive virt_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_virt_server_packets',` dnl
dnl Interface body: wrapper that expands both dontaudit interfaces for the same domain argument; no rule of its own.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Entry bookkeeping: push the incremented depth used by the begin and end markers.
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_virt_server_packets'($*)) dnl
corenet_dontaudit_send_virt_server_packets($1)
corenet_dontaudit_receive_virt_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit bookkeeping pushes the decremented depth rather than popping.
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_virt_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the virt_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_virt_server_packets',` dnl
dnl Interface body: grant the domain given as the first argument relabelto on the packet class for virt_server_packet_t.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Entry bookkeeping: push the incremented call depth used by the begin and end markers.
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_virt_server_packets'($*)) dnl
dnl gen_require optionally emits a require block for the packet type.
gen_require(`
type virt_server_packet_t;
')
dnl Review note: relabel rights are a labeling-integrity boundary; grant to packet-labeling daemons only.
allow $1 virt_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit bookkeeping pushes the decremented depth rather than popping.
policy_m4_comment(policy_call_depth,end `corenet_relabelto_virt_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the vnc port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_vnc_port',` dnl
dnl Interface body: grant the domain given as the first argument send_msg and recv_msg on tcp_socket for vnc_port_t. This covers traffic on the port, not bind or connect.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Entry bookkeeping: push the incremented call depth used by the begin and end markers.
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_vnc_port'($*)) dnl
dnl gen_require optionally emits a require block so the port type resolves in a loadable module build.
gen_require(`
type vnc_port_t;
')
allow $1 vnc_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit bookkeeping pushes the decremented depth rather than popping.
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_vnc_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the vnc port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_vnc_port',` dnl
dnl Interface body: grant the domain given as the first argument send_msg on udp_socket for vnc_port_t.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Entry bookkeeping: push the incremented call depth used by the begin and end markers.
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_vnc_port'($*)) dnl
dnl gen_require optionally emits a require block for the port type.
gen_require(`
type vnc_port_t;
')
allow $1 vnc_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit bookkeeping pushes the decremented depth rather than popping.
policy_m4_comment(policy_call_depth,end `corenet_udp_send_vnc_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the vnc port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_vnc_port',` dnl
dnl Interface body: suppress AVC audit records when the domain given as the first argument tries to send UDP on vnc_port_t. Access remains denied.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Entry bookkeeping: push the incremented call depth used by the begin and end markers.
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_vnc_port'($*)) dnl
dnl gen_require optionally emits a require block for the port type.
gen_require(`
type vnc_port_t;
')
dnl Review note: denials covered by this rule are dropped from the audit trail.
dontaudit $1 vnc_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit bookkeeping pushes the decremented depth rather than popping.
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_vnc_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the vnc port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_vnc_port',` dnl
dnl Interface body: grant the domain given as the first argument recv_msg on udp_socket for vnc_port_t.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Entry bookkeeping: push the incremented call depth used by the begin and end markers.
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_vnc_port'($*)) dnl
dnl gen_require optionally emits a require block for the port type.
gen_require(`
type vnc_port_t;
')
allow $1 vnc_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit bookkeeping pushes the decremented depth rather than popping.
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_vnc_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the vnc port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_vnc_port',` dnl
dnl Interface body: suppress AVC audit records when the domain given as the first argument tries to receive UDP on vnc_port_t. Access remains denied.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Entry bookkeeping: push the incremented call depth used by the begin and end markers.
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_vnc_port'($*)) dnl
dnl gen_require optionally emits a require block for the port type.
gen_require(`
type vnc_port_t;
')
dnl Review note: denials covered by this rule are dropped from the audit trail.
dontaudit $1 vnc_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit bookkeeping pushes the decremented depth rather than popping.
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_vnc_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the vnc port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_vnc_port',` dnl
dnl Interface body: wrapper that expands the UDP send and receive interfaces for the same domain argument; no rule of its own.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Entry bookkeeping: push the incremented depth so the nested interfaces appear one level deeper in the markers.
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_vnc_port'($*)) dnl
corenet_udp_send_vnc_port($1)
corenet_udp_receive_vnc_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit bookkeeping pushes the decremented depth rather than popping.
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_vnc_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the vnc port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_vnc_port',` dnl
dnl Interface body: wrapper that expands both UDP dontaudit interfaces for the same domain argument; no rule of its own.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Entry bookkeeping: push the incremented depth used by the begin and end markers.
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_vnc_port'($*)) dnl
corenet_dontaudit_udp_send_vnc_port($1)
corenet_dontaudit_udp_receive_vnc_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit bookkeeping pushes the decremented depth rather than popping.
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_vnc_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the vnc port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_vnc_port',` dnl
dnl Interface body: grant the domain given as the first argument name_bind on tcp_socket for vnc_port_t, i.e. permission to listen on the port.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Entry bookkeeping: push the incremented call depth used by the begin and end markers.
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_vnc_port'($*)) dnl
dnl gen_require optionally emits a require block for the port type.
gen_require(`
type vnc_port_t;
')
dnl Review note: bind rights define which domains may act as a server on this port; keep the set small.
allow $1 vnc_port_t:tcp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit bookkeeping pushes the decremented depth rather than popping.
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_vnc_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the vnc port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_vnc_port',` dnl
dnl Interface body: grant the domain given as the first argument name_bind on udp_socket for vnc_port_t.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Entry bookkeeping: push the incremented call depth used by the begin and end markers.
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_vnc_port'($*)) dnl
dnl gen_require optionally emits a require block for the port type.
gen_require(`
type vnc_port_t;
')
allow $1 vnc_port_t:udp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit bookkeeping pushes the decremented depth rather than popping.
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_vnc_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the vnc port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_vnc_port',` dnl
dnl Interface body: grant the domain given as the first argument name_connect on tcp_socket for vnc_port_t, i.e. outbound TCP connections to the port.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Entry bookkeeping: push the incremented call depth used by the begin and end markers.
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_vnc_port'($*)) dnl
dnl gen_require optionally emits a require block for the port type.
gen_require(`
type vnc_port_t;
')
allow $1 vnc_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit bookkeeping pushes the decremented depth rather than popping.
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_vnc_port'($*)) dnl
')
########################################
##
## Send vnc_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_vnc_client_packets',` dnl
dnl Interface body: grant the domain given as the first argument the send permission on packets labeled vnc_client_packet_t.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Entry bookkeeping: push the incremented call depth used by the begin and end markers.
policy_m4_comment(policy_call_depth,begin `corenet_send_vnc_client_packets'($*)) dnl
dnl gen_require optionally emits a require block for the packet type.
gen_require(`
type vnc_client_packet_t;
')
allow $1 vnc_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit bookkeeping pushes the decremented depth rather than popping.
policy_m4_comment(policy_call_depth,end `corenet_send_vnc_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send vnc_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_vnc_client_packets',` dnl
dnl Interface body: suppress AVC audit records when the domain given as the first argument tries to send vnc_client_packet_t packets. Access remains denied.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Entry bookkeeping: push the incremented call depth used by the begin and end markers.
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_vnc_client_packets'($*)) dnl
dnl gen_require optionally emits a require block for the packet type.
gen_require(`
type vnc_client_packet_t;
')
dnl Review note: denials covered by this rule are dropped from the audit trail.
dontaudit $1 vnc_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit bookkeeping pushes the decremented depth rather than popping.
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_vnc_client_packets'($*)) dnl
')
########################################
##
## Receive vnc_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_vnc_client_packets',` dnl
dnl Interface body: grant the domain given as the first argument the recv permission on packets labeled vnc_client_packet_t.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Entry bookkeeping: push the incremented call depth used by the begin and end markers.
policy_m4_comment(policy_call_depth,begin `corenet_receive_vnc_client_packets'($*)) dnl
dnl gen_require optionally emits a require block for the packet type.
gen_require(`
type vnc_client_packet_t;
')
allow $1 vnc_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit bookkeeping pushes the decremented depth rather than popping.
policy_m4_comment(policy_call_depth,end `corenet_receive_vnc_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive vnc_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_vnc_client_packets',` dnl
dnl Interface body: suppress AVC audit records when the domain given as the first argument tries to receive vnc_client_packet_t packets. Access remains denied.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Entry bookkeeping: push the incremented call depth used by the begin and end markers.
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_vnc_client_packets'($*)) dnl
dnl gen_require optionally emits a require block for the packet type.
gen_require(`
type vnc_client_packet_t;
')
dnl Review note: denials covered by this rule are dropped from the audit trail.
dontaudit $1 vnc_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit bookkeeping pushes the decremented depth rather than popping.
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_vnc_client_packets'($*)) dnl
')
########################################
##
## Send and receive vnc_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_vnc_client_packets',` dnl
dnl Interface body: wrapper that expands the send and receive interfaces for the same domain argument; no rule of its own.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Entry bookkeeping: push the incremented depth so the nested interfaces appear one level deeper in the markers.
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_vnc_client_packets'($*)) dnl
corenet_send_vnc_client_packets($1)
corenet_receive_vnc_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit bookkeeping pushes the decremented depth rather than popping.
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_vnc_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive vnc_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_vnc_client_packets',` dnl
dnl Interface body: wrapper that expands both dontaudit interfaces for the same domain argument; no rule of its own.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Entry bookkeeping: push the incremented depth used by the begin and end markers.
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_vnc_client_packets'($*)) dnl
corenet_dontaudit_send_vnc_client_packets($1)
corenet_dontaudit_receive_vnc_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit bookkeeping pushes the decremented depth rather than popping.
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_vnc_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the vnc_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_vnc_client_packets',` dnl
dnl Interface body: grant the domain given as the first argument relabelto on the packet class for vnc_client_packet_t.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Entry bookkeeping: push the incremented call depth used by the begin and end markers.
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_vnc_client_packets'($*)) dnl
dnl gen_require optionally emits a require block for the packet type.
gen_require(`
type vnc_client_packet_t;
')
dnl Review note: relabel rights are a labeling-integrity boundary; grant to packet-labeling daemons only.
allow $1 vnc_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit bookkeeping pushes the decremented depth rather than popping.
policy_m4_comment(policy_call_depth,end `corenet_relabelto_vnc_client_packets'($*)) dnl
')
########################################
##
## Send vnc_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_vnc_server_packets',` dnl
dnl Interface body: grant the domain given as the first argument the send permission on packets labeled vnc_server_packet_t.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Entry bookkeeping: push the incremented call depth used by the begin and end markers.
policy_m4_comment(policy_call_depth,begin `corenet_send_vnc_server_packets'($*)) dnl
dnl gen_require optionally emits a require block for the packet type.
gen_require(`
type vnc_server_packet_t;
')
allow $1 vnc_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit bookkeeping pushes the decremented depth rather than popping.
policy_m4_comment(policy_call_depth,end `corenet_send_vnc_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send vnc_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_vnc_server_packets',` dnl
dnl Interface body: suppress AVC audit records when the domain given as the first argument tries to send vnc_server_packet_t packets. Access remains denied.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Entry bookkeeping: push the incremented call depth used by the begin and end markers.
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_vnc_server_packets'($*)) dnl
dnl gen_require optionally emits a require block for the packet type.
gen_require(`
type vnc_server_packet_t;
')
dnl Review note: denials covered by this rule are dropped from the audit trail.
dontaudit $1 vnc_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit bookkeeping pushes the decremented depth rather than popping.
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_vnc_server_packets'($*)) dnl
')
########################################
##
## Receive vnc_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_vnc_server_packets',` dnl
dnl Interface body: grant the domain given as the first argument the recv permission on packets labeled vnc_server_packet_t.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Entry bookkeeping: push the incremented call depth used by the begin and end markers.
policy_m4_comment(policy_call_depth,begin `corenet_receive_vnc_server_packets'($*)) dnl
dnl gen_require optionally emits a require block for the packet type.
gen_require(`
type vnc_server_packet_t;
')
allow $1 vnc_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit bookkeeping pushes the decremented depth rather than popping.
policy_m4_comment(policy_call_depth,end `corenet_receive_vnc_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive vnc_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_vnc_server_packets',` dnl
dnl Interface body: suppress AVC audit records when the domain given as the first argument tries to receive vnc_server_packet_t packets. Access remains denied.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Entry bookkeeping: push the incremented call depth used by the begin and end markers.
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_vnc_server_packets'($*)) dnl
dnl gen_require optionally emits a require block for the packet type.
gen_require(`
type vnc_server_packet_t;
')
dnl Review note: denials covered by this rule are dropped from the audit trail.
dontaudit $1 vnc_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit bookkeeping pushes the decremented depth rather than popping.
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_vnc_server_packets'($*)) dnl
')
########################################
##
## Send and receive vnc_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_vnc_server_packets',` dnl
dnl Interface body: wrapper that expands the send and receive interfaces for the same domain argument; no rule of its own.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Entry bookkeeping: push the incremented depth so the nested interfaces appear one level deeper in the markers.
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_vnc_server_packets'($*)) dnl
corenet_send_vnc_server_packets($1)
corenet_receive_vnc_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit bookkeeping pushes the decremented depth rather than popping.
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_vnc_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive vnc_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_vnc_server_packets',` dnl
dnl Interface body: wrapper that expands both dontaudit interfaces for the same domain argument; no rule of its own.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Entry bookkeeping: push the incremented depth used by the begin and end markers.
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_vnc_server_packets'($*)) dnl
corenet_dontaudit_send_vnc_server_packets($1)
corenet_dontaudit_receive_vnc_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit bookkeeping pushes the decremented depth rather than popping.
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_vnc_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the vnc_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_vnc_server_packets',` dnl
dnl Interface body: grant the domain given as the first argument relabelto on the packet class for vnc_server_packet_t.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Entry bookkeeping: push the incremented call depth used by the begin and end markers.
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_vnc_server_packets'($*)) dnl
dnl gen_require optionally emits a require block for the packet type.
gen_require(`
type vnc_server_packet_t;
')
dnl Review note: relabel rights are a labeling-integrity boundary; grant to packet-labeling daemons only.
allow $1 vnc_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit bookkeeping pushes the decremented depth rather than popping.
policy_m4_comment(policy_call_depth,end `corenet_relabelto_vnc_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the wccp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_wccp_port',` dnl
dnl Interface body: grant the domain given as the first argument send_msg and recv_msg on tcp_socket for wccp_port_t. Traffic only; bind and connect are separate interfaces.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Entry bookkeeping: push the incremented call depth used by the begin and end markers.
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_wccp_port'($*)) dnl
dnl gen_require optionally emits a require block for the port type.
gen_require(`
type wccp_port_t;
')
allow $1 wccp_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit bookkeeping pushes the decremented depth rather than popping.
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_wccp_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the wccp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_wccp_port',` dnl
dnl Interface body: grant the domain given as the first argument send_msg on udp_socket for wccp_port_t.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Entry bookkeeping: push the incremented call depth used by the begin and end markers.
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_wccp_port'($*)) dnl
dnl gen_require optionally emits a require block for the port type.
gen_require(`
type wccp_port_t;
')
allow $1 wccp_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit bookkeeping pushes the decremented depth rather than popping.
policy_m4_comment(policy_call_depth,end `corenet_udp_send_wccp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the wccp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_wccp_port',` dnl
dnl Interface body: suppress AVC audit records when the domain given as the first argument tries to send UDP on wccp_port_t. Access remains denied.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Entry bookkeeping: push the incremented call depth used by the begin and end markers.
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_wccp_port'($*)) dnl
dnl gen_require optionally emits a require block for the port type.
gen_require(`
type wccp_port_t;
')
dnl Review note: denials covered by this rule are dropped from the audit trail.
dontaudit $1 wccp_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit bookkeeping pushes the decremented depth rather than popping.
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_wccp_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the wccp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_wccp_port',` dnl
dnl Interface body: grant the domain given as the first argument recv_msg on udp_socket for wccp_port_t.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Entry bookkeeping: push the incremented call depth used by the begin and end markers.
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_wccp_port'($*)) dnl
dnl gen_require optionally emits a require block for the port type.
gen_require(`
type wccp_port_t;
')
allow $1 wccp_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit bookkeeping pushes the decremented depth rather than popping.
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_wccp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the wccp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_wccp_port',` dnl
dnl Interface body: suppress AVC audit records when the domain given as the first argument tries to receive UDP on wccp_port_t. Access remains denied.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Entry bookkeeping: push the incremented call depth used by the begin and end markers.
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_wccp_port'($*)) dnl
dnl gen_require optionally emits a require block for the port type.
gen_require(`
type wccp_port_t;
')
dnl Review note: denials covered by this rule are dropped from the audit trail.
dontaudit $1 wccp_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit bookkeeping pushes the decremented depth rather than popping.
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_wccp_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the wccp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_wccp_port',` dnl
dnl Interface body: wrapper that expands the UDP send and receive interfaces for the same domain argument; no rule of its own.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Entry bookkeeping: push the incremented depth so the nested interfaces appear one level deeper in the markers.
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_wccp_port'($*)) dnl
corenet_udp_send_wccp_port($1)
corenet_udp_receive_wccp_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit bookkeeping pushes the decremented depth rather than popping.
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_wccp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the wccp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_wccp_port',` dnl
dnl Interface body: wrapper that expands both UDP dontaudit interfaces for the same domain argument; no rule of its own.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Entry bookkeeping: push the incremented depth used by the begin and end markers.
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_wccp_port'($*)) dnl
corenet_dontaudit_udp_send_wccp_port($1)
corenet_dontaudit_udp_receive_wccp_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit bookkeeping pushes the decremented depth rather than popping.
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_wccp_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the wccp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_wccp_port',` dnl
dnl Interface body: grant the domain given as the first argument name_bind on tcp_socket for wccp_port_t, i.e. permission to listen on the port.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Entry bookkeeping: push the incremented call depth used by the begin and end markers.
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_wccp_port'($*)) dnl
dnl gen_require optionally emits a require block for the port type.
gen_require(`
type wccp_port_t;
')
dnl Review note: bind rights define which domains may act as a server on this port; keep the set small.
allow $1 wccp_port_t:tcp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit bookkeeping pushes the decremented depth rather than popping.
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_wccp_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the wccp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_wccp_port',` dnl
dnl Interface body: grant the domain given as the first argument name_bind on udp_socket for wccp_port_t.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Entry bookkeeping: push the incremented call depth used by the begin and end markers.
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_wccp_port'($*)) dnl
dnl gen_require optionally emits a require block for the port type.
gen_require(`
type wccp_port_t;
')
allow $1 wccp_port_t:udp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit bookkeeping pushes the decremented depth rather than popping.
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_wccp_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the wccp port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_wccp_port',` dnl
dnl Interface body: grant the domain given as the first argument name_connect on tcp_socket for wccp_port_t, i.e. outbound TCP connections to the port.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Entry bookkeeping: push the incremented call depth used by the begin and end markers.
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_wccp_port'($*)) dnl
dnl gen_require optionally emits a require block for the port type.
gen_require(`
type wccp_port_t;
')
allow $1 wccp_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit bookkeeping pushes the decremented depth rather than popping.
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_wccp_port'($*)) dnl
')
########################################
##
## Send wccp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_wccp_client_packets',` dnl
dnl Interface body: grant the domain given as the first argument the send permission on packets labeled wccp_client_packet_t.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Entry bookkeeping: push the incremented call depth used by the begin and end markers.
policy_m4_comment(policy_call_depth,begin `corenet_send_wccp_client_packets'($*)) dnl
dnl gen_require optionally emits a require block for the packet type.
gen_require(`
type wccp_client_packet_t;
')
allow $1 wccp_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit bookkeeping pushes the decremented depth rather than popping.
policy_m4_comment(policy_call_depth,end `corenet_send_wccp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send wccp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_wccp_client_packets',` dnl
dnl Interface body: suppress AVC audit records when the domain given as the first argument tries to send wccp_client_packet_t packets. Access remains denied.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Entry bookkeeping: push the incremented call depth used by the begin and end markers.
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_wccp_client_packets'($*)) dnl
dnl gen_require optionally emits a require block for the packet type.
gen_require(`
type wccp_client_packet_t;
')
dnl Review note: denials covered by this rule are dropped from the audit trail.
dontaudit $1 wccp_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
dnl Exit bookkeeping pushes the decremented depth rather than popping.
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_wccp_client_packets'($*)) dnl
')
########################################
##
## Receive wccp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_wccp_client_packets',` dnl
dnl corenet_receive_wccp_client_packets(domain)
dnl Argument 1: domain granted the packet-class recv permission on packets
dnl labeled wccp_client_packet_t.  gen_require declares the referenced type.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_wccp_client_packets'($*)) dnl
gen_require(`
type wccp_client_packet_t;
')
allow $1 wccp_client_packet_t:packet recv;
dnl Depth is restored by pushing the decremented value (no popdef here).
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_wccp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive wccp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_wccp_client_packets',` dnl
dnl corenet_dontaudit_receive_wccp_client_packets(domain)
dnl Argument 1: domain whose denied packet recv on wccp_client_packet_t is
dnl not audited.  Nothing is granted; only the denial record is suppressed.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_wccp_client_packets'($*)) dnl
gen_require(`
type wccp_client_packet_t;
')
dontaudit $1 wccp_client_packet_t:packet recv;
dnl Depth is restored by pushing the decremented value (no popdef here).
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_wccp_client_packets'($*)) dnl
')
########################################
##
## Send and receive wccp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_wccp_client_packets',` dnl
dnl corenet_sendrecv_wccp_client_packets(domain)
dnl Wrapper: expands the send and receive interfaces for wccp_client packets
dnl with argument 1.  No gen_require here; each callee declares its own type.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_wccp_client_packets'($*)) dnl
corenet_send_wccp_client_packets($1)
corenet_receive_wccp_client_packets($1)
dnl Depth is restored by pushing the decremented value (no popdef here).
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_wccp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive wccp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_wccp_client_packets',` dnl
dnl corenet_dontaudit_sendrecv_wccp_client_packets(domain)
dnl Wrapper: expands the dontaudit send and receive interfaces for
dnl wccp_client packets with argument 1.  Grants nothing; suppresses audit.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_wccp_client_packets'($*)) dnl
corenet_dontaudit_send_wccp_client_packets($1)
corenet_dontaudit_receive_wccp_client_packets($1)
dnl Depth is restored by pushing the decremented value (no popdef here).
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_wccp_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the wccp_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_wccp_client_packets',` dnl
dnl corenet_relabelto_wccp_client_packets(domain)
dnl Argument 1: domain granted packet-class relabelto for the target label
dnl wccp_client_packet_t.  Relabeling changes which packet rules apply
dnl afterwards, so this is a broader grant than plain send/recv.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_wccp_client_packets'($*)) dnl
gen_require(`
type wccp_client_packet_t;
')
allow $1 wccp_client_packet_t:packet relabelto;
dnl Depth is restored by pushing the decremented value (no popdef here).
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_wccp_client_packets'($*)) dnl
')
########################################
##
## Send wccp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_wccp_server_packets',` dnl
dnl corenet_send_wccp_server_packets(domain)
dnl Argument 1: domain granted the packet-class send permission on packets
dnl labeled wccp_server_packet_t.  gen_require declares the referenced type.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_wccp_server_packets'($*)) dnl
gen_require(`
type wccp_server_packet_t;
')
allow $1 wccp_server_packet_t:packet send;
dnl Depth is restored by pushing the decremented value (no popdef here).
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_wccp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send wccp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_wccp_server_packets',` dnl
dnl corenet_dontaudit_send_wccp_server_packets(domain)
dnl Argument 1: domain whose denied packet send on wccp_server_packet_t is
dnl not audited.  Nothing is granted; only the denial record is suppressed.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_wccp_server_packets'($*)) dnl
gen_require(`
type wccp_server_packet_t;
')
dontaudit $1 wccp_server_packet_t:packet send;
dnl Depth is restored by pushing the decremented value (no popdef here).
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_wccp_server_packets'($*)) dnl
')
########################################
##
## Receive wccp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_wccp_server_packets',` dnl
dnl corenet_receive_wccp_server_packets(domain)
dnl Argument 1: domain granted the packet-class recv permission on packets
dnl labeled wccp_server_packet_t.  gen_require declares the referenced type.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_wccp_server_packets'($*)) dnl
gen_require(`
type wccp_server_packet_t;
')
allow $1 wccp_server_packet_t:packet recv;
dnl Depth is restored by pushing the decremented value (no popdef here).
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_wccp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive wccp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_wccp_server_packets',` dnl
dnl corenet_dontaudit_receive_wccp_server_packets(domain)
dnl Argument 1: domain whose denied packet recv on wccp_server_packet_t is
dnl not audited.  Nothing is granted; only the denial record is suppressed.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_wccp_server_packets'($*)) dnl
gen_require(`
type wccp_server_packet_t;
')
dontaudit $1 wccp_server_packet_t:packet recv;
dnl Depth is restored by pushing the decremented value (no popdef here).
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_wccp_server_packets'($*)) dnl
')
########################################
##
## Send and receive wccp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_wccp_server_packets',` dnl
dnl corenet_sendrecv_wccp_server_packets(domain)
dnl Wrapper: expands the send and receive interfaces for wccp_server packets
dnl with argument 1.  No gen_require here; each callee declares its own type.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_wccp_server_packets'($*)) dnl
corenet_send_wccp_server_packets($1)
corenet_receive_wccp_server_packets($1)
dnl Depth is restored by pushing the decremented value (no popdef here).
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_wccp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive wccp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_wccp_server_packets',` dnl
dnl corenet_dontaudit_sendrecv_wccp_server_packets(domain)
dnl Wrapper: expands the dontaudit send and receive interfaces for
dnl wccp_server packets with argument 1.  Grants nothing; suppresses audit.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_wccp_server_packets'($*)) dnl
corenet_dontaudit_send_wccp_server_packets($1)
corenet_dontaudit_receive_wccp_server_packets($1)
dnl Depth is restored by pushing the decremented value (no popdef here).
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_wccp_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the wccp_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_wccp_server_packets',` dnl
dnl corenet_relabelto_wccp_server_packets(domain)
dnl Argument 1: domain granted packet-class relabelto for the target label
dnl wccp_server_packet_t.  Relabeling changes which packet rules apply
dnl afterwards, so this is a broader grant than plain send/recv.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_wccp_server_packets'($*)) dnl
gen_require(`
type wccp_server_packet_t;
')
allow $1 wccp_server_packet_t:packet relabelto;
dnl Depth is restored by pushing the decremented value (no popdef here).
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_wccp_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the xen port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_xen_port',` dnl
dnl corenet_tcp_sendrecv_xen_port(domain)
dnl Argument 1: domain granted send_msg and recv_msg on tcp_socket objects
dnl labeled xen_port_t.  This is traffic permission only; binding and
dnl connecting are separate interfaces.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_xen_port'($*)) dnl
gen_require(`
type xen_port_t;
')
allow $1 xen_port_t:tcp_socket { send_msg recv_msg };
dnl Depth is restored by pushing the decremented value (no popdef here).
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_xen_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the xen port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_xen_port',` dnl
dnl corenet_udp_send_xen_port(domain)
dnl Argument 1: domain granted send_msg on udp_socket objects labeled
dnl xen_port_t.  gen_require declares the referenced type.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_xen_port'($*)) dnl
gen_require(`
type xen_port_t;
')
allow $1 xen_port_t:udp_socket send_msg;
dnl Depth is restored by pushing the decremented value (no popdef here).
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_xen_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the xen port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_xen_port',` dnl
dnl corenet_dontaudit_udp_send_xen_port(domain)
dnl Argument 1: domain whose denied udp_socket send_msg on xen_port_t is not
dnl audited.  Nothing is granted; only the denial record is suppressed.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_xen_port'($*)) dnl
gen_require(`
type xen_port_t;
')
dontaudit $1 xen_port_t:udp_socket send_msg;
dnl Depth is restored by pushing the decremented value (no popdef here).
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_xen_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the xen port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_xen_port',` dnl
dnl corenet_udp_receive_xen_port(domain)
dnl Argument 1: domain granted recv_msg on udp_socket objects labeled
dnl xen_port_t.  gen_require declares the referenced type.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_xen_port'($*)) dnl
gen_require(`
type xen_port_t;
')
allow $1 xen_port_t:udp_socket recv_msg;
dnl Depth is restored by pushing the decremented value (no popdef here).
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_xen_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the xen port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_xen_port',` dnl
dnl corenet_dontaudit_udp_receive_xen_port(domain)
dnl Argument 1: domain whose denied udp_socket recv_msg on xen_port_t is not
dnl audited.  Nothing is granted; only the denial record is suppressed.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_xen_port'($*)) dnl
gen_require(`
type xen_port_t;
')
dontaudit $1 xen_port_t:udp_socket recv_msg;
dnl Depth is restored by pushing the decremented value (no popdef here).
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_xen_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the xen port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_xen_port',` dnl
dnl corenet_udp_sendrecv_xen_port(domain)
dnl Wrapper: expands the UDP send and receive interfaces for the xen port
dnl with argument 1.  No gen_require here; each callee declares its own type.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_xen_port'($*)) dnl
corenet_udp_send_xen_port($1)
corenet_udp_receive_xen_port($1)
dnl Depth is restored by pushing the decremented value (no popdef here).
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_xen_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the xen port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_xen_port',` dnl
dnl corenet_dontaudit_udp_sendrecv_xen_port(domain)
dnl Wrapper: expands the dontaudit UDP send and receive interfaces for the
dnl xen port with argument 1.  Grants nothing; suppresses audit only.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_xen_port'($*)) dnl
corenet_dontaudit_udp_send_xen_port($1)
corenet_dontaudit_udp_receive_xen_port($1)
dnl Depth is restored by pushing the decremented value (no popdef here).
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_xen_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the xen port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_xen_port',` dnl
dnl corenet_tcp_bind_xen_port(domain)
dnl Argument 1: domain granted name_bind on tcp_socket objects labeled
dnl xen_port_t, i.e. it may listen on the xen port.  Binding is a server-side
dnl privilege; keep it out of domains that only need to connect.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_xen_port'($*)) dnl
gen_require(`
type xen_port_t;
')
allow $1 xen_port_t:tcp_socket name_bind;
dnl Depth is restored by pushing the decremented value (no popdef here).
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_xen_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the xen port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_xen_port',` dnl
dnl corenet_udp_bind_xen_port(domain)
dnl Argument 1: domain granted name_bind on udp_socket objects labeled
dnl xen_port_t, i.e. it may bind the xen port.  gen_require declares the type.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_xen_port'($*)) dnl
gen_require(`
type xen_port_t;
')
allow $1 xen_port_t:udp_socket name_bind;
dnl Depth is restored by pushing the decremented value (no popdef here).
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_xen_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the xen port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_xen_port',` dnl
dnl corenet_tcp_connect_xen_port(domain)
dnl Argument 1: domain granted name_connect on tcp_socket objects labeled
dnl xen_port_t, i.e. outbound TCP connections to the xen port.
dnl gen_require declares the type the rule references.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_xen_port'($*)) dnl
gen_require(`
type xen_port_t;
')
allow $1 xen_port_t:tcp_socket name_connect;
dnl Depth is restored by pushing the decremented value (no popdef here).
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_xen_port'($*)) dnl
')
########################################
##
## Send xen_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_xen_client_packets',` dnl
dnl corenet_send_xen_client_packets(domain)
dnl Argument 1: domain granted the packet-class send permission on packets
dnl labeled xen_client_packet_t.  gen_require declares the referenced type.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_xen_client_packets'($*)) dnl
gen_require(`
type xen_client_packet_t;
')
allow $1 xen_client_packet_t:packet send;
dnl Depth is restored by pushing the decremented value (no popdef here).
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_xen_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send xen_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_xen_client_packets',` dnl
dnl corenet_dontaudit_send_xen_client_packets(domain)
dnl Argument 1: domain whose denied packet send on xen_client_packet_t is
dnl not audited.  Nothing is granted; only the denial record is suppressed.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_xen_client_packets'($*)) dnl
gen_require(`
type xen_client_packet_t;
')
dontaudit $1 xen_client_packet_t:packet send;
dnl Depth is restored by pushing the decremented value (no popdef here).
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_xen_client_packets'($*)) dnl
')
########################################
##
## Receive xen_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_xen_client_packets',` dnl
dnl corenet_receive_xen_client_packets(domain)
dnl Argument 1: domain granted the packet-class recv permission on packets
dnl labeled xen_client_packet_t.  gen_require declares the referenced type.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_xen_client_packets'($*)) dnl
gen_require(`
type xen_client_packet_t;
')
allow $1 xen_client_packet_t:packet recv;
dnl Depth is restored by pushing the decremented value (no popdef here).
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_xen_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive xen_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_xen_client_packets',` dnl
dnl corenet_dontaudit_receive_xen_client_packets(domain)
dnl Argument 1: domain whose denied packet recv on xen_client_packet_t is
dnl not audited.  Nothing is granted; only the denial record is suppressed.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_xen_client_packets'($*)) dnl
gen_require(`
type xen_client_packet_t;
')
dontaudit $1 xen_client_packet_t:packet recv;
dnl Depth is restored by pushing the decremented value (no popdef here).
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_xen_client_packets'($*)) dnl
')
########################################
##
## Send and receive xen_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_xen_client_packets',` dnl
dnl corenet_sendrecv_xen_client_packets(domain)
dnl Wrapper: expands the send and receive interfaces for xen_client packets
dnl with argument 1.  No gen_require here; each callee declares its own type.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_xen_client_packets'($*)) dnl
corenet_send_xen_client_packets($1)
corenet_receive_xen_client_packets($1)
dnl Depth is restored by pushing the decremented value (no popdef here).
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_xen_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive xen_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_xen_client_packets',` dnl
dnl corenet_dontaudit_sendrecv_xen_client_packets(domain)
dnl Wrapper: expands the dontaudit send and receive interfaces for
dnl xen_client packets with argument 1.  Grants nothing; suppresses audit.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_xen_client_packets'($*)) dnl
corenet_dontaudit_send_xen_client_packets($1)
corenet_dontaudit_receive_xen_client_packets($1)
dnl Depth is restored by pushing the decremented value (no popdef here).
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_xen_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the xen_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_xen_client_packets',` dnl
dnl corenet_relabelto_xen_client_packets(domain)
dnl Argument 1: domain granted packet-class relabelto for the target label
dnl xen_client_packet_t.  Relabeling changes which packet rules apply
dnl afterwards, so this is a broader grant than plain send/recv.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_xen_client_packets'($*)) dnl
gen_require(`
type xen_client_packet_t;
')
allow $1 xen_client_packet_t:packet relabelto;
dnl Depth is restored by pushing the decremented value (no popdef here).
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_xen_client_packets'($*)) dnl
')
########################################
##
## Send xen_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_xen_server_packets',` dnl
dnl corenet_send_xen_server_packets(domain)
dnl Argument 1: domain granted the packet-class send permission on packets
dnl labeled xen_server_packet_t.  gen_require declares the referenced type.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_xen_server_packets'($*)) dnl
gen_require(`
type xen_server_packet_t;
')
allow $1 xen_server_packet_t:packet send;
dnl Depth is restored by pushing the decremented value (no popdef here).
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_xen_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send xen_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_xen_server_packets',` dnl
dnl corenet_dontaudit_send_xen_server_packets(domain)
dnl Argument 1: domain whose denied packet send on xen_server_packet_t is
dnl not audited.  Nothing is granted; only the denial record is suppressed.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_xen_server_packets'($*)) dnl
gen_require(`
type xen_server_packet_t;
')
dontaudit $1 xen_server_packet_t:packet send;
dnl Depth is restored by pushing the decremented value (no popdef here).
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_xen_server_packets'($*)) dnl
')
########################################
##
## Receive xen_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_xen_server_packets',` dnl
dnl corenet_receive_xen_server_packets(domain)
dnl Argument 1: domain granted the packet-class recv permission on packets
dnl labeled xen_server_packet_t.  gen_require declares the referenced type.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_xen_server_packets'($*)) dnl
gen_require(`
type xen_server_packet_t;
')
allow $1 xen_server_packet_t:packet recv;
dnl Depth is restored by pushing the decremented value (no popdef here).
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_xen_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive xen_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_xen_server_packets',` dnl
dnl corenet_dontaudit_receive_xen_server_packets(domain)
dnl Argument 1: domain whose denied packet recv on xen_server_packet_t is
dnl not audited.  Nothing is granted; only the denial record is suppressed.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_xen_server_packets'($*)) dnl
gen_require(`
type xen_server_packet_t;
')
dontaudit $1 xen_server_packet_t:packet recv;
dnl Depth is restored by pushing the decremented value (no popdef here).
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_xen_server_packets'($*)) dnl
')
########################################
##
## Send and receive xen_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_xen_server_packets',` dnl
dnl corenet_sendrecv_xen_server_packets(domain)
dnl Wrapper: expands the send and receive interfaces for xen_server packets
dnl with argument 1.  No gen_require here; each callee declares its own type.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_xen_server_packets'($*)) dnl
corenet_send_xen_server_packets($1)
corenet_receive_xen_server_packets($1)
dnl Depth is restored by pushing the decremented value (no popdef here).
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_xen_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive xen_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_xen_server_packets',` dnl
dnl corenet_dontaudit_sendrecv_xen_server_packets(domain)
dnl Wrapper: expands the dontaudit send and receive interfaces for
dnl xen_server packets with argument 1.  Grants nothing; suppresses audit.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_xen_server_packets'($*)) dnl
corenet_dontaudit_send_xen_server_packets($1)
corenet_dontaudit_receive_xen_server_packets($1)
dnl Depth is restored by pushing the decremented value (no popdef here).
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_xen_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the xen_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_xen_server_packets',` dnl
dnl corenet_relabelto_xen_server_packets(domain)
dnl Argument 1: domain granted packet-class relabelto for the target label
dnl xen_server_packet_t.  Relabeling changes which packet rules apply
dnl afterwards, so this is a broader grant than plain send/recv.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_xen_server_packets'($*)) dnl
gen_require(`
type xen_server_packet_t;
')
allow $1 xen_server_packet_t:packet relabelto;
dnl Depth is restored by pushing the decremented value (no popdef here).
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_xen_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the xfs port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_xfs_port',` dnl
dnl corenet_tcp_sendrecv_xfs_port(domain)
dnl Argument 1: domain granted send_msg and recv_msg on tcp_socket objects
dnl labeled xfs_port_t.  Traffic permission only; binding and connecting
dnl are separate interfaces.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_xfs_port'($*)) dnl
gen_require(`
type xfs_port_t;
')
allow $1 xfs_port_t:tcp_socket { send_msg recv_msg };
dnl Depth is restored by pushing the decremented value (no popdef here).
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_xfs_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the xfs port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_xfs_port',` dnl
dnl corenet_udp_send_xfs_port(domain)
dnl Argument 1: domain granted send_msg on udp_socket objects labeled
dnl xfs_port_t.  gen_require declares the referenced type.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_xfs_port'($*)) dnl
gen_require(`
type xfs_port_t;
')
allow $1 xfs_port_t:udp_socket send_msg;
dnl Depth is restored by pushing the decremented value (no popdef here).
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_xfs_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the xfs port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_xfs_port',` dnl
dnl corenet_dontaudit_udp_send_xfs_port(domain)
dnl Argument 1: domain whose denied udp_socket send_msg on xfs_port_t is not
dnl audited.  Nothing is granted; only the denial record is suppressed.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_xfs_port'($*)) dnl
gen_require(`
type xfs_port_t;
')
dontaudit $1 xfs_port_t:udp_socket send_msg;
dnl Depth is restored by pushing the decremented value (no popdef here).
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_xfs_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the xfs port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_xfs_port',` dnl
dnl corenet_udp_receive_xfs_port(domain)
dnl Argument 1: domain granted recv_msg on udp_socket objects labeled
dnl xfs_port_t.  gen_require declares the referenced type.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_xfs_port'($*)) dnl
gen_require(`
type xfs_port_t;
')
allow $1 xfs_port_t:udp_socket recv_msg;
dnl Depth is restored by pushing the decremented value (no popdef here).
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_xfs_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the xfs port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_xfs_port',` dnl
dnl corenet_dontaudit_udp_receive_xfs_port(domain)
dnl Argument 1: domain whose denied udp_socket recv_msg on xfs_port_t is not
dnl audited.  Nothing is granted; only the denial record is suppressed.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_xfs_port'($*)) dnl
gen_require(`
type xfs_port_t;
')
dontaudit $1 xfs_port_t:udp_socket recv_msg;
dnl Depth is restored by pushing the decremented value (no popdef here).
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_xfs_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the xfs port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_xfs_port',` dnl
dnl corenet_udp_sendrecv_xfs_port(domain)
dnl Wrapper: expands the UDP send and receive interfaces for the xfs port
dnl with argument 1.  No gen_require here; each callee declares its own type.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_xfs_port'($*)) dnl
corenet_udp_send_xfs_port($1)
corenet_udp_receive_xfs_port($1)
dnl Depth is restored by pushing the decremented value (no popdef here).
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_xfs_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the xfs port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_xfs_port',` dnl
dnl corenet_dontaudit_udp_sendrecv_xfs_port(domain)
dnl Wrapper: expands the dontaudit UDP send and receive interfaces for the
dnl xfs port with argument 1.  Grants nothing; suppresses audit only.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_xfs_port'($*)) dnl
corenet_dontaudit_udp_send_xfs_port($1)
corenet_dontaudit_udp_receive_xfs_port($1)
dnl Depth is restored by pushing the decremented value (no popdef here).
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_xfs_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the xfs port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_xfs_port',` dnl
dnl corenet_tcp_bind_xfs_port(domain)
dnl Argument 1: domain granted name_bind on tcp_socket objects labeled
dnl xfs_port_t, i.e. it may listen on the xfs port.  Binding is a server-side
dnl privilege; keep it out of domains that only need to connect.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_xfs_port'($*)) dnl
gen_require(`
type xfs_port_t;
')
allow $1 xfs_port_t:tcp_socket name_bind;
dnl Depth is restored by pushing the decremented value (no popdef here).
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_xfs_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the xfs port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_xfs_port',` dnl
dnl corenet_udp_bind_xfs_port(domain)
dnl Argument 1: domain granted name_bind on udp_socket objects labeled
dnl xfs_port_t, i.e. it may bind the xfs port.  gen_require declares the type.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_xfs_port'($*)) dnl
gen_require(`
type xfs_port_t;
')
allow $1 xfs_port_t:udp_socket name_bind;
dnl Depth is restored by pushing the decremented value (no popdef here).
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_xfs_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the xfs port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_xfs_port',` dnl
dnl corenet_tcp_connect_xfs_port(domain)
dnl Argument 1: domain granted name_connect on tcp_socket objects labeled
dnl xfs_port_t, i.e. outbound TCP connections to the xfs port.
dnl gen_require declares the type the rule references.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_xfs_port'($*)) dnl
gen_require(`
type xfs_port_t;
')
allow $1 xfs_port_t:tcp_socket name_connect;
dnl Depth is restored by pushing the decremented value (no popdef here).
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_xfs_port'($*)) dnl
')
########################################
##
## Send xfs_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_xfs_client_packets',` dnl
dnl Grant the calling domain send on the packet class for xfs_client_packet_t.
dnl NOTE: packet class rules apply only to traffic labeled by SECMARK; confirm the netfilter labeling on the target.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_xfs_client_packets'($*)) dnl
gen_require(`
type xfs_client_packet_t;
')
allow $1 xfs_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_xfs_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send xfs_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_xfs_client_packets',` dnl
dnl Suppress AVC denial records for the calling domain sending xfs_client_packet_t packets.
dnl dontaudit grants nothing; it only silences the audit message for this one permission.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_xfs_client_packets'($*)) dnl
gen_require(`
type xfs_client_packet_t;
')
dontaudit $1 xfs_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_xfs_client_packets'($*)) dnl
')
########################################
##
## Receive xfs_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_xfs_client_packets',` dnl
dnl Grant the calling domain recv on the packet class for xfs_client_packet_t.
dnl NOTE: enforced only for SECMARK-labeled traffic; unlabeled packets bypass this check.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_xfs_client_packets'($*)) dnl
gen_require(`
type xfs_client_packet_t;
')
allow $1 xfs_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_xfs_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive xfs_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_xfs_client_packets',` dnl
dnl Suppress AVC denial records for the calling domain receiving xfs_client_packet_t packets; no access is granted.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_xfs_client_packets'($*)) dnl
gen_require(`
type xfs_client_packet_t;
')
dontaudit $1 xfs_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_xfs_client_packets'($*)) dnl
')
########################################
##
## Send and receive xfs_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_xfs_client_packets',` dnl
dnl Convenience wrapper: expands to the send and receive interfaces for xfs_client_packet_t.
dnl Each nested interface carries its own gen_require, so none is needed here.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_xfs_client_packets'($*)) dnl
corenet_send_xfs_client_packets($1)
corenet_receive_xfs_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_xfs_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive xfs_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_xfs_client_packets',` dnl
dnl Convenience wrapper: silences AVC denials for both send and recv of xfs_client_packet_t packets.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_xfs_client_packets'($*)) dnl
corenet_dontaudit_send_xfs_client_packets($1)
corenet_dontaudit_receive_xfs_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_xfs_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the xfs_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_xfs_client_packets',` dnl
dnl Grant the calling domain relabelto on the packet class for xfs_client_packet_t.
dnl NOTE: this is the permission needed to assign the SECMARK label; review callers, it should be limited to the domain that loads netfilter rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_xfs_client_packets'($*)) dnl
gen_require(`
type xfs_client_packet_t;
')
allow $1 xfs_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_xfs_client_packets'($*)) dnl
')
########################################
##
## Send xfs_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_xfs_server_packets',` dnl
dnl Grant the calling domain send on the packet class for xfs_server_packet_t.
dnl NOTE: packet class rules apply only to traffic labeled by SECMARK; confirm the netfilter labeling on the target.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_xfs_server_packets'($*)) dnl
gen_require(`
type xfs_server_packet_t;
')
allow $1 xfs_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_xfs_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send xfs_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_xfs_server_packets',` dnl
dnl Suppress AVC denial records for the calling domain sending xfs_server_packet_t packets; no access is granted.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_xfs_server_packets'($*)) dnl
gen_require(`
type xfs_server_packet_t;
')
dontaudit $1 xfs_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_xfs_server_packets'($*)) dnl
')
########################################
##
## Receive xfs_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_xfs_server_packets',` dnl
dnl Grant the calling domain recv on the packet class for xfs_server_packet_t.
dnl NOTE: enforced only for SECMARK-labeled traffic; unlabeled packets bypass this check.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_xfs_server_packets'($*)) dnl
gen_require(`
type xfs_server_packet_t;
')
allow $1 xfs_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_xfs_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive xfs_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_xfs_server_packets',` dnl
dnl Suppress AVC denial records for the calling domain receiving xfs_server_packet_t packets; no access is granted.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_xfs_server_packets'($*)) dnl
gen_require(`
type xfs_server_packet_t;
')
dontaudit $1 xfs_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_xfs_server_packets'($*)) dnl
')
########################################
##
## Send and receive xfs_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_xfs_server_packets',` dnl
dnl Convenience wrapper: expands to the send and receive interfaces for xfs_server_packet_t.
dnl Each nested interface carries its own gen_require, so none is needed here.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_xfs_server_packets'($*)) dnl
corenet_send_xfs_server_packets($1)
corenet_receive_xfs_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_xfs_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive xfs_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_xfs_server_packets',` dnl
dnl Convenience wrapper: silences AVC denials for both send and recv of xfs_server_packet_t packets.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_xfs_server_packets'($*)) dnl
corenet_dontaudit_send_xfs_server_packets($1)
corenet_dontaudit_receive_xfs_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_xfs_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the xfs_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_xfs_server_packets',` dnl
dnl Grant the calling domain relabelto on the packet class for xfs_server_packet_t.
dnl NOTE: this is the permission needed to assign the SECMARK label; review callers, it should be limited to the domain that loads netfilter rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_xfs_server_packets'($*)) dnl
gen_require(`
type xfs_server_packet_t;
')
allow $1 xfs_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_xfs_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the xserver port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_xserver_port',` dnl
dnl Grant the calling domain send_msg and recv_msg on tcp_socket for xserver_port_t.
dnl NOTE: port-level send_msg/recv_msg checks belong to the legacy compat_net controls; with SECMARK the packet class rules govern traffic instead. Confirm which is enforced on the target kernel.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_xserver_port'($*)) dnl
gen_require(`
type xserver_port_t;
')
allow $1 xserver_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_xserver_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the xserver port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_xserver_port',` dnl
dnl Grant the calling domain send_msg on udp_socket for xserver_port_t.
dnl NOTE: a legacy compat_net port check; on SECMARK-based systems the packet class rules apply instead.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_xserver_port'($*)) dnl
gen_require(`
type xserver_port_t;
')
allow $1 xserver_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_xserver_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the xserver port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_xserver_port',` dnl
dnl Suppress AVC denial records for the calling domain sending UDP to xserver_port_t; no access is granted.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_xserver_port'($*)) dnl
gen_require(`
type xserver_port_t;
')
dontaudit $1 xserver_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_xserver_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the xserver port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_xserver_port',` dnl
dnl Grant the calling domain recv_msg on udp_socket for xserver_port_t.
dnl NOTE: a legacy compat_net port check; on SECMARK-based systems the packet class rules apply instead.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_xserver_port'($*)) dnl
gen_require(`
type xserver_port_t;
')
allow $1 xserver_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_xserver_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the xserver port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_xserver_port',` dnl
dnl Suppress AVC denial records for the calling domain receiving UDP on xserver_port_t; no access is granted.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_xserver_port'($*)) dnl
gen_require(`
type xserver_port_t;
')
dontaudit $1 xserver_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_xserver_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the xserver port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_xserver_port',` dnl
dnl Convenience wrapper: expands to the UDP send and receive interfaces for xserver_port_t.
dnl Each nested interface carries its own gen_require, so none is needed here.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_xserver_port'($*)) dnl
corenet_udp_send_xserver_port($1)
corenet_udp_receive_xserver_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_xserver_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the xserver port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_xserver_port',` dnl
dnl Convenience wrapper: silences AVC denials for both UDP send_msg and recv_msg on xserver_port_t.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_xserver_port'($*)) dnl
corenet_dontaudit_udp_send_xserver_port($1)
corenet_dontaudit_udp_receive_xserver_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_xserver_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the xserver port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_xserver_port',` dnl
dnl Grant the calling domain name_bind on tcp_socket for xserver_port_t, i.e. the right to listen on the xserver port.
dnl The depth counter is pushed here and popped below so policy_m4_comment can record nested interface calls.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_xserver_port'($*)) dnl
gen_require(`
type xserver_port_t;
')
allow $1 xserver_port_t:tcp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_xserver_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the xserver port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_xserver_port',` dnl
dnl Grant the calling domain name_bind on udp_socket for xserver_port_t, i.e. the right to bind a UDP socket to the xserver port.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_xserver_port'($*)) dnl
gen_require(`
type xserver_port_t;
')
allow $1 xserver_port_t:udp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_xserver_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the xserver port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_xserver_port',` dnl
dnl Grant the calling domain name_connect on tcp_socket for xserver_port_t, i.e. outbound TCP connections to the xserver port.
dnl Port types label port numbers only; which peer hosts may be reached is governed by node rules, not by this one.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_xserver_port'($*)) dnl
gen_require(`
type xserver_port_t;
')
allow $1 xserver_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_xserver_port'($*)) dnl
')
########################################
##
## Send xserver_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_xserver_client_packets',` dnl
dnl Grant the calling domain send on the packet class for xserver_client_packet_t.
dnl NOTE: packet class rules apply only to traffic labeled by SECMARK; confirm the netfilter labeling on the target.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_xserver_client_packets'($*)) dnl
gen_require(`
type xserver_client_packet_t;
')
allow $1 xserver_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_xserver_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send xserver_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_xserver_client_packets',` dnl
dnl Suppress AVC denial records for the calling domain sending xserver_client_packet_t packets; no access is granted.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_xserver_client_packets'($*)) dnl
gen_require(`
type xserver_client_packet_t;
')
dontaudit $1 xserver_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_xserver_client_packets'($*)) dnl
')
########################################
##
## Receive xserver_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_xserver_client_packets',` dnl
dnl Grant the calling domain recv on the packet class for xserver_client_packet_t.
dnl NOTE: enforced only for SECMARK-labeled traffic; unlabeled packets bypass this check.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_xserver_client_packets'($*)) dnl
gen_require(`
type xserver_client_packet_t;
')
allow $1 xserver_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_xserver_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive xserver_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_xserver_client_packets',` dnl
dnl Suppress AVC denial records for the calling domain receiving xserver_client_packet_t packets; no access is granted.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_xserver_client_packets'($*)) dnl
gen_require(`
type xserver_client_packet_t;
')
dontaudit $1 xserver_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_xserver_client_packets'($*)) dnl
')
########################################
##
## Send and receive xserver_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_xserver_client_packets',` dnl
dnl Convenience wrapper: expands to the send and receive interfaces for xserver_client_packet_t.
dnl Each nested interface carries its own gen_require, so none is needed here.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_xserver_client_packets'($*)) dnl
corenet_send_xserver_client_packets($1)
corenet_receive_xserver_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_xserver_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive xserver_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_xserver_client_packets',` dnl
dnl Convenience wrapper: silences AVC denials for both send and recv of xserver_client_packet_t packets.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_xserver_client_packets'($*)) dnl
corenet_dontaudit_send_xserver_client_packets($1)
corenet_dontaudit_receive_xserver_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_xserver_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the xserver_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_xserver_client_packets',` dnl
dnl Grant the calling domain relabelto on the packet class for xserver_client_packet_t.
dnl NOTE: this is the permission needed to assign the SECMARK label; review callers, it should be limited to the domain that loads netfilter rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_xserver_client_packets'($*)) dnl
gen_require(`
type xserver_client_packet_t;
')
allow $1 xserver_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_xserver_client_packets'($*)) dnl
')
########################################
##
## Send xserver_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_xserver_server_packets',` dnl
dnl Grant the calling domain send on the packet class for xserver_server_packet_t.
dnl NOTE: packet class rules apply only to traffic labeled by SECMARK; confirm the netfilter labeling on the target.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_xserver_server_packets'($*)) dnl
gen_require(`
type xserver_server_packet_t;
')
allow $1 xserver_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_xserver_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send xserver_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_xserver_server_packets',` dnl
dnl Suppress AVC denial records for the calling domain sending xserver_server_packet_t packets; no access is granted.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_xserver_server_packets'($*)) dnl
gen_require(`
type xserver_server_packet_t;
')
dontaudit $1 xserver_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_xserver_server_packets'($*)) dnl
')
########################################
##
## Receive xserver_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_xserver_server_packets',` dnl
dnl Grant the calling domain recv on the packet class for xserver_server_packet_t.
dnl NOTE: enforced only for SECMARK-labeled traffic; unlabeled packets bypass this check.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_xserver_server_packets'($*)) dnl
gen_require(`
type xserver_server_packet_t;
')
allow $1 xserver_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_xserver_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive xserver_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_xserver_server_packets',` dnl
dnl Suppress AVC denial records for the calling domain receiving xserver_server_packet_t packets; no access is granted.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_xserver_server_packets'($*)) dnl
gen_require(`
type xserver_server_packet_t;
')
dontaudit $1 xserver_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_xserver_server_packets'($*)) dnl
')
########################################
##
## Send and receive xserver_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_xserver_server_packets',` dnl
dnl Convenience wrapper: expands to the send and receive interfaces for xserver_server_packet_t.
dnl Each nested interface carries its own gen_require, so none is needed here.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_xserver_server_packets'($*)) dnl
corenet_send_xserver_server_packets($1)
corenet_receive_xserver_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_xserver_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive xserver_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_xserver_server_packets',` dnl
dnl Convenience wrapper: silences AVC denials for both send and recv of xserver_server_packet_t packets.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_xserver_server_packets'($*)) dnl
corenet_dontaudit_send_xserver_server_packets($1)
corenet_dontaudit_receive_xserver_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_xserver_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the xserver_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_xserver_server_packets',` dnl
dnl Grant the calling domain relabelto on the packet class for xserver_server_packet_t.
dnl NOTE: this is the permission needed to assign the SECMARK label; review callers, it should be limited to the domain that loads netfilter rules.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_xserver_server_packets'($*)) dnl
gen_require(`
type xserver_server_packet_t;
')
allow $1 xserver_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_xserver_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the zebra port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_zebra_port',` dnl
dnl Grant the calling domain send_msg and recv_msg on tcp_socket for zebra_port_t.
dnl NOTE: port-level send_msg/recv_msg checks belong to the legacy compat_net controls; with SECMARK the packet class rules govern traffic instead. Confirm which is enforced on the target kernel.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_zebra_port'($*)) dnl
gen_require(`
type zebra_port_t;
')
allow $1 zebra_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_zebra_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the zebra port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_zebra_port',` dnl
dnl Grant the calling domain send_msg on udp_socket for zebra_port_t.
dnl NOTE: a legacy compat_net port check; on SECMARK-based systems the packet class rules apply instead.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_zebra_port'($*)) dnl
gen_require(`
type zebra_port_t;
')
allow $1 zebra_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_zebra_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the zebra port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_zebra_port',` dnl
dnl Suppress AVC denial records for the calling domain sending UDP to zebra_port_t; no access is granted.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_zebra_port'($*)) dnl
gen_require(`
type zebra_port_t;
')
dontaudit $1 zebra_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_zebra_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the zebra port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_zebra_port',` dnl
dnl Grant the calling domain recv_msg on udp_socket for zebra_port_t.
dnl NOTE: a legacy compat_net port check; on SECMARK-based systems the packet class rules apply instead.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_zebra_port'($*)) dnl
gen_require(`
type zebra_port_t;
')
allow $1 zebra_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_zebra_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the zebra port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_zebra_port',` dnl
dnl Suppress AVC denial records for the calling domain receiving UDP on zebra_port_t; no access is granted.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_zebra_port'($*)) dnl
gen_require(`
type zebra_port_t;
')
dontaudit $1 zebra_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_zebra_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the zebra port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_zebra_port',` dnl
dnl Convenience wrapper: expands to the UDP send and receive interfaces for zebra_port_t.
dnl Each nested interface carries its own gen_require, so none is needed here.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_zebra_port'($*)) dnl
corenet_udp_send_zebra_port($1)
corenet_udp_receive_zebra_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_zebra_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the zebra port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_zebra_port',` dnl
dnl Convenience wrapper: silences AVC denials for both UDP send_msg and recv_msg on zebra_port_t.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_zebra_port'($*)) dnl
corenet_dontaudit_udp_send_zebra_port($1)
corenet_dontaudit_udp_receive_zebra_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_zebra_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the zebra port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_zebra_port',` dnl
dnl Grant the calling domain name_bind on tcp_socket for zebra_port_t, i.e. the right to listen on the zebra port.
dnl The depth counter is pushed here and popped below so policy_m4_comment can record nested interface calls.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_zebra_port'($*)) dnl
gen_require(`
type zebra_port_t;
')
allow $1 zebra_port_t:tcp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_zebra_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the zebra port.
##
##
##
## Domain allowed access.
##
##
##
#
# UDP counterpart of corenet_tcp_bind_zebra_port: name_bind on udp_socket
# for zebra_port_t, nothing else.  Sending and receiving datagrams on the
# bound socket is granted by the udp send/receive interfaces.
define(`corenet_udp_bind_zebra_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_zebra_port'($*)) dnl
gen_require(`
type zebra_port_t;
')
allow $1 zebra_port_t:udp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_zebra_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the zebra port.
##
##
##
## Domain allowed access.
##
##
#
# Client side of the port: name_connect lets the caller initiate a TCP
# connection to zebra_port_t.  It does not carry send_msg/recv_msg (those
# live in the tcp_sendrecv interface for the port) and does not allow
# binding.
define(`corenet_tcp_connect_zebra_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_zebra_port'($*)) dnl
gen_require(`
type zebra_port_t;
')
allow $1 zebra_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_zebra_port'($*)) dnl
')
########################################
##
## Send zebra_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
# Emits a single allow rule: packet send on zebra_client_packet_t.
# gen_require() adds the packet type to the calling module's require block.
# NOTE(review): a packet type only has effect on traffic that is actually
# labeled with it (presumably by netfilter/SECMARK rules) -- confirm the
# labeling exists before relying on this rule for isolation.
define(`corenet_send_zebra_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_zebra_client_packets'($*)) dnl
gen_require(`
type zebra_client_packet_t;
')
allow $1 zebra_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_zebra_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send zebra_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
# Suppresses the AVC record for a refused packet send on
# zebra_client_packet_t; the send is still denied.  Keep such rules rare:
# a silenced denial is invisible to audit-based detection.
define(`corenet_dontaudit_send_zebra_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_zebra_client_packets'($*)) dnl
gen_require(`
type zebra_client_packet_t;
')
dontaudit $1 zebra_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_zebra_client_packets'($*)) dnl
')
########################################
##
## Receive zebra_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
# Receive side of corenet_send_zebra_client_packets: one allow rule for
# packet recv on zebra_client_packet_t.  The sendrecv wrapper below
# combines both directions.
define(`corenet_receive_zebra_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_zebra_client_packets'($*)) dnl
gen_require(`
type zebra_client_packet_t;
')
allow $1 zebra_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_zebra_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive zebra_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
# Receive-side counterpart of corenet_dontaudit_send_zebra_client_packets:
# silences, but does not permit, packet recv on zebra_client_packet_t.
# (The parameter description above used to say "allowed access", which was
# wrong for a dontaudit interface.)
define(`corenet_dontaudit_receive_zebra_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_zebra_client_packets'($*)) dnl
gen_require(`
type zebra_client_packet_t;
')
dontaudit $1 zebra_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_zebra_client_packets'($*)) dnl
')
########################################
##
## Send and receive zebra_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
# Wrapper: calls the send and receive interfaces for
# zebra_client_packet_t; emits no rule of its own and needs no
# gen_require().
define(`corenet_sendrecv_zebra_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_zebra_client_packets'($*)) dnl
corenet_send_zebra_client_packets($1)
corenet_receive_zebra_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_zebra_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive zebra_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
# Wrapper over both dontaudit packet interfaces for zebra_client_packet_t.
# Silences denials in both directions at once; use the single-direction
# form when only one side needs quieting so the other still shows up in
# the audit log.
define(`corenet_dontaudit_sendrecv_zebra_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_zebra_client_packets'($*)) dnl
corenet_dontaudit_send_zebra_client_packets($1)
corenet_dontaudit_receive_zebra_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_zebra_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the zebra_client packet type.
##
##
##
## Domain allowed access.
##
##
#
# relabelto on the packet class lets the caller assign
# zebra_client_packet_t to traffic.  NOTE(review): that is effectively the
# power to decide which traffic counts as zebra_client traffic for every
# other domain's packet send/recv rules, so it belongs only to the domain
# that installs the labeling rules (presumably the netfilter/iptables
# domain) -- confirm the callers.
define(`corenet_relabelto_zebra_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_zebra_client_packets'($*)) dnl
gen_require(`
type zebra_client_packet_t;
')
allow $1 zebra_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_zebra_client_packets'($*)) dnl
')
########################################
##
## Send zebra_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
# One allow rule: packet send on zebra_server_packet_t.  Same caveat as
# the client variant -- the rule only matters for traffic that is labeled
# with this type by the packet labeling configuration.
define(`corenet_send_zebra_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_zebra_server_packets'($*)) dnl
gen_require(`
type zebra_server_packet_t;
')
allow $1 zebra_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_zebra_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send zebra_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
# dontaudit, not allow: the packet send on zebra_server_packet_t stays
# denied, only the AVC message is dropped.  Remember that every dontaudit
# is a blind spot for log-based detection.
define(`corenet_dontaudit_send_zebra_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_zebra_server_packets'($*)) dnl
gen_require(`
type zebra_server_packet_t;
')
dontaudit $1 zebra_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_zebra_server_packets'($*)) dnl
')
########################################
##
## Receive zebra_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
# Receive side for zebra_server_packet_t: one allow rule for packet recv.
# Paired with corenet_send_zebra_server_packets by the sendrecv wrapper.
define(`corenet_receive_zebra_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_zebra_server_packets'($*)) dnl
gen_require(`
type zebra_server_packet_t;
')
allow $1 zebra_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_zebra_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive zebra_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
# Silences denied packet recv on zebra_server_packet_t without granting it.
# The parameter text above previously read "Domain allowed access", which
# misdescribed a dontaudit interface.
define(`corenet_dontaudit_receive_zebra_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_zebra_server_packets'($*)) dnl
gen_require(`
type zebra_server_packet_t;
')
dontaudit $1 zebra_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_zebra_server_packets'($*)) dnl
')
########################################
##
## Send and receive zebra_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
# Wrapper: both directions for zebra_server_packet_t via the two
# single-direction interfaces; nothing is emitted here directly.
define(`corenet_sendrecv_zebra_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_zebra_server_packets'($*)) dnl
corenet_send_zebra_server_packets($1)
corenet_receive_zebra_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_zebra_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive zebra_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
# Wrapper over the send and receive dontaudit interfaces for
# zebra_server_packet_t.  Both directions go quiet at once, so reach for
# the single-direction form when only one side is producing noise.
define(`corenet_dontaudit_sendrecv_zebra_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_zebra_server_packets'($*)) dnl
corenet_dontaudit_send_zebra_server_packets($1)
corenet_dontaudit_receive_zebra_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_zebra_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the zebra_server packet type.
##
##
##
## Domain allowed access.
##
##
#
# Lets the caller label traffic as zebra_server_packet_t.  NOTE(review):
# relabelto on packets is a labeling authority, not a traffic permission --
# a domain holding it can make arbitrary traffic pass the zebra_server
# packet checks of other domains.  Restrict to the packet-labeling domain
# and review any other caller.
define(`corenet_relabelto_zebra_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_zebra_server_packets'($*)) dnl
gen_require(`
type zebra_server_packet_t;
')
allow $1 zebra_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_zebra_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the zope port.
##
##
##
## Domain allowed access.
##
##
##
#
# Emits one allow rule carrying both send_msg and recv_msg on zope_port_t
# tcp sockets.  NOTE(review): whether the per-port send_msg/recv_msg checks
# are enforced at all depends on which network access controls the running
# kernel uses -- do not treat this rule alone as the gate on the port;
# name_bind and name_connect are where binding and connecting are actually
# decided.
define(`corenet_tcp_sendrecv_zope_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_zope_port'($*)) dnl
gen_require(`
type zope_port_t;
')
allow $1 zope_port_t:tcp_socket { send_msg recv_msg };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_zope_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the zope port.
##
##
##
## Domain allowed access.
##
##
##
#
# One allow rule: send_msg on zope_port_t udp sockets.  Does not include
# name_bind; a caller that must own the port also needs
# corenet_udp_bind_zope_port.
define(`corenet_udp_send_zope_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_zope_port'($*)) dnl
gen_require(`
type zope_port_t;
')
allow $1 zope_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_zope_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the zope port.
##
##
##
## Domain to not audit.
##
##
##
#
# Drops the AVC record for a denied send_msg on zope_port_t udp sockets;
# the send itself remains denied.  A dontaudit is a deliberate blind spot
# in the audit trail, so it should be justified by a known-benign probe.
define(`corenet_dontaudit_udp_send_zope_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_zope_port'($*)) dnl
gen_require(`
type zope_port_t;
')
dontaudit $1 zope_port_t:udp_socket send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_zope_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the zope port.
##
##
##
## Domain allowed access.
##
##
##
#
# Receive-side twin of corenet_udp_send_zope_port: recv_msg on zope_port_t
# udp sockets, nothing more.
define(`corenet_udp_receive_zope_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_zope_port'($*)) dnl
gen_require(`
type zope_port_t;
')
allow $1 zope_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_zope_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the zope port.
##
##
##
## Domain to not audit.
##
##
##
#
# Silences, without permitting, recv_msg on zope_port_t udp sockets.
define(`corenet_dontaudit_udp_receive_zope_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_zope_port'($*)) dnl
gen_require(`
type zope_port_t;
')
dontaudit $1 zope_port_t:udp_socket recv_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_zope_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the zope port.
##
##
##
## Domain allowed access.
##
##
##
#
# Wrapper: expands to corenet_udp_send_zope_port plus
# corenet_udp_receive_zope_port for the same domain; no rule and no
# gen_require() of its own.
define(`corenet_udp_sendrecv_zope_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_zope_port'($*)) dnl
corenet_udp_send_zope_port($1)
corenet_udp_receive_zope_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_zope_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the zope port.
##
##
##
## Domain to not audit.
##
##
##
#
# Wrapper over the two udp dontaudit interfaces for zope_port_t.  Hides
# denials in both directions; nothing is granted.
define(`corenet_dontaudit_udp_sendrecv_zope_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_zope_port'($*)) dnl
corenet_dontaudit_udp_send_zope_port($1)
corenet_dontaudit_udp_receive_zope_port($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_zope_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the zope port.
##
##
##
## Domain allowed access.
##
##
##
#
# name_bind on zope_port_t tcp sockets: the caller may listen on the port.
# This is the server-side privilege; clients want
# corenet_tcp_connect_zope_port instead.  Traffic permissions are not
# included.
define(`corenet_tcp_bind_zope_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_zope_port'($*)) dnl
gen_require(`
type zope_port_t;
')
allow $1 zope_port_t:tcp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_zope_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the zope port.
##
##
##
## Domain allowed access.
##
##
##
#
# name_bind on zope_port_t udp sockets only.  Combine with the udp
# send/receive interfaces for actual datagram traffic.
define(`corenet_udp_bind_zope_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_zope_port'($*)) dnl
gen_require(`
type zope_port_t;
')
allow $1 zope_port_t:udp_socket name_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_zope_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the zope port.
##
##
##
## Domain allowed access.
##
##
#
# name_connect on zope_port_t: outbound connections only.  Does not allow
# listening on the port, and does not carry send_msg/recv_msg (see
# corenet_tcp_sendrecv_zope_port for those).
define(`corenet_tcp_connect_zope_port',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_zope_port'($*)) dnl
gen_require(`
type zope_port_t;
')
allow $1 zope_port_t:tcp_socket name_connect;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_zope_port'($*)) dnl
')
########################################
##
## Send zope_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
# One allow rule: packet send on zope_client_packet_t.  NOTE(review):
# effective only for traffic the packet labeling configuration actually
# marks with this type -- confirm that before counting on it.
define(`corenet_send_zope_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_zope_client_packets'($*)) dnl
gen_require(`
type zope_client_packet_t;
')
allow $1 zope_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_zope_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send zope_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
# Hides the denial for packet send on zope_client_packet_t; access is not
# granted.  Each dontaudit removes evidence from the audit log, so keep
# the set small and documented.
define(`corenet_dontaudit_send_zope_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_zope_client_packets'($*)) dnl
gen_require(`
type zope_client_packet_t;
')
dontaudit $1 zope_client_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_zope_client_packets'($*)) dnl
')
########################################
##
## Receive zope_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
# Receive side for zope_client_packet_t: allow packet recv.  The sendrecv
# wrapper combines this with corenet_send_zope_client_packets.
define(`corenet_receive_zope_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_zope_client_packets'($*)) dnl
gen_require(`
type zope_client_packet_t;
')
allow $1 zope_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_zope_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive zope_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
# Silences denied packet recv on zope_client_packet_t; nothing is allowed.
# (The parameter description above formerly said "allowed access", which
# does not apply to a dontaudit interface.)
define(`corenet_dontaudit_receive_zope_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_zope_client_packets'($*)) dnl
gen_require(`
type zope_client_packet_t;
')
dontaudit $1 zope_client_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_zope_client_packets'($*)) dnl
')
########################################
##
## Send and receive zope_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
# Wrapper: send plus receive for zope_client_packet_t through the two
# single-direction interfaces; no rule or gen_require() of its own.
define(`corenet_sendrecv_zope_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_zope_client_packets'($*)) dnl
corenet_send_zope_client_packets($1)
corenet_receive_zope_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_zope_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive zope_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
# Wrapper over both dontaudit packet interfaces for zope_client_packet_t.
# Quiets both directions; prefer the single-direction form when only one
# is needed so the other denial stays visible.
define(`corenet_dontaudit_sendrecv_zope_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_zope_client_packets'($*)) dnl
corenet_dontaudit_send_zope_client_packets($1)
corenet_dontaudit_receive_zope_client_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_zope_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the zope_client packet type.
##
##
##
## Domain allowed access.
##
##
#
# Grants packet relabelto for zope_client_packet_t, i.e. the right to mark
# traffic with this type.  NOTE(review): a holder of this permission
# controls which traffic other domains may send/recv under their
# zope_client packet rules; it should be limited to the domain that loads
# the packet labeling rules -- confirm callers.
define(`corenet_relabelto_zope_client_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_zope_client_packets'($*)) dnl
gen_require(`
type zope_client_packet_t;
')
allow $1 zope_client_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_zope_client_packets'($*)) dnl
')
########################################
##
## Send zope_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
# One allow rule: packet send on zope_server_packet_t.  Only meaningful
# for traffic that the labeling configuration marks with this type.
define(`corenet_send_zope_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_zope_server_packets'($*)) dnl
gen_require(`
type zope_server_packet_t;
')
allow $1 zope_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_zope_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send zope_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
# dontaudit for packet send on zope_server_packet_t: the denial still
# happens, it just produces no AVC record.
define(`corenet_dontaudit_send_zope_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_zope_server_packets'($*)) dnl
gen_require(`
type zope_server_packet_t;
')
dontaudit $1 zope_server_packet_t:packet send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_zope_server_packets'($*)) dnl
')
########################################
##
## Receive zope_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
# Receive side for zope_server_packet_t: allow packet recv.  Paired with
# corenet_send_zope_server_packets by the sendrecv wrapper.
define(`corenet_receive_zope_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_zope_server_packets'($*)) dnl
gen_require(`
type zope_server_packet_t;
')
allow $1 zope_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_zope_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive zope_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
# Silences denied packet recv on zope_server_packet_t without granting it.
# The parameter text above used to read "Domain allowed access", which was
# copied from the allow variant and was wrong here.
define(`corenet_dontaudit_receive_zope_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_zope_server_packets'($*)) dnl
gen_require(`
type zope_server_packet_t;
')
dontaudit $1 zope_server_packet_t:packet recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_zope_server_packets'($*)) dnl
')
########################################
##
## Send and receive zope_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
# Wrapper: both directions for zope_server_packet_t via the two
# single-direction interfaces; nothing emitted here directly.
define(`corenet_sendrecv_zope_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_zope_server_packets'($*)) dnl
corenet_send_zope_server_packets($1)
corenet_receive_zope_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_zope_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive zope_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
# Wrapper over the send and receive dontaudit interfaces for
# zope_server_packet_t; hides denials in both directions, grants nothing.
define(`corenet_dontaudit_sendrecv_zope_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_zope_server_packets'($*)) dnl
corenet_dontaudit_send_zope_server_packets($1)
corenet_dontaudit_receive_zope_server_packets($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_zope_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the zope_server packet type.
##
##
##
## Domain allowed access.
##
##
#
# packet relabelto for zope_server_packet_t.  NOTE(review): this is a
# labeling authority rather than a traffic permission -- whoever holds it
# decides what passes as zope_server traffic for every other domain.
# Reserve it for the packet-labeling domain and review any other caller.
define(`corenet_relabelto_zope_server_packets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_zope_server_packets'($*)) dnl
gen_require(`
type zope_server_packet_t;
')
allow $1 zope_server_packet_t:packet relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_zope_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the compat_ipv4 node.
##
##
##
## Domain allowed access.
##
##
##
#
# node class: the check is keyed on the address the traffic comes from or
# goes to (compat_ipv4_node_t), independent of the port.  Emits one allow
# rule with tcp_send and tcp_recv.
# NOTE(review): compat_ipv4_node_t presumably labels the IPv4-compatible
# IPv6 address range -- confirm against the nodecon statements that assign
# it before reasoning about which peers this covers.
define(`corenet_tcp_sendrecv_compat_ipv4_node',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_compat_ipv4_node'($*)) dnl
gen_require(`
type compat_ipv4_node_t;
')
allow $1 compat_ipv4_node_t:node { tcp_send tcp_recv };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_compat_ipv4_node'($*)) dnl
')
########################################
##
## Send UDP traffic on the compat_ipv4 node.
##
##
##
## Domain allowed access.
##
##
##
#
# One allow rule: udp_send on compat_ipv4_node_t (node class, address
# based).  The receive direction is a separate interface below.
define(`corenet_udp_send_compat_ipv4_node',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_compat_ipv4_node'($*)) dnl
gen_require(`
type compat_ipv4_node_t;
')
allow $1 compat_ipv4_node_t:node udp_send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_compat_ipv4_node'($*)) dnl
')
########################################
##
## Receive UDP traffic on the compat_ipv4 node.
##
##
##
## Domain allowed access.
##
##
##
#
# One allow rule: udp_recv on compat_ipv4_node_t.  Twin of
# corenet_udp_send_compat_ipv4_node.
define(`corenet_udp_receive_compat_ipv4_node',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_compat_ipv4_node'($*)) dnl
gen_require(`
type compat_ipv4_node_t;
')
allow $1 compat_ipv4_node_t:node udp_recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_compat_ipv4_node'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the compat_ipv4 node.
##
##
##
## Domain allowed access.
##
##
##
#
# Wrapper: udp_send plus udp_recv on compat_ipv4_node_t through the two
# single-direction interfaces; no rule or gen_require() of its own.
define(`corenet_udp_sendrecv_compat_ipv4_node',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_compat_ipv4_node'($*)) dnl
corenet_udp_send_compat_ipv4_node($1)
corenet_udp_receive_compat_ipv4_node($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_compat_ipv4_node'($*)) dnl
')
########################################
##
## Send raw IP packets on the compat_ipv4 node.
##
##
##
## Domain allowed access.
##
##
##
#
# rawip_send on compat_ipv4_node_t: the caller may emit raw IP packets
# toward addresses labeled with that node type.  NOTE(review): raw IP
# sidesteps the per-port tcp/udp checks, and raw sockets are additionally
# gated by the rawip_socket class and normally CAP_NET_RAW, none of which
# this interface grants -- confirm those are given deliberately and only
# to domains that genuinely need raw sockets.
define(`corenet_raw_send_compat_ipv4_node',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_send_compat_ipv4_node'($*)) dnl
gen_require(`
type compat_ipv4_node_t;
')
allow $1 compat_ipv4_node_t:node rawip_send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_send_compat_ipv4_node'($*)) dnl
')
########################################
##
## Receive raw IP packets on the compat_ipv4 node.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_raw_receive_compat_ipv4_node',` dnl
dnl corenet_raw_receive_compat_ipv4_node(domain)
dnl Allows the domain passed as the first argument to receive raw IP packets on
dnl nodes labeled compat_ipv4_node_t (class node, permission rawip_recv).
dnl NOTE(review): raw IP receive is not confined to a transport protocol;
dnl grant it only to domains that actually open raw sockets.
dnl The define/pushdef/undefine lines only maintain policy_call_depth for the
dnl begin/end policy_m4_comment calls and emit nothing into the policy.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_receive_compat_ipv4_node'($*)) dnl
gen_require(`
type compat_ipv4_node_t;
')
allow $1 compat_ipv4_node_t:node rawip_recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_receive_compat_ipv4_node'($*)) dnl
')
########################################
##
## Send and receive raw IP packets on the compat_ipv4 node.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_raw_sendrecv_compat_ipv4_node',` dnl
dnl corenet_raw_sendrecv_compat_ipv4_node(domain)
dnl Convenience wrapper: calls the raw IP send and receive interfaces for the
dnl compat_ipv4 node on behalf of the domain passed as the first argument.
dnl It grants nothing beyond what those two interfaces grant.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_sendrecv_compat_ipv4_node'($*)) dnl
corenet_raw_send_compat_ipv4_node($1)
corenet_raw_receive_compat_ipv4_node($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_sendrecv_compat_ipv4_node'($*)) dnl
')
########################################
##
## Bind TCP sockets to the compat_ipv4 node.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_compat_ipv4_node',` dnl
dnl corenet_tcp_bind_compat_ipv4_node(domain)
dnl Allows the domain passed as the first argument to bind TCP sockets to
dnl nodes labeled compat_ipv4_node_t (class tcp_socket, permission node_bind).
dnl The define/pushdef/undefine lines only maintain policy_call_depth for the
dnl begin/end policy_m4_comment calls and emit nothing into the policy.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_compat_ipv4_node'($*)) dnl
gen_require(`
type compat_ipv4_node_t;
')
allow $1 compat_ipv4_node_t:tcp_socket node_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_compat_ipv4_node'($*)) dnl
')
########################################
##
## Bind UDP sockets to the compat_ipv4 node.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_compat_ipv4_node',` dnl
dnl corenet_udp_bind_compat_ipv4_node(domain)
dnl Allows the domain passed as the first argument to bind UDP sockets to
dnl nodes labeled compat_ipv4_node_t (class udp_socket, permission node_bind).
dnl The define/pushdef/undefine lines only maintain policy_call_depth for the
dnl begin/end policy_m4_comment calls and emit nothing into the policy.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_compat_ipv4_node'($*)) dnl
gen_require(`
type compat_ipv4_node_t;
')
allow $1 compat_ipv4_node_t:udp_socket node_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_compat_ipv4_node'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the inaddr_any node.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_inaddr_any_node',` dnl
dnl corenet_tcp_sendrecv_inaddr_any_node(domain)
dnl Allows the domain passed as the first argument to send and receive TCP
dnl traffic on nodes labeled inaddr_any_node_t (class node, permissions
dnl tcp_send and tcp_recv). Unlike the UDP and raw variants this is a single
dnl allow rule, not a wrapper around separate send/receive interfaces.
dnl The define/pushdef/undefine lines only maintain policy_call_depth for the
dnl begin/end policy_m4_comment calls and emit nothing into the policy.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_inaddr_any_node'($*)) dnl
gen_require(`
type inaddr_any_node_t;
')
allow $1 inaddr_any_node_t:node { tcp_send tcp_recv };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_inaddr_any_node'($*)) dnl
')
########################################
##
## Send UDP traffic on the inaddr_any node.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_inaddr_any_node',` dnl
dnl corenet_udp_send_inaddr_any_node(domain)
dnl Allows the domain passed as the first argument to send UDP traffic on
dnl nodes labeled inaddr_any_node_t (class node, permission udp_send).
dnl The define/pushdef/undefine lines only maintain policy_call_depth for the
dnl begin/end policy_m4_comment calls and emit nothing into the policy.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_inaddr_any_node'($*)) dnl
gen_require(`
type inaddr_any_node_t;
')
allow $1 inaddr_any_node_t:node udp_send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_inaddr_any_node'($*)) dnl
')
########################################
##
## Receive UDP traffic on the inaddr_any node.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_inaddr_any_node',` dnl
dnl corenet_udp_receive_inaddr_any_node(domain)
dnl Allows the domain passed as the first argument to receive UDP traffic on
dnl nodes labeled inaddr_any_node_t (class node, permission udp_recv).
dnl The define/pushdef/undefine lines only maintain policy_call_depth for the
dnl begin/end policy_m4_comment calls and emit nothing into the policy.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_inaddr_any_node'($*)) dnl
gen_require(`
type inaddr_any_node_t;
')
allow $1 inaddr_any_node_t:node udp_recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_inaddr_any_node'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the inaddr_any node.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_inaddr_any_node',` dnl
dnl corenet_udp_sendrecv_inaddr_any_node(domain)
dnl Convenience wrapper: calls the UDP send and receive interfaces for the
dnl inaddr_any node on behalf of the domain passed as the first argument.
dnl It grants nothing beyond what those two interfaces grant.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_inaddr_any_node'($*)) dnl
corenet_udp_send_inaddr_any_node($1)
corenet_udp_receive_inaddr_any_node($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_inaddr_any_node'($*)) dnl
')
########################################
##
## Send raw IP packets on the inaddr_any node.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_raw_send_inaddr_any_node',` dnl
dnl corenet_raw_send_inaddr_any_node(domain)
dnl Allows the domain passed as the first argument to send raw IP packets on
dnl nodes labeled inaddr_any_node_t (class node, permission rawip_send).
dnl NOTE(review): raw IP send is not confined to a transport protocol;
dnl grant it only to domains that actually open raw sockets.
dnl The define/pushdef/undefine lines only maintain policy_call_depth for the
dnl begin/end policy_m4_comment calls and emit nothing into the policy.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_send_inaddr_any_node'($*)) dnl
gen_require(`
type inaddr_any_node_t;
')
allow $1 inaddr_any_node_t:node rawip_send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_send_inaddr_any_node'($*)) dnl
')
########################################
##
## Receive raw IP packets on the inaddr_any node.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_raw_receive_inaddr_any_node',` dnl
dnl corenet_raw_receive_inaddr_any_node(domain)
dnl Allows the domain passed as the first argument to receive raw IP packets on
dnl nodes labeled inaddr_any_node_t (class node, permission rawip_recv).
dnl NOTE(review): raw IP receive is not confined to a transport protocol;
dnl grant it only to domains that actually open raw sockets.
dnl The define/pushdef/undefine lines only maintain policy_call_depth for the
dnl begin/end policy_m4_comment calls and emit nothing into the policy.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_receive_inaddr_any_node'($*)) dnl
gen_require(`
type inaddr_any_node_t;
')
allow $1 inaddr_any_node_t:node rawip_recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_receive_inaddr_any_node'($*)) dnl
')
########################################
##
## Send and receive raw IP packets on the inaddr_any node.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_raw_sendrecv_inaddr_any_node',` dnl
dnl corenet_raw_sendrecv_inaddr_any_node(domain)
dnl Convenience wrapper: calls the raw IP send and receive interfaces for the
dnl inaddr_any node on behalf of the domain passed as the first argument.
dnl It grants nothing beyond what those two interfaces grant.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_sendrecv_inaddr_any_node'($*)) dnl
corenet_raw_send_inaddr_any_node($1)
corenet_raw_receive_inaddr_any_node($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_sendrecv_inaddr_any_node'($*)) dnl
')
########################################
##
## Bind TCP sockets to the inaddr_any node.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_inaddr_any_node',` dnl
dnl corenet_tcp_bind_inaddr_any_node(domain)
dnl Allows the domain passed as the first argument to bind TCP sockets to
dnl nodes labeled inaddr_any_node_t (class tcp_socket, permission node_bind).
dnl NOTE(review): inaddr_any is the wildcard-address node, i.e. what a listener
dnl on all addresses needs; a service that should only be reachable locally is
dnl better served by the corresponding lo node bind interface.
dnl The define/pushdef/undefine lines only maintain policy_call_depth for the
dnl begin/end policy_m4_comment calls and emit nothing into the policy.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_inaddr_any_node'($*)) dnl
gen_require(`
type inaddr_any_node_t;
')
allow $1 inaddr_any_node_t:tcp_socket node_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_inaddr_any_node'($*)) dnl
')
########################################
##
## Bind UDP sockets to the inaddr_any node.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_inaddr_any_node',` dnl
dnl corenet_udp_bind_inaddr_any_node(domain)
dnl Allows the domain passed as the first argument to bind UDP sockets to
dnl nodes labeled inaddr_any_node_t (class udp_socket, permission node_bind).
dnl NOTE(review): inaddr_any is the wildcard-address node; a service that
dnl should only be reachable locally is better served by the lo node variant.
dnl The define/pushdef/undefine lines only maintain policy_call_depth for the
dnl begin/end policy_m4_comment calls and emit nothing into the policy.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_inaddr_any_node'($*)) dnl
gen_require(`
type inaddr_any_node_t;
')
allow $1 inaddr_any_node_t:udp_socket node_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_inaddr_any_node'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the link_local node.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_link_local_node',` dnl
dnl corenet_tcp_sendrecv_link_local_node(domain)
dnl Allows the domain passed as the first argument to send and receive TCP
dnl traffic on nodes labeled link_local_node_t (class node, permissions
dnl tcp_send and tcp_recv) in a single allow rule.
dnl The define/pushdef/undefine lines only maintain policy_call_depth for the
dnl begin/end policy_m4_comment calls and emit nothing into the policy.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_link_local_node'($*)) dnl
gen_require(`
type link_local_node_t;
')
allow $1 link_local_node_t:node { tcp_send tcp_recv };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_link_local_node'($*)) dnl
')
########################################
##
## Send UDP traffic on the link_local node.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_link_local_node',` dnl
dnl corenet_udp_send_link_local_node(domain)
dnl Allows the domain passed as the first argument to send UDP traffic on
dnl nodes labeled link_local_node_t (class node, permission udp_send).
dnl The define/pushdef/undefine lines only maintain policy_call_depth for the
dnl begin/end policy_m4_comment calls and emit nothing into the policy.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_link_local_node'($*)) dnl
gen_require(`
type link_local_node_t;
')
allow $1 link_local_node_t:node udp_send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_link_local_node'($*)) dnl
')
########################################
##
## Receive UDP traffic on the link_local node.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_link_local_node',` dnl
dnl corenet_udp_receive_link_local_node(domain)
dnl Allows the domain passed as the first argument to receive UDP traffic on
dnl nodes labeled link_local_node_t (class node, permission udp_recv).
dnl The define/pushdef/undefine lines only maintain policy_call_depth for the
dnl begin/end policy_m4_comment calls and emit nothing into the policy.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_link_local_node'($*)) dnl
gen_require(`
type link_local_node_t;
')
allow $1 link_local_node_t:node udp_recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_link_local_node'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the link_local node.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_link_local_node',` dnl
dnl corenet_udp_sendrecv_link_local_node(domain)
dnl Convenience wrapper: calls the UDP send and receive interfaces for the
dnl link_local node on behalf of the domain passed as the first argument.
dnl It grants nothing beyond what those two interfaces grant.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_link_local_node'($*)) dnl
corenet_udp_send_link_local_node($1)
corenet_udp_receive_link_local_node($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_link_local_node'($*)) dnl
')
########################################
##
## Send raw IP packets on the link_local node.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_raw_send_link_local_node',` dnl
dnl corenet_raw_send_link_local_node(domain)
dnl Allows the domain passed as the first argument to send raw IP packets on
dnl nodes labeled link_local_node_t (class node, permission rawip_send).
dnl NOTE(review): raw IP send is not confined to a transport protocol;
dnl grant it only to domains that actually open raw sockets.
dnl The define/pushdef/undefine lines only maintain policy_call_depth for the
dnl begin/end policy_m4_comment calls and emit nothing into the policy.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_send_link_local_node'($*)) dnl
gen_require(`
type link_local_node_t;
')
allow $1 link_local_node_t:node rawip_send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_send_link_local_node'($*)) dnl
')
########################################
##
## Receive raw IP packets on the link_local node.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_raw_receive_link_local_node',` dnl
dnl corenet_raw_receive_link_local_node(domain)
dnl Allows the domain passed as the first argument to receive raw IP packets on
dnl nodes labeled link_local_node_t (class node, permission rawip_recv).
dnl NOTE(review): raw IP receive is not confined to a transport protocol;
dnl grant it only to domains that actually open raw sockets.
dnl The define/pushdef/undefine lines only maintain policy_call_depth for the
dnl begin/end policy_m4_comment calls and emit nothing into the policy.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_receive_link_local_node'($*)) dnl
gen_require(`
type link_local_node_t;
')
allow $1 link_local_node_t:node rawip_recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_receive_link_local_node'($*)) dnl
')
########################################
##
## Send and receive raw IP packets on the link_local node.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_raw_sendrecv_link_local_node',` dnl
dnl corenet_raw_sendrecv_link_local_node(domain)
dnl Convenience wrapper: calls the raw IP send and receive interfaces for the
dnl link_local node on behalf of the domain passed as the first argument.
dnl It grants nothing beyond what those two interfaces grant.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_sendrecv_link_local_node'($*)) dnl
corenet_raw_send_link_local_node($1)
corenet_raw_receive_link_local_node($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_sendrecv_link_local_node'($*)) dnl
')
########################################
##
## Bind TCP sockets to the link_local node.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_link_local_node',` dnl
dnl corenet_tcp_bind_link_local_node(domain)
dnl Allows the domain passed as the first argument to bind TCP sockets to
dnl nodes labeled link_local_node_t (class tcp_socket, permission node_bind).
dnl The define/pushdef/undefine lines only maintain policy_call_depth for the
dnl begin/end policy_m4_comment calls and emit nothing into the policy.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_link_local_node'($*)) dnl
gen_require(`
type link_local_node_t;
')
allow $1 link_local_node_t:tcp_socket node_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_link_local_node'($*)) dnl
')
########################################
##
## Bind UDP sockets to the link_local node.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_link_local_node',` dnl
dnl corenet_udp_bind_link_local_node(domain)
dnl Allows the domain passed as the first argument to bind UDP sockets to
dnl nodes labeled link_local_node_t (class udp_socket, permission node_bind).
dnl The define/pushdef/undefine lines only maintain policy_call_depth for the
dnl begin/end policy_m4_comment calls and emit nothing into the policy.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_link_local_node'($*)) dnl
gen_require(`
type link_local_node_t;
')
allow $1 link_local_node_t:udp_socket node_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_link_local_node'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the lo node.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_lo_node',` dnl
dnl corenet_tcp_sendrecv_lo_node(domain)
dnl Allows the domain passed as the first argument to send and receive TCP
dnl traffic on nodes labeled lo_node_t (class node, permissions tcp_send and
dnl tcp_recv) in a single allow rule.
dnl The define/pushdef/undefine lines only maintain policy_call_depth for the
dnl begin/end policy_m4_comment calls and emit nothing into the policy.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_lo_node'($*)) dnl
gen_require(`
type lo_node_t;
')
allow $1 lo_node_t:node { tcp_send tcp_recv };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_lo_node'($*)) dnl
')
########################################
##
## Send UDP traffic on the lo node.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_lo_node',` dnl
dnl corenet_udp_send_lo_node(domain)
dnl Allows the domain passed as the first argument to send UDP traffic on
dnl nodes labeled lo_node_t (class node, permission udp_send).
dnl The define/pushdef/undefine lines only maintain policy_call_depth for the
dnl begin/end policy_m4_comment calls and emit nothing into the policy.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_lo_node'($*)) dnl
gen_require(`
type lo_node_t;
')
allow $1 lo_node_t:node udp_send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_lo_node'($*)) dnl
')
########################################
##
## Receive UDP traffic on the lo node.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_lo_node',` dnl
dnl corenet_udp_receive_lo_node(domain)
dnl Allows the domain passed as the first argument to receive UDP traffic on
dnl nodes labeled lo_node_t (class node, permission udp_recv).
dnl The define/pushdef/undefine lines only maintain policy_call_depth for the
dnl begin/end policy_m4_comment calls and emit nothing into the policy.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_lo_node'($*)) dnl
gen_require(`
type lo_node_t;
')
allow $1 lo_node_t:node udp_recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_lo_node'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the lo node.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_lo_node',` dnl
dnl corenet_udp_sendrecv_lo_node(domain)
dnl Convenience wrapper: calls the UDP send and receive interfaces for the
dnl lo node on behalf of the domain passed as the first argument.
dnl It grants nothing beyond what those two interfaces grant.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_lo_node'($*)) dnl
corenet_udp_send_lo_node($1)
corenet_udp_receive_lo_node($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_lo_node'($*)) dnl
')
########################################
##
## Send raw IP packets on the lo node.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_raw_send_lo_node',` dnl
dnl corenet_raw_send_lo_node(domain)
dnl Allows the domain passed as the first argument to send raw IP packets on
dnl nodes labeled lo_node_t (class node, permission rawip_send).
dnl NOTE(review): raw IP send is not confined to a transport protocol;
dnl grant it only to domains that actually open raw sockets.
dnl The define/pushdef/undefine lines only maintain policy_call_depth for the
dnl begin/end policy_m4_comment calls and emit nothing into the policy.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_send_lo_node'($*)) dnl
gen_require(`
type lo_node_t;
')
allow $1 lo_node_t:node rawip_send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_send_lo_node'($*)) dnl
')
########################################
##
## Receive raw IP packets on the lo node.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_raw_receive_lo_node',` dnl
dnl corenet_raw_receive_lo_node(domain)
dnl Allows the domain passed as the first argument to receive raw IP packets on
dnl nodes labeled lo_node_t (class node, permission rawip_recv).
dnl NOTE(review): raw IP receive is not confined to a transport protocol;
dnl grant it only to domains that actually open raw sockets.
dnl The define/pushdef/undefine lines only maintain policy_call_depth for the
dnl begin/end policy_m4_comment calls and emit nothing into the policy.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_receive_lo_node'($*)) dnl
gen_require(`
type lo_node_t;
')
allow $1 lo_node_t:node rawip_recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_receive_lo_node'($*)) dnl
')
########################################
##
## Send and receive raw IP packets on the lo node.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_raw_sendrecv_lo_node',` dnl
dnl corenet_raw_sendrecv_lo_node(domain)
dnl Convenience wrapper: calls the raw IP send and receive interfaces for the
dnl lo node on behalf of the domain passed as the first argument.
dnl It grants nothing beyond what those two interfaces grant.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_sendrecv_lo_node'($*)) dnl
corenet_raw_send_lo_node($1)
corenet_raw_receive_lo_node($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_sendrecv_lo_node'($*)) dnl
')
########################################
##
## Bind TCP sockets to the lo node.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_lo_node',` dnl
dnl corenet_tcp_bind_lo_node(domain)
dnl Allows the domain passed as the first argument to bind TCP sockets to
dnl nodes labeled lo_node_t (class tcp_socket, permission node_bind).
dnl The define/pushdef/undefine lines only maintain policy_call_depth for the
dnl begin/end policy_m4_comment calls and emit nothing into the policy.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_lo_node'($*)) dnl
gen_require(`
type lo_node_t;
')
allow $1 lo_node_t:tcp_socket node_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_lo_node'($*)) dnl
')
########################################
##
## Bind UDP sockets to the lo node.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_lo_node',` dnl
dnl corenet_udp_bind_lo_node(domain)
dnl Allows the domain passed as the first argument to bind UDP sockets to
dnl nodes labeled lo_node_t (class udp_socket, permission node_bind).
dnl The define/pushdef/undefine lines only maintain policy_call_depth for the
dnl begin/end policy_m4_comment calls and emit nothing into the policy.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_lo_node'($*)) dnl
gen_require(`
type lo_node_t;
')
allow $1 lo_node_t:udp_socket node_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_lo_node'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the mapped_ipv4 node.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_mapped_ipv4_node',` dnl
dnl corenet_tcp_sendrecv_mapped_ipv4_node(domain)
dnl Allows the domain passed as the first argument to send and receive TCP
dnl traffic on nodes labeled mapped_ipv4_node_t (class node, permissions
dnl tcp_send and tcp_recv) in a single allow rule.
dnl The define/pushdef/undefine lines only maintain policy_call_depth for the
dnl begin/end policy_m4_comment calls and emit nothing into the policy.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_mapped_ipv4_node'($*)) dnl
gen_require(`
type mapped_ipv4_node_t;
')
allow $1 mapped_ipv4_node_t:node { tcp_send tcp_recv };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_mapped_ipv4_node'($*)) dnl
')
########################################
##
## Send UDP traffic on the mapped_ipv4 node.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_mapped_ipv4_node',` dnl
dnl corenet_udp_send_mapped_ipv4_node(domain)
dnl Allows the domain passed as the first argument to send UDP traffic on
dnl nodes labeled mapped_ipv4_node_t (class node, permission udp_send).
dnl The define/pushdef/undefine lines only maintain policy_call_depth for the
dnl begin/end policy_m4_comment calls and emit nothing into the policy.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_mapped_ipv4_node'($*)) dnl
gen_require(`
type mapped_ipv4_node_t;
')
allow $1 mapped_ipv4_node_t:node udp_send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_mapped_ipv4_node'($*)) dnl
')
########################################
##
## Receive UDP traffic on the mapped_ipv4 node.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_mapped_ipv4_node',` dnl
dnl corenet_udp_receive_mapped_ipv4_node(domain)
dnl Allows the domain passed as the first argument to receive UDP traffic on
dnl nodes labeled mapped_ipv4_node_t (class node, permission udp_recv).
dnl The define/pushdef/undefine lines only maintain policy_call_depth for the
dnl begin/end policy_m4_comment calls and emit nothing into the policy.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_mapped_ipv4_node'($*)) dnl
gen_require(`
type mapped_ipv4_node_t;
')
allow $1 mapped_ipv4_node_t:node udp_recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_mapped_ipv4_node'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the mapped_ipv4 node.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_mapped_ipv4_node',` dnl
dnl corenet_udp_sendrecv_mapped_ipv4_node(domain)
dnl Convenience wrapper: calls the UDP send and receive interfaces for the
dnl mapped_ipv4 node on behalf of the domain passed as the first argument.
dnl It grants nothing beyond what those two interfaces grant.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_mapped_ipv4_node'($*)) dnl
corenet_udp_send_mapped_ipv4_node($1)
corenet_udp_receive_mapped_ipv4_node($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_mapped_ipv4_node'($*)) dnl
')
########################################
##
## Send raw IP packets on the mapped_ipv4 node.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_raw_send_mapped_ipv4_node',` dnl
dnl corenet_raw_send_mapped_ipv4_node(domain)
dnl Allows the domain passed as the first argument to send raw IP packets on
dnl nodes labeled mapped_ipv4_node_t (class node, permission rawip_send).
dnl NOTE(review): raw IP send is not confined to a transport protocol;
dnl grant it only to domains that actually open raw sockets.
dnl The define/pushdef/undefine lines only maintain policy_call_depth for the
dnl begin/end policy_m4_comment calls and emit nothing into the policy.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_send_mapped_ipv4_node'($*)) dnl
gen_require(`
type mapped_ipv4_node_t;
')
allow $1 mapped_ipv4_node_t:node rawip_send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_send_mapped_ipv4_node'($*)) dnl
')
########################################
##
## Receive raw IP packets on the mapped_ipv4 node.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_raw_receive_mapped_ipv4_node',` dnl
dnl corenet_raw_receive_mapped_ipv4_node(domain)
dnl Allows the domain passed as the first argument to receive raw IP packets on
dnl nodes labeled mapped_ipv4_node_t (class node, permission rawip_recv).
dnl NOTE(review): raw IP receive is not confined to a transport protocol;
dnl grant it only to domains that actually open raw sockets.
dnl The define/pushdef/undefine lines only maintain policy_call_depth for the
dnl begin/end policy_m4_comment calls and emit nothing into the policy.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_receive_mapped_ipv4_node'($*)) dnl
gen_require(`
type mapped_ipv4_node_t;
')
allow $1 mapped_ipv4_node_t:node rawip_recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_receive_mapped_ipv4_node'($*)) dnl
')
########################################
##
## Send and receive raw IP packets on the mapped_ipv4 node.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_raw_sendrecv_mapped_ipv4_node',` dnl
dnl corenet_raw_sendrecv_mapped_ipv4_node(domain)
dnl Convenience wrapper: calls the raw IP send and receive interfaces for the
dnl mapped_ipv4 node on behalf of the domain passed as the first argument.
dnl It grants nothing beyond what those two interfaces grant.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_sendrecv_mapped_ipv4_node'($*)) dnl
corenet_raw_send_mapped_ipv4_node($1)
corenet_raw_receive_mapped_ipv4_node($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_sendrecv_mapped_ipv4_node'($*)) dnl
')
########################################
##
## Bind TCP sockets to the mapped_ipv4 node.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_mapped_ipv4_node',` dnl
dnl corenet_tcp_bind_mapped_ipv4_node(domain)
dnl Allows the domain passed as the first argument to bind TCP sockets to
dnl nodes labeled mapped_ipv4_node_t (class tcp_socket, permission node_bind).
dnl The define/pushdef/undefine lines only maintain policy_call_depth for the
dnl begin/end policy_m4_comment calls and emit nothing into the policy.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_mapped_ipv4_node'($*)) dnl
gen_require(`
type mapped_ipv4_node_t;
')
allow $1 mapped_ipv4_node_t:tcp_socket node_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_mapped_ipv4_node'($*)) dnl
')
########################################
##
## Bind UDP sockets to the mapped_ipv4 node.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_mapped_ipv4_node',` dnl
dnl corenet_udp_bind_mapped_ipv4_node(domain)
dnl Allows the domain passed as the first argument to bind UDP sockets to
dnl nodes labeled mapped_ipv4_node_t (class udp_socket, permission node_bind).
dnl The define/pushdef/undefine lines only maintain policy_call_depth for the
dnl begin/end policy_m4_comment calls and emit nothing into the policy.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_mapped_ipv4_node'($*)) dnl
gen_require(`
type mapped_ipv4_node_t;
')
allow $1 mapped_ipv4_node_t:udp_socket node_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_mapped_ipv4_node'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the multicast node.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_multicast_node',` dnl
dnl corenet_tcp_sendrecv_multicast_node(domain)
dnl Allows the domain passed as the first argument to send and receive TCP
dnl traffic on nodes labeled multicast_node_t (class node, permissions
dnl tcp_send and tcp_recv) in a single allow rule.
dnl The define/pushdef/undefine lines only maintain policy_call_depth for the
dnl begin/end policy_m4_comment calls and emit nothing into the policy.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_multicast_node'($*)) dnl
gen_require(`
type multicast_node_t;
')
allow $1 multicast_node_t:node { tcp_send tcp_recv };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_multicast_node'($*)) dnl
')
########################################
##
## Send UDP traffic on the multicast node.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_multicast_node',` dnl
dnl corenet_udp_send_multicast_node(domain)
dnl Allows the domain passed as the first argument to send UDP traffic on
dnl nodes labeled multicast_node_t (class node, permission udp_send).
dnl The define/pushdef/undefine lines only maintain policy_call_depth for the
dnl begin/end policy_m4_comment calls and emit nothing into the policy.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_multicast_node'($*)) dnl
gen_require(`
type multicast_node_t;
')
allow $1 multicast_node_t:node udp_send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_multicast_node'($*)) dnl
')
########################################
##
## Receive UDP traffic on the multicast node.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_multicast_node',` dnl
dnl corenet_udp_receive_multicast_node(domain)
dnl Allows the domain passed as the first argument to receive UDP traffic on
dnl nodes labeled multicast_node_t (class node, permission udp_recv).
dnl The define/pushdef/undefine lines only maintain policy_call_depth for the
dnl begin/end policy_m4_comment calls and emit nothing into the policy.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_multicast_node'($*)) dnl
gen_require(`
type multicast_node_t;
')
allow $1 multicast_node_t:node udp_recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_multicast_node'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the multicast node.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_multicast_node',` dnl
dnl corenet_udp_sendrecv_multicast_node(domain)
dnl Convenience wrapper: calls the UDP send and receive interfaces for the
dnl multicast node on behalf of the domain passed as the first argument.
dnl It grants nothing beyond what those two interfaces grant.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_multicast_node'($*)) dnl
corenet_udp_send_multicast_node($1)
corenet_udp_receive_multicast_node($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_multicast_node'($*)) dnl
')
########################################
##
## Send raw IP packets on the multicast node.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_raw_send_multicast_node',` dnl
dnl corenet_raw_send_multicast_node(domain)
dnl Allows the domain passed as the first argument to send raw IP packets on
dnl nodes labeled multicast_node_t (class node, permission rawip_send).
dnl NOTE(review): raw IP send is not confined to a transport protocol;
dnl grant it only to domains that actually open raw sockets.
dnl The define/pushdef/undefine lines only maintain policy_call_depth for the
dnl begin/end policy_m4_comment calls and emit nothing into the policy.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_send_multicast_node'($*)) dnl
gen_require(`
type multicast_node_t;
')
allow $1 multicast_node_t:node rawip_send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_send_multicast_node'($*)) dnl
')
########################################
##
## Receive raw IP packets on the multicast node.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_raw_receive_multicast_node',` dnl
dnl corenet_raw_receive_multicast_node(domain)
dnl Allows the domain passed as the first argument to receive raw IP packets on
dnl nodes labeled multicast_node_t (class node, permission rawip_recv).
dnl NOTE(review): raw IP receive is not confined to a transport protocol;
dnl grant it only to domains that actually open raw sockets.
dnl The define/pushdef/undefine lines only maintain policy_call_depth for the
dnl begin/end policy_m4_comment calls and emit nothing into the policy.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_receive_multicast_node'($*)) dnl
gen_require(`
type multicast_node_t;
')
allow $1 multicast_node_t:node rawip_recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_receive_multicast_node'($*)) dnl
')
########################################
##
## Send and receive raw IP packets on the multicast node.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_raw_sendrecv_multicast_node',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_sendrecv_multicast_node'($*)) dnl
dnl Wrapper: grants $1 rawip_send and rawip_recv on multicast_node_t by
dnl expanding the two single-direction interfaces above. Raw IP access is
dnl a strong capability; prefer the tcp/udp variants when the caller does
dnl not truly need raw sockets.
corenet_raw_send_multicast_node($1)
corenet_raw_receive_multicast_node($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_sendrecv_multicast_node'($*)) dnl
')
########################################
##
## Bind TCP sockets to the multicast node.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_multicast_node',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_multicast_node'($*)) dnl
dnl node_bind on class tcp_socket: lets $1 bind a TCP socket to an address
dnl labeled multicast_node_t. This is the address half of a bind only;
dnl the port (tcp_socket name_bind on a port type) is presumably checked
dnl separately and is not granted here.
gen_require(`
type multicast_node_t;
')
allow $1 multicast_node_t:tcp_socket node_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_multicast_node'($*)) dnl
')
########################################
##
## Bind UDP sockets to the multicast node.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_multicast_node',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_multicast_node'($*)) dnl
dnl node_bind on class udp_socket: lets $1 bind a UDP socket to an address
dnl labeled multicast_node_t (typically to join a multicast group). Port
dnl binding and the udp_send/udp_recv node permissions are separate grants.
gen_require(`
type multicast_node_t;
')
allow $1 multicast_node_t:udp_socket node_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_multicast_node'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the site_local node.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_site_local_node',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_site_local_node'($*)) dnl
dnl Both TCP directions on the site_local node in a single rule (unlike the
dnl UDP variants, there are no separate send/receive TCP interfaces here).
dnl Class node only: tcp_socket permissions are not granted by this call.
gen_require(`
type site_local_node_t;
')
allow $1 site_local_node_t:node { tcp_send tcp_recv };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_site_local_node'($*)) dnl
')
########################################
##
## Send UDP traffic on the site_local node.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_site_local_node',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_site_local_node'($*)) dnl
dnl Outbound half only: $1 may send UDP datagrams to addresses labeled
dnl site_local_node_t. Pair with corenet_udp_receive_site_local_node (or use
dnl the sendrecv wrapper) for two-way traffic.
gen_require(`
type site_local_node_t;
')
allow $1 site_local_node_t:node udp_send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_site_local_node'($*)) dnl
')
########################################
##
## Receive UDP traffic on the site_local node.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_site_local_node',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_site_local_node'($*)) dnl
dnl Inbound half only: $1 may receive UDP datagrams from addresses labeled
dnl site_local_node_t. Class node only; socket and port permissions are
dnl granted elsewhere.
gen_require(`
type site_local_node_t;
')
allow $1 site_local_node_t:node udp_recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_site_local_node'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the site_local node.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_site_local_node',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_site_local_node'($*)) dnl
dnl Wrapper: expands to the send and receive interfaces above, giving $1
dnl udp_send and udp_recv on site_local_node_t (class node). Nothing beyond
dnl those two node permissions is granted.
corenet_udp_send_site_local_node($1)
corenet_udp_receive_site_local_node($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_site_local_node'($*)) dnl
')
########################################
##
## Send raw IP packets on the site_local node.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_raw_send_site_local_node',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_send_site_local_node'($*)) dnl
dnl Node-level permission only: $1 may emit raw IP packets towards
dnl site_local_node_t addresses. Owning the raw socket (rawip_socket class,
dnl presumably CAP_NET_RAW) must be granted separately.
gen_require(`
type site_local_node_t;
')
allow $1 site_local_node_t:node rawip_send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_send_site_local_node'($*)) dnl
')
########################################
##
## Receive raw IP packets on the site_local node.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_raw_receive_site_local_node',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_receive_site_local_node'($*)) dnl
dnl Node-level permission only: $1 may receive raw IP packets from
dnl site_local_node_t addresses. rawip_socket class permissions are a
dnl separate grant.
gen_require(`
type site_local_node_t;
')
allow $1 site_local_node_t:node rawip_recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_receive_site_local_node'($*)) dnl
')
########################################
##
## Send and receive raw IP packets on the site_local node.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_raw_sendrecv_site_local_node',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_sendrecv_site_local_node'($*)) dnl
dnl Wrapper: rawip_send plus rawip_recv on site_local_node_t via the two
dnl interfaces above. Raw IP is a strong capability; restrict callers to
dnl domains that genuinely craft or sniff packets.
corenet_raw_send_site_local_node($1)
corenet_raw_receive_site_local_node($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_sendrecv_site_local_node'($*)) dnl
')
########################################
##
## Bind TCP sockets to the site_local node.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_site_local_node',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_site_local_node'($*)) dnl
dnl node_bind on class tcp_socket: $1 may bind a TCP socket to an address
dnl labeled site_local_node_t. Address half of bind only; port name_bind
dnl is presumably a separate check and is not granted here.
gen_require(`
type site_local_node_t;
')
allow $1 site_local_node_t:tcp_socket node_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_site_local_node'($*)) dnl
')
########################################
##
## Bind UDP sockets to the site_local node.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_site_local_node',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_site_local_node'($*)) dnl
dnl node_bind on class udp_socket: $1 may bind a UDP socket to an address
dnl labeled site_local_node_t. Port binding and the udp_send/udp_recv node
dnl permissions are separate grants.
gen_require(`
type site_local_node_t;
')
allow $1 site_local_node_t:udp_socket node_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_site_local_node'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the unspec node.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_unspec_node',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_unspec_node'($*)) dnl
dnl Both TCP directions on unspec_node_t in one rule. NOTE(review):
dnl unspec_node_t is presumably the unspecified (wildcard) address node;
dnl confirm the address range in the corenetwork node declarations before
dnl treating this as a narrow grant. Class node only.
gen_require(`
type unspec_node_t;
')
allow $1 unspec_node_t:node { tcp_send tcp_recv };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_unspec_node'($*)) dnl
')
########################################
##
## Send UDP traffic on the unspec node.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_unspec_node',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_unspec_node'($*)) dnl
dnl Outbound half only: udp_send on unspec_node_t (class node).
dnl NOTE(review): the unspec node is presumably the unspecified address;
dnl verify what addresses it covers before relying on it as a restriction.
gen_require(`
type unspec_node_t;
')
allow $1 unspec_node_t:node udp_send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_unspec_node'($*)) dnl
')
########################################
##
## Receive UDP traffic on the unspec node.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_unspec_node',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_unspec_node'($*)) dnl
dnl Inbound half only: udp_recv on unspec_node_t (class node). Socket and
dnl port permissions are not granted here.
gen_require(`
type unspec_node_t;
')
allow $1 unspec_node_t:node udp_recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_unspec_node'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the unspec node.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_unspec_node',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_unspec_node'($*)) dnl
dnl Wrapper: expands to the send and receive interfaces above, so $1 gets
dnl udp_send and udp_recv on unspec_node_t (class node) and nothing more.
corenet_udp_send_unspec_node($1)
corenet_udp_receive_unspec_node($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_unspec_node'($*)) dnl
')
########################################
##
## Send raw IP packets on the unspec node.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_raw_send_unspec_node',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_send_unspec_node'($*)) dnl
dnl Node-level permission only: rawip_send towards unspec_node_t. Owning
dnl the raw socket (rawip_socket class, presumably CAP_NET_RAW) is granted
dnl elsewhere; keep callers to domains that really need raw packets.
gen_require(`
type unspec_node_t;
')
allow $1 unspec_node_t:node rawip_send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_send_unspec_node'($*)) dnl
')
########################################
##
## Receive raw IP packets on the unspec node.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_raw_receive_unspec_node',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_receive_unspec_node'($*)) dnl
dnl Node-level permission only: rawip_recv from unspec_node_t. The
dnl rawip_socket class permissions are a separate grant.
gen_require(`
type unspec_node_t;
')
allow $1 unspec_node_t:node rawip_recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_receive_unspec_node'($*)) dnl
')
########################################
##
## Send and receive raw IP packets on the unspec node.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_raw_sendrecv_unspec_node',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_sendrecv_unspec_node'($*)) dnl
dnl Wrapper: rawip_send plus rawip_recv on unspec_node_t via the two
dnl interfaces above. Strong capability; prefer the tcp/udp variants.
corenet_raw_send_unspec_node($1)
corenet_raw_receive_unspec_node($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_sendrecv_unspec_node'($*)) dnl
')
########################################
##
## Bind TCP sockets to the unspec node.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_unspec_node',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_unspec_node'($*)) dnl
dnl node_bind on class tcp_socket for unspec_node_t. NOTE(review): if the
dnl unspec node is the wildcard address, this is what a server needs to
dnl listen on all interfaces, so it is a broad grant; confirm the node
dnl definition. Port name_bind is not granted here.
gen_require(`
type unspec_node_t;
')
allow $1 unspec_node_t:tcp_socket node_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_unspec_node'($*)) dnl
')
########################################
##
## Bind UDP sockets to the unspec node.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_unspec_node',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_unspec_node'($*)) dnl
dnl node_bind on class udp_socket for unspec_node_t. NOTE(review): likely
dnl the wildcard-address bind used by UDP services listening everywhere;
dnl confirm the node definition. Port binding is a separate grant.
gen_require(`
type unspec_node_t;
')
allow $1 unspec_node_t:udp_socket node_bind;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_unspec_node'($*)) dnl
')
########################################
##
## Send and receive TCP network traffic on the lo interface.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_lo_if',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_lo_if'($*)) dnl
dnl Interface-level check (class netif, not node): both TCP directions
dnl over the loopback device labeled lo_netif_t. The node checks for the
dnl loopback address are separate interfaces and must be granted too.
gen_require(`
type lo_netif_t;
')
allow $1 lo_netif_t:netif { tcp_send tcp_recv };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_lo_if'($*)) dnl
')
########################################
##
## Send UDP network traffic on the lo interface.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_lo_if',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_lo_if'($*)) dnl
dnl Outbound half only, class netif: $1 may send UDP out of the loopback
dnl interface. Node and socket permissions are separate.
gen_require(`
type lo_netif_t;
')
allow $1 lo_netif_t:netif udp_send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_lo_if'($*)) dnl
')
########################################
##
## Receive UDP network traffic on the lo interface.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_lo_if',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_lo_if'($*)) dnl
dnl Inbound half only, class netif: $1 may receive UDP arriving on the
dnl loopback interface. Node and socket permissions are separate.
gen_require(`
type lo_netif_t;
')
allow $1 lo_netif_t:netif udp_recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_lo_if'($*)) dnl
')
########################################
##
## Send and receive UDP network traffic on the lo interface.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_lo_if',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_lo_if'($*)) dnl
dnl Wrapper: udp_send plus udp_recv on lo_netif_t (class netif) via the
dnl two interfaces above.
corenet_udp_send_lo_if($1)
corenet_udp_receive_lo_if($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_lo_if'($*)) dnl
')
########################################
##
## Send raw IP packets on the lo interface.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_raw_send_lo_if',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_send_lo_if'($*)) dnl
dnl Interface-level permission only: rawip_send out of the loopback
dnl device. Owning the raw socket (rawip_socket class, presumably
dnl CAP_NET_RAW) is granted elsewhere.
gen_require(`
type lo_netif_t;
')
allow $1 lo_netif_t:netif rawip_send;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_send_lo_if'($*)) dnl
')
########################################
##
## Receive raw IP packets on the lo interface.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_raw_receive_lo_if',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_receive_lo_if'($*)) dnl
dnl Interface-level permission only: rawip_recv on the loopback device.
dnl rawip_socket class permissions are a separate grant.
gen_require(`
type lo_netif_t;
')
allow $1 lo_netif_t:netif rawip_recv;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_receive_lo_if'($*)) dnl
')
########################################
##
## Send and receive raw IP packets on the lo interface.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_raw_sendrecv_lo_if',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_sendrecv_lo_if'($*)) dnl
dnl Wrapper: rawip_send plus rawip_recv on lo_netif_t (class netif) via
dnl the two interfaces above. Loopback-only, but still raw IP.
corenet_raw_send_lo_if($1)
corenet_raw_receive_lo_if($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_sendrecv_lo_if'($*)) dnl
')
##
## Device nodes and interfaces for many basic system devices.
##
##
##
## This module creates the device node concept and provides
## the policy for many of the device files. Notable exceptions are
## the mass storage and terminal devices that are covered by other
## modules.
##
##
## This module creates the concept of a device node. That is a
## char or block device file, usually in /dev. All types that
## are used to label device nodes should use the dev_node macro.
##
##
## Additionally, this module controls access to three things:
##
## - the device directories containing device nodes
## - device nodes as a group
## - individual access to specific device nodes covered by
## this module.
##
##
##
##
## Depended on by other required modules.
##
########################################
##
## Make the passed in type a type appropriate for
## use on device nodes (usually files in /dev).
##
##
##
## The object type that will be used on device nodes.
##
##
#
define(`dev_node',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_node'($*)) dnl
dnl Tags $1 with the device_node attribute. Every dev_* interface whose
dnl target is the attribute (for example dev_relabel_all_dev_nodes below)
dnl then applies to $1 as well, so only use this on types that really
dnl label device files.
gen_require(`
attribute device_node;
')
typeattribute $1 device_node;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_node'($*)) dnl
')
########################################
##
## Allow full relabeling (to and from) of all device nodes.
##
##
##
## Domain allowed to relabel.
##
##
##
#
define(`dev_relabel_all_dev_nodes',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_relabel_all_dev_nodes'($*)) dnl
dnl Highly privileged: relabelto on every device_node type lets $1 decide
dnl which policy type any block/char device carries, which in turn decides
dnl who may open it. Reserve for the device-management domains.
dnl NOTE(review): despite the summary, dirs, files, fifos and socks get
dnl relabelfrom only (relabelfrom_*_pattern); relabelto is granted just for
dnl blk_file and chr_file. The two explicit allow lines at the end appear
dnl to duplicate what relabel_blk/chr_files_pattern already grant.
gen_require(`
attribute device_node;
type device_t;
')
relabelfrom_dirs_pattern($1,device_t,device_node)
relabelfrom_files_pattern($1,device_t,device_node)
relabelfrom_lnk_files_pattern($1,device_t,{ device_t device_node })
relabelfrom_fifo_files_pattern($1,device_t,device_node)
relabelfrom_sock_files_pattern($1,device_t,device_node)
relabel_blk_files_pattern($1,device_t,{ device_t device_node })
relabel_chr_files_pattern($1,device_t,{ device_t device_node })
allow $1 { device_t device_node }:blk_file { getattr relabelfrom relabelto };
allow $1 { device_t device_node }:chr_file { getattr relabelfrom relabelto };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_relabel_all_dev_nodes'($*)) dnl
')
########################################
##
## List all of the device nodes in a device directory.
##
##
##
## Domain allowed to list device nodes.
##
##
#
define(`dev_list_all_dev_nodes',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_list_all_dev_nodes'($*)) dnl
dnl Read-only view of device_t directories plus getattr/read on symlinks
dnl in them, so $1 can enumerate /dev and resolve links such as by-id
dnl aliases. No permission on the device nodes themselves is granted.
gen_require(`
type device_t;
')
allow $1 device_t:dir r_dir_perms;
allow $1 device_t:lnk_file { getattr read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_list_all_dev_nodes'($*)) dnl
')
########################################
##
## Set the attributes of /dev directories.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_setattr_generic_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_setattr_generic_dirs'($*)) dnl
dnl setattr only on device_t directories (mode, owner, timestamps). No
dnl search or relabel permission is included, so pair with a list or
dnl search interface if $1 must reach the directory by path.
gen_require(`
type device_t;
')
allow $1 device_t:dir setattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_setattr_generic_dirs'($*)) dnl
')
########################################
##
## Dontaudit attempts to list all device nodes.
##
##
##
## Domain to dontaudit listing of device nodes.
##
##
#
define(`dev_dontaudit_list_all_dev_nodes',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_list_all_dev_nodes'($*)) dnl
dnl Silences the AVC denial for directory listing of device_t; the access
dnl is still denied. Use only for known-harmless probes, since it also
dnl hides a real attempt by $1 to enumerate /dev.
gen_require(`
type device_t;
')
dontaudit $1 device_t:dir r_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_list_all_dev_nodes'($*)) dnl
')
########################################
##
## Create a directory in the device directory.
##
##
##
## Domain allowed to create the directory.
##
##
#
define(`dev_create_generic_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_create_generic_dirs'($*)) dnl
dnl ra_dir_perms (read/add-entry) plus create on class dir: $1 may make
dnl subdirectories under device_t directories. Presumably the new
dnl directory inherits device_t unless a type_transition says otherwise.
gen_require(`
type device_t;
')
allow $1 device_t:dir { ra_dir_perms create };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_create_generic_dirs'($*)) dnl
')
########################################
##
## Delete a directory in the device directory.
##
##
##
## Domain allowed to delete the directory.
##
##
#
define(`dev_delete_generic_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_delete_generic_dirs'($*)) dnl
dnl del_entry_dir_perms on the parent plus rmdir on the directory itself,
dnl both on device_t. Only empty directories can go; files inside need
dnl dev_delete_generic_files or a type-specific interface.
gen_require(`
type device_t;
')
allow $1 device_t:dir { del_entry_dir_perms rmdir };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_delete_generic_dirs'($*)) dnl
')
########################################
##
## Allow full relabeling (to and from) of directories in /dev.
##
##
##
## Domain allowed to relabel.
##
##
#
define(`dev_relabel_generic_dev_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_relabel_generic_dev_dirs'($*)) dnl
dnl Both relabel directions on directories typed device_t, with read
dnl access so $1 can find them. Scope is the plain device_t type only;
dnl directories carrying a device_node attribute type are not covered.
gen_require(`
type device_t;
')
allow $1 device_t:dir { r_dir_perms relabelfrom relabelto };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_relabel_generic_dev_dirs'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes of generic files in /dev.
##
##
##
## Domain to not audit.
##
##
#
define(`dev_dontaudit_getattr_generic_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_getattr_generic_files'($*)) dnl
dnl Suppresses the denial log for stat() of regular files labeled
dnl device_t; the access stays denied. Typical use: a domain that walks
dnl /dev and trips over leftover regular files.
gen_require(`
type device_t;
')
dontaudit $1 device_t:file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_getattr_generic_files'($*)) dnl
')
########################################
##
## Read and write generic files in /dev.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rw_generic_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_generic_files'($*)) dnl
dnl search on the directory (reach by name, not list) plus rw_file_perms
dnl on regular files labeled device_t. Anything in /dev that has no more
dnl specific label stays device_t, so this is a broad grant; prefer a
dnl dedicated type and interface whenever the file is known in advance.
gen_require(`
type device_t;
')
allow $1 device_t:dir search;
allow $1 device_t:file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_generic_files'($*)) dnl
')
########################################
##
## Delete generic files in /dev.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_delete_generic_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_delete_generic_files'($*)) dnl
dnl unlink on regular files labeled device_t, with the minimal directory
dnl permissions needed to remove an entry. NOTE(review): the dir perms are
dnl spelled out rather than using del_entry_dir_perms as the dirs variant
dnl does; possibly narrower, left as is to avoid widening the grant.
gen_require(`
type device_t;
')
allow $1 device_t:dir { search write remove_name };
allow $1 device_t:file unlink;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_delete_generic_files'($*)) dnl
')
########################################
##
## Manage (create, read, write, and delete) generic files in the device directory.
##
##
##
## Domain allowed to manage the files.
##
##
#
define(`dev_manage_generic_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_manage_generic_files'($*)) dnl
dnl Broader than "create": rw_dir_perms on device_t directories and
dnl manage_file_perms on device_t regular files, i.e. full lifecycle
dnl (create, read, write, delete and the rest of the manage set). Because
dnl device_t is the fallback label in /dev, callers should be few.
gen_require(`
type device_t;
')
allow $1 device_t:dir rw_dir_perms;
allow $1 device_t:file manage_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_manage_generic_files'($*)) dnl
')
########################################
##
## Dontaudit getattr on generic pipes.
##
##
##
## Domain to dontaudit.
##
##
#
define(`dev_dontaudit_getattr_generic_pipes',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_getattr_generic_pipes'($*)) dnl
dnl Suppresses the denial log for stat() of FIFOs labeled device_t; the
dnl access itself is still denied.
gen_require(`
type device_t;
')
dontaudit $1 device_t:fifo_file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_getattr_generic_pipes'($*)) dnl
')
########################################
##
## Allow getattr on generic block devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_getattr_generic_blk_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_generic_blk_files'($*)) dnl
dnl Lets $1 list device_t directories and stat() block devices that still
dnl carry the generic device_t label. getattr only: no open, read or
dnl write on the device, so this is safe for inventory-style tools.
gen_require(`
type device_t;
')
allow $1 device_t:dir r_dir_perms;
allow $1 device_t:blk_file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_generic_blk_files'($*)) dnl
')
########################################
##
## Dontaudit getattr on generic block devices.
##
##
##
## Domain to dontaudit access.
##
##
#
define(`dev_dontaudit_getattr_generic_blk_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_getattr_generic_blk_files'($*)) dnl
dnl Suppresses the denial log for stat() of device_t block devices; the
dnl access is still denied. Counterpart of dev_getattr_generic_blk_files
dnl for domains that should not be noisy but also should not succeed.
gen_require(`
type device_t;
')
dontaudit $1 device_t:blk_file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_getattr_generic_blk_files'($*)) dnl
')
########################################
##
## Dontaudit setattr on generic block devices.
##
##
##
## Domain to dontaudit access.
##
##
#
define(`dev_dontaudit_setattr_generic_blk_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_setattr_generic_blk_files'($*)) dnl
dnl Suppresses the denial log for chmod/chown style changes on device_t
dnl block devices; the change is still refused. Hiding setattr attempts
dnl on devices removes a useful signal, so apply narrowly.
gen_require(`
type device_t;
')
dontaudit $1 device_t:blk_file setattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_setattr_generic_blk_files'($*)) dnl
')
########################################
##
## Allow creating generic character device files (grants the mknod capability; read/write are not included).
##
##
##
## Domain allowed access.
##
##
#
define(`dev_create_generic_chr_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_create_generic_chr_files'($*)) dnl
dnl SECURITY: grants $1 the mknod capability on itself. With CAP_MKNOD a
dnl domain can create a character node with any major/minor under a
dnl device_t directory, i.e. a fresh handle to hardware it may otherwise
dnl have no label-based access to. Keep callers to device managers.
dnl NOTE(review): only create is granted on chr_file here; read/write of
dnl the resulting node is not part of this interface.
gen_require(`
type device_t;
')
allow $1 device_t:dir ra_dir_perms;
allow $1 device_t:chr_file create;
allow $1 self:capability mknod;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_create_generic_chr_files'($*)) dnl
')
########################################
##
## Get the attributes of generic character device
## nodes (device_t), including read access to the
## device directory.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_getattr_generic_chr_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_generic_chr_files'($*)) dnl
gen_require(`
type device_t;
')
allow $1 device_t:dir r_dir_perms;
allow $1 device_t:chr_file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_generic_chr_files'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes of
## generic character device nodes (device_t).
##
##
##
## Domain to dontaudit access.
##
##
#
define(`dev_dontaudit_getattr_generic_chr_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_getattr_generic_chr_files'($*)) dnl
gen_require(`
type device_t;
')
# dontaudit only silences the denial message; no access is granted.
dontaudit $1 device_t:chr_file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_getattr_generic_chr_files'($*)) dnl
')
########################################
##
## Do not audit attempts to set the attributes of
## generic character device nodes (device_t).
##
##
##
## Domain to dontaudit access.
##
##
#
define(`dev_dontaudit_setattr_generic_chr_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_setattr_generic_chr_files'($*)) dnl
gen_require(`
type device_t;
')
# dontaudit only silences the denial message; no access is granted.
dontaudit $1 device_t:chr_file setattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_setattr_generic_chr_files'($*)) dnl
')
########################################
##
## Do not audit attempts to set the attributes
## of symbolic links in device directories (/dev).
##
##
##
## Domain to not audit.
##
##
#
define(`dev_dontaudit_setattr_generic_symlinks',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_setattr_generic_symlinks'($*)) dnl
gen_require(`
type device_t;
')
# dontaudit only silences the denial message; no access is granted.
dontaudit $1 device_t:lnk_file setattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_setattr_generic_symlinks'($*)) dnl
')
########################################
##
## Create symbolic links (device_t) in device directories.
## Grants add-entry access on the directory and create on
## the link only; reading or deleting links is not included.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_create_generic_symlinks',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_create_generic_symlinks'($*)) dnl
gen_require(`
type device_t;
')
allow $1 device_t:dir add_entry_dir_perms;
allow $1 device_t:lnk_file create;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_create_generic_symlinks'($*)) dnl
')
########################################
##
## Delete symbolic links (device_t) in device directories.
## Grants delete-entry access on the directory and unlink
## on the link.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_delete_generic_symlinks',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_delete_generic_symlinks'($*)) dnl
gen_require(`
type device_t;
')
allow $1 device_t:dir del_entry_dir_perms;
allow $1 device_t:lnk_file unlink;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_delete_generic_symlinks'($*)) dnl
')
########################################
##
## Create, delete, read, and write symbolic links
## (device_t) in device directories.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_manage_generic_symlinks',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_manage_generic_symlinks'($*)) dnl
gen_require(`
type device_t;
')
allow $1 device_t:dir rw_dir_perms;
allow $1 device_t:lnk_file create_lnk_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_manage_generic_symlinks'($*)) dnl
')
########################################
##
## Relabel symbolic links in device directories
## to and from the device_t type.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_relabel_generic_symlinks',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_relabel_generic_symlinks'($*)) dnl
gen_require(`
type device_t;
')
allow $1 device_t:dir r_dir_perms;
# Both directions are granted: the domain may change a link
# labelled device_t to another type and vice versa.
allow $1 device_t:lnk_file { relabelfrom relabelto };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_relabel_generic_symlinks'($*)) dnl
')
########################################
##
## Create, delete, read, write, and relabel all device nodes
## in device directories, both the generic device_t type and
## every type carrying the device_node attribute. This also
## adds the domain to the raw disk, SCSI generic, and raw
## memory access sets; prefer a narrower dev_* interface
## when the domain does not need all of this.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_manage_all_dev_nodes',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_manage_all_dev_nodes'($*)) dnl
gen_require(`
attribute device_node, memory_raw_read, memory_raw_write;
type device_t;
')
# Explicit permission lists rather than the named perm sets;
# note the dir rule also includes relabelfrom/relabelto.
allow $1 device_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto };
allow $1 device_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
allow $1 device_t:lnk_file { create read getattr setattr link unlink rename };
allow $1 device_t:{ chr_file blk_file } { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto };
# device_node covers every specific device type, so this grants
# the same access to all labelled device nodes.
allow $1 device_node:{ chr_file blk_file } { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto };
# these next rules are to satisfy assertions broken by the above lines.
# the permissions hopefully can be cut back a lot
storage_raw_read_fixed_disk($1)
storage_raw_write_fixed_disk($1)
storage_read_scsi_generic($1)
storage_write_scsi_generic($1)
# Membership in the raw memory attributes is recorded on the domain;
# presumably these attributes are what the assertions are written against.
typeattribute $1 memory_raw_read;
typeattribute $1 memory_raw_write;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_manage_all_dev_nodes'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes of, read,
## write, or ioctl generic character and block device
## nodes (device_t).
##
##
##
## Domain to dontaudit access.
##
##
#
define(`dev_dontaudit_rw_generic_dev_nodes',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_rw_generic_dev_nodes'($*)) dnl
gen_require(`
type device_t;
')
# Covers both node classes and the full read/write/ioctl set, not just getattr.
dontaudit $1 device_t:{ chr_file blk_file } { getattr read write ioctl };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_rw_generic_dev_nodes'($*)) dnl
')
########################################
##
## Create, delete, read, and write generic block
## device nodes (device_t) in device directories.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_manage_generic_blk_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_manage_generic_blk_files'($*)) dnl
gen_require(`
type device_t;
')
allow $1 device_t:dir rw_dir_perms;
allow $1 device_t:blk_file create_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_manage_generic_blk_files'($*)) dnl
')
########################################
##
## Create, delete, read, and write generic character
## device nodes (device_t) in device directories.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_manage_generic_chr_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_manage_generic_chr_files'($*)) dnl
gen_require(`
type device_t;
')
allow $1 device_t:dir rw_dir_perms;
allow $1 device_t:chr_file create_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_m4_comment_guard_never_used,`') dnl
')
########################################
##
## Create, read, and write device nodes. Objects of the
## given class(es) that the domain creates in device
## directories will be transitioned to the type provided.
##
##
##
## Domain allowed access.
##
##
##
##
## Type to which the created node will be transitioned.
##
##
##
##
## Object class(es) (single or set including {}) for which
## the transition will occur.
##
##
#
define(`dev_filetrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_filetrans'($*)) dnl
gen_require(`
type device_t;
')
allow $1 device_t:dir rw_dir_perms;
# New objects of class(es) $3 created in device_t directories get type $2.
type_transition $1 device_t:$3 $2;
# The new type must be allowed to associate with the filesystems
# device directories live on; presumably tmpfs and tmp here.
fs_associate_tmpfs($2)
files_associate_tmp($2)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_filetrans'($*)) dnl
')
########################################
##
## Get the attributes of all block device nodes
## carrying the device_node attribute.
##
##
##
## Domain allowed access.
##
##
##
#
define(`dev_getattr_all_blk_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_all_blk_files'($*)) dnl
gen_require(`
attribute device_node;
')
# No directory access is granted here; callers need search on /dev separately.
allow $1 device_node:blk_file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_all_blk_files'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes of all
## block device nodes, both device_node types and the
## generic device_t type.
##
##
##
## Domain to dontaudit access.
##
##
#
define(`dev_dontaudit_getattr_all_blk_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_getattr_all_blk_files'($*)) dnl
gen_require(`
attribute device_node;
')
dontaudit $1 device_node:blk_file getattr;
# device_t does not carry device_node, so the generic nodes are covered separately.
dev_dontaudit_getattr_generic_blk_files($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_getattr_all_blk_files'($*)) dnl
')
########################################
##
## Get the attributes of all character device nodes
## carrying the device_node attribute.
##
##
##
## Domain allowed access.
##
##
##
#
define(`dev_getattr_all_chr_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_all_chr_files'($*)) dnl
gen_require(`
attribute device_node;
')
# No directory access is granted here; callers need search on /dev separately.
allow $1 device_node:chr_file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_all_chr_files'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes of all
## character device nodes, both device_node types and
## the generic device_t type.
##
##
##
## Domain to dontaudit access.
##
##
#
define(`dev_dontaudit_getattr_all_chr_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_getattr_all_chr_files'($*)) dnl
gen_require(`
attribute device_node;
')
dontaudit $1 device_node:chr_file getattr;
# device_t does not carry device_node, so the generic nodes are covered separately.
dev_dontaudit_getattr_generic_chr_files($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_getattr_all_chr_files'($*)) dnl
')
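########################################
##
## Set the attributes of all block device nodes
## carrying the device_node attribute.
##
##
##
## Domain allowed access.
##
##
##
#
define(`dev_setattr_all_blk_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_setattr_all_blk_files'($*)) dnl
gen_require(`
attribute device_node;
type device_t;
')
# device_t is required above because the directory rule references it.
allow $1 device_t:dir r_dir_perms;
allow $1 device_node:blk_file setattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_setattr_all_blk_files'($*)) dnl
')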
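########################################
##
## Set the attributes of all character device nodes
## carrying the device_node attribute.
##
##
##
## Domain allowed access.
##
##
##
#
define(`dev_setattr_all_chr_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_setattr_all_chr_files'($*)) dnl
gen_require(`
attribute device_node;
type device_t;
')
# device_t is required above because the directory rule references it.
allow $1 device_t:dir r_dir_perms;
allow $1 device_node:chr_file setattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_setattr_all_chr_files'($*)) dnl
')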
########################################
##
## Do not audit attempts to get the attributes of or
## read all block device nodes carrying the
## device_node attribute.
##
##
##
## Domain to not audit.
##
##
#
define(`dev_dontaudit_read_all_blk_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_read_all_blk_files'($*)) dnl
gen_require(`
attribute device_node;
')
# dontaudit only silences the denial message; no access is granted.
dontaudit $1 device_node:blk_file { getattr read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_read_all_blk_files'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes of or
## read all character device nodes carrying the
## device_node attribute.
##
##
##
## Domain to not audit.
##
##
#
define(`dev_dontaudit_read_all_chr_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_read_all_chr_files'($*)) dnl
gen_require(`
attribute device_node;
')
# dontaudit only silences the denial message; no access is granted.
dontaudit $1 device_node:chr_file { getattr read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_read_all_chr_files'($*)) dnl
')
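########################################
##
## Create block device nodes of any device_node type
## in device directories. Grants the mknod capability,
## add-entry access on the directory, and create on the node.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_create_all_blk_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_create_all_blk_files'($*)) dnl
gen_require(`
attribute device_node;
type device_t;
')
# Creating a device node needs CAP_MKNOD in addition to the file permission.
allow $1 self:capability mknod;
# device_t is required above because the directory rule references it.
allow $1 device_t:dir add_entry_dir_perms;
allow $1 device_node:blk_file create;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_create_all_blk_files'($*)) dnl
')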
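########################################
##
## Create character device nodes of any device_node type
## in device directories. Grants the mknod capability,
## add-entry access on the directory, and create on the node.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_create_all_chr_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_create_all_chr_files'($*)) dnl
gen_require(`
attribute device_node;
type device_t;
')
# Creating a device node needs CAP_MKNOD in addition to the file permission.
allow $1 self:capability mknod;
# device_t is required above because the directory rule references it.
allow $1 device_t:dir add_entry_dir_perms;
allow $1 device_node:chr_file create;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_create_all_chr_files'($*)) dnl
')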
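########################################
##
## Delete block device nodes of any device_node type
## from device directories.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_delete_all_blk_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_delete_all_blk_files'($*)) dnl
gen_require(`
attribute device_node;
type device_t;
')
# device_t is required above because the directory rule references it.
allow $1 device_t:dir del_entry_dir_perms;
allow $1 device_node:blk_file delete_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_delete_all_blk_files'($*)) dnl
')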
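########################################
##
## Delete character device nodes of any device_node type
## from device directories.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_delete_all_chr_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_delete_all_chr_files'($*)) dnl
gen_require(`
attribute device_node;
type device_t;
')
# device_t is required above because the directory rule references it.
allow $1 device_t:dir del_entry_dir_perms;
allow $1 device_node:chr_file delete_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_delete_all_chr_files'($*)) dnl
')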
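########################################
##
## Rename block device nodes of any device_node type
## within device directories.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rename_all_blk_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_rename_all_blk_files'($*)) dnl
gen_require(`
attribute device_node;
type device_t;
')
# device_t is required above because the directory rule references it.
allow $1 device_t:dir rw_dir_perms;
allow $1 device_node:blk_file rename;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_rename_all_blk_files'($*)) dnl
')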
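########################################
##
## Rename character device nodes of any device_node type
## within device directories.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rename_all_chr_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_rename_all_chr_files'($*)) dnl
gen_require(`
attribute device_node;
type device_t;
')
# device_t is required above because the directory rule references it.
allow $1 device_t:dir rw_dir_perms;
allow $1 device_node:chr_file rename;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_rename_all_chr_files'($*)) dnl
')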
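########################################
##
## Read, write, create, and delete block device nodes of
## any device_node type. This also adds the domain to the
## raw fixed disk and SCSI generic access sets.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_manage_all_blk_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_manage_all_blk_files'($*)) dnl
gen_require(`
attribute device_node;
type device_t;
')
# device_t is required above because the directory rule references it.
allow $1 device_t:dir rw_dir_perms;
allow $1 device_node:blk_file create_file_perms;
# these next rules are to satisfy assertions broken by the above lines.
storage_raw_read_fixed_disk($1)
storage_raw_write_fixed_disk($1)
storage_read_scsi_generic($1)
storage_write_scsi_generic($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_manage_all_blk_files'($*)) dnl
')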
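########################################
##
## Read, write, create, and delete character device nodes
## of any device_node type. This also adds the domain to the
## raw memory read and write attributes.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_manage_all_chr_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_manage_all_chr_files'($*)) dnl
gen_require(`
attribute device_node, memory_raw_read, memory_raw_write;
type device_t;
')
# device_t is required above because the directory rule references it.
allow $1 device_t:dir rw_dir_perms;
allow $1 device_node:chr_file create_file_perms;
# Raw memory devices are device_node types, so the domain is recorded
# as a raw memory reader and writer for the assertions that track this.
typeattribute $1 memory_raw_read, memory_raw_write;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_manage_all_chr_files'($*)) dnl
')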
########################################
##
## Get the attributes of the AGP devices (agp_device_t).
##
##
##
## Domain allowed access.
##
##
#
define(`dev_getattr_agp_dev',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_agp_dev'($*)) dnl
gen_require(`
type device_t, agp_device_t;
')
allow $1 device_t:dir r_dir_perms;
allow $1 agp_device_t:chr_file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_agp_dev'($*)) dnl
')
########################################
##
## Read and write the AGP devices (agp_device_t).
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rw_agp',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_agp'($*)) dnl
gen_require(`
type device_t, agp_device_t;
')
allow $1 device_t:dir r_dir_perms;
allow $1 agp_device_t:chr_file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_agp'($*)) dnl
')
########################################
##
## Get the attributes of the APM BIOS device node (apm_bios_t).
##
##
##
## Domain allowed access.
##
##
#
define(`dev_getattr_apm_bios_dev',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_apm_bios_dev'($*)) dnl
gen_require(`
type device_t, apm_bios_t;
')
allow $1 device_t:dir r_dir_perms;
allow $1 apm_bios_t:chr_file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_apm_bios_dev'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes of
## the APM BIOS device node (apm_bios_t).
##
##
##
## Domain to not audit.
##
##
#
define(`dev_dontaudit_getattr_apm_bios_dev',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_getattr_apm_bios_dev'($*)) dnl
gen_require(`
type apm_bios_t;
')
# dontaudit only silences the denial message; no access is granted.
dontaudit $1 apm_bios_t:chr_file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_getattr_apm_bios_dev'($*)) dnl
')
########################################
##
## Set the attributes of the APM BIOS device node (apm_bios_t).
##
##
##
## Domain allowed access.
##
##
#
define(`dev_setattr_apm_bios_dev',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_setattr_apm_bios_dev'($*)) dnl
gen_require(`
type device_t, apm_bios_t;
')
allow $1 device_t:dir r_dir_perms;
allow $1 apm_bios_t:chr_file setattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_setattr_apm_bios_dev'($*)) dnl
')
########################################
##
## Do not audit attempts to set the attributes of
## the APM BIOS device node (apm_bios_t).
##
##
##
## Domain to not audit.
##
##
#
define(`dev_dontaudit_setattr_apm_bios_dev',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_setattr_apm_bios_dev'($*)) dnl
gen_require(`
type apm_bios_t;
')
# dontaudit only silences the denial message; no access is granted.
dontaudit $1 apm_bios_t:chr_file setattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_setattr_apm_bios_dev'($*)) dnl
')
########################################
##
## Read and write the APM BIOS device node (apm_bios_t).
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rw_apm_bios',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_apm_bios'($*)) dnl
gen_require(`
type device_t, apm_bios_t;
')
allow $1 device_t:dir r_dir_perms;
allow $1 apm_bios_t:chr_file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_apm_bios'($*)) dnl
')
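########################################
##
## Read and write the PCMCIA card manager device
## (cardmgr_dev_t). Only read and write are granted on
## the node, not the full rw_file_perms set.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rw_cardmgr',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_cardmgr'($*)) dnl
gen_require(`
type device_t, cardmgr_dev_t;
')
# device_t is required above because the directory rule references it.
allow $1 device_t:dir r_dir_perms;
allow $1 cardmgr_dev_t:chr_file { read write };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_cardmgr'($*)) dnl
')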
########################################
##
## Do not audit attempts to read and write
## the PCMCIA card manager device (cardmgr_dev_t).
##
##
##
## Domain to not audit.
##
##
#
define(`dev_dontaudit_rw_cardmgr',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_rw_cardmgr'($*)) dnl
gen_require(`
type cardmgr_dev_t;
')
# dontaudit only silences the denial message; no access is granted.
dontaudit $1 cardmgr_dev_t:chr_file { read write };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_rw_cardmgr'($*)) dnl
')
########################################
##
## Create, read, write, and delete the PCMCIA card
## manager device nodes (cardmgr_dev_t), both character
## and block classes.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_manage_cardmgr_dev',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_manage_cardmgr_dev'($*)) dnl
gen_require(`
type device_t, cardmgr_dev_t;
')
allow $1 device_t:dir rw_dir_perms;
allow $1 cardmgr_dev_t:{ chr_file blk_file } manage_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_manage_cardmgr_dev'($*)) dnl
')
########################################
##
## Create, read, write, and delete the PCMCIA card
## manager device nodes, and label newly created
## character and block nodes in device directories
## as cardmgr_dev_t.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_create_cardmgr_dev',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_create_cardmgr_dev'($*)) dnl
gen_require(`
type device_t, cardmgr_dev_t;
')
allow $1 device_t:dir rw_dir_perms;
allow $1 cardmgr_dev_t:{ chr_file blk_file } manage_file_perms;
# Every chr_file or blk_file this domain creates under device_t gets
# cardmgr_dev_t, so this should only be used by the card manager itself.
type_transition $1 device_t:{ chr_file blk_file } cardmgr_dev_t;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_create_cardmgr_dev'($*)) dnl
')
########################################
##
## Get the attributes of the CPU microcode
## and id interfaces (cpu_device_t).
##
##
##
## Domain allowed access.
##
##
#
define(`dev_getattr_cpu_dev',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_cpu_dev'($*)) dnl
gen_require(`
type device_t, cpu_device_t;
')
# Only search on the device directory, narrower than the r_dir_perms
# used by the sibling getattr interfaces.
allow $1 device_t:dir search;
allow $1 cpu_device_t:chr_file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_cpu_dev'($*)) dnl
')
########################################
##
## Read the CPU identity device. Note that cpu_device_t
## also labels the CPU microcode node, so read access
## extends to that node as well.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_read_cpuid',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_read_cpuid'($*)) dnl
gen_require(`
type device_t, cpu_device_t;
')
allow $1 device_t:dir r_dir_perms;
allow $1 cpu_device_t:chr_file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_read_cpuid'($*)) dnl
')
########################################
##
## Read and write the CPU microcode device. This is
## required to load CPU microcode. Since cpu_device_t
## also labels the cpuid node, write access covers
## both nodes.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rw_cpu_microcode',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_cpu_microcode'($*)) dnl
gen_require(`
type device_t, cpu_device_t;
')
allow $1 device_t:dir r_dir_perms;
allow $1 cpu_device_t:chr_file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_cpu_microcode'($*)) dnl
')
########################################
##
## Read and write the hardware SSL accelerator.
##
## Grants rw_file_perms on crypt_device_t character device
## nodes. Which operations that permits depends on the driver
## behind the node; the policy does not further restrict ioctls.
##
## Parameters:
##   1. Domain allowed access.
##
#
define(`dev_rw_crypto',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_crypto'($*)) dnl
gen_require(`
type device_t, crypt_device_t;
')
allow $1 device_t:dir r_dir_perms;
allow $1 crypt_device_t:chr_file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_crypto'($*)) dnl
')
########################################
##
## Get the attributes of the DRI devices.
##
## Grants getattr only on dri_device_t character device nodes
## (plus read/search on device_t); no data access.
##
## Parameters:
##   1. Domain allowed access.
##
#
define(`dev_getattr_dri_dev',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_dri_dev'($*)) dnl
gen_require(`
type device_t, dri_device_t;
')
allow $1 device_t:dir r_dir_perms;
allow $1 dri_device_t:chr_file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_dri_dev'($*)) dnl
')
########################################
##
## Set the attributes of the DRI devices.
##
## Grants setattr on dri_device_t character device nodes
## (ownership, mode and timestamps), typically needed by the
## domain that fixes up device node permissions. It does not
## grant getattr or any data access.
##
## Parameters:
##   1. Domain allowed access.
##
#
define(`dev_setattr_dri_dev',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_setattr_dri_dev'($*)) dnl
gen_require(`
type device_t, dri_device_t;
')
allow $1 device_t:dir r_dir_perms;
allow $1 dri_device_t:chr_file setattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_setattr_dri_dev'($*)) dnl
')
########################################
##
## Read and write the DRI devices.
##
## Grants rw_file_perms on dri_device_t character device nodes.
## Use dev_dontaudit_rw_dri() instead for domains that probe the
## devices but do not actually need access.
##
## Parameters:
##   1. Domain allowed access.
##
#
define(`dev_rw_dri',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_dri'($*)) dnl
gen_require(`
type device_t, dri_device_t;
')
allow $1 device_t:dir r_dir_perms;
allow $1 dri_device_t:chr_file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_dri'($*)) dnl
')
########################################
##
## Do not audit read and write attempts on the DRI devices.
##
## This only suppresses AVC denial messages for
## { getattr read write ioctl } on dri_device_t; it grants no
## access. Use it for domains whose libraries open the devices
## opportunistically so the denials do not flood the audit log.
##
## Parameters:
##   1. Domain to not audit.
##
#
define(`dev_dontaudit_rw_dri',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_rw_dri'($*)) dnl
gen_require(`
type dri_device_t;
')
dontaudit $1 dri_device_t:chr_file { getattr read write ioctl };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_rw_dri'($*)) dnl
')
########################################
##
## Create, read, write, and delete the DRI devices.
##
## Grants full management (manage_file_perms) of dri_device_t
## character device nodes and rw_dir_perms on device_t so nodes
## can be added and removed. The type_transition labels every
## character device node the domain creates directly in device_t
## as dri_device_t, so this should only be given to the device
## manager domain that is expected to create such nodes.
##
## Parameters:
##   1. Domain allowed access.
##
#
define(`dev_manage_dri_dev',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_manage_dri_dev'($*)) dnl
gen_require(`
type device_t, dri_device_t;
')
allow $1 device_t:dir rw_dir_perms;
allow $1 dri_device_t:chr_file manage_file_perms;
type_transition $1 device_t:chr_file dri_device_t;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_manage_dri_dev'($*)) dnl
')
########################################
##
## Get the attributes of the event devices.
##
## Grants getattr only on event_device_t character device nodes
## (plus read/search on device_t); no input data can be read.
##
## Parameters:
##   1. Domain allowed access.
##
#
define(`dev_getattr_event_dev',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_event_dev'($*)) dnl
gen_require(`
type device_t, event_device_t;
')
allow $1 device_t:dir r_dir_perms;
allow $1 event_device_t:chr_file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_event_dev'($*)) dnl
')
########################################
##
## Set the attributes of the event devices.
##
## Grants setattr on event_device_t character device nodes; no
## getattr and no data access.
##
## Parameters:
##   1. Domain allowed access.
##
#
define(`dev_setattr_event_dev',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_setattr_event_dev'($*)) dnl
gen_require(`
type device_t, event_device_t;
')
allow $1 device_t:dir r_dir_perms;
allow $1 event_device_t:chr_file setattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_setattr_event_dev'($*)) dnl
')
########################################
##
## Read input event devices (/dev/input).
##
## Security note: read access to event_device_t nodes exposes raw
## input events, which includes keystrokes from attached keyboards.
## Only grant this to domains that legitimately consume input
## (e.g. a display server); everything else is a keylogging risk.
##
## Parameters:
##   1. Domain allowed access.
##
#
define(`dev_read_input',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_read_input'($*)) dnl
gen_require(`
type device_t, event_device_t;
')
allow $1 device_t:dir r_dir_perms;
allow $1 event_device_t:chr_file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_read_input'($*)) dnl
')
########################################
##
## Read and write input event devices (/dev/input).
##
## Unlike dev_read_input(), this also grants write access, which
## allows the domain to inject events into the input subsystem,
## not just observe them. Prefer dev_read_input() unless the
## domain genuinely needs to write (e.g. set LED state or inject
## events).
##
## Parameters:
##   1. Domain allowed access.
##
#
define(`dev_rw_input_dev',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_input_dev'($*)) dnl
gen_require(`
type device_t, event_device_t;
')
allow $1 device_t:dir r_dir_perms;
allow $1 event_device_t:chr_file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_input_dev'($*)) dnl
')
########################################
##
## Get the attributes of the framebuffer device node.
##
## Grants getattr only on framebuf_device_t character device
## nodes (plus read/search on device_t); no access to the
## framebuffer contents.
##
## Parameters:
##   1. Domain allowed access.
##
#
define(`dev_getattr_framebuffer_dev',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_framebuffer_dev'($*)) dnl
gen_require(`
type device_t, framebuf_device_t;
')
allow $1 device_t:dir r_dir_perms;
allow $1 framebuf_device_t:chr_file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_framebuffer_dev'($*)) dnl
')
########################################
##
## Set the attributes of the framebuffer device node.
##
## Grants setattr on framebuf_device_t character device nodes;
## no getattr and no data access.
##
## Parameters:
##   1. Domain allowed access.
##
#
define(`dev_setattr_framebuffer_dev',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_setattr_framebuffer_dev'($*)) dnl
gen_require(`
type device_t, framebuf_device_t;
')
allow $1 device_t:dir r_dir_perms;
allow $1 framebuf_device_t:chr_file setattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_setattr_framebuffer_dev'($*)) dnl
')
########################################
##
## Do not audit attempts to set the attributes
## of the framebuffer device node.
##
## Suppresses AVC denial messages only; no access is granted.
##
## Parameters:
##   1. Domain to not audit.
##
#
define(`dev_dontaudit_setattr_framebuffer_dev',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_setattr_framebuffer_dev'($*)) dnl
gen_require(`
type framebuf_device_t;
')
dontaudit $1 framebuf_device_t:chr_file setattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_setattr_framebuffer_dev'($*)) dnl
')
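########################################
##
## Read the framebuffer.
##
## Grants r_file_perms on framebuf_device_t character device
## nodes, i.e. the ability to read display memory, plus
## read/search on device_t. Treat this like screen-capture
## access and grant it sparingly.
##
## Parameters:
##   1. Domain allowed access.
##
#
define(`dev_read_framebuffer',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_read_framebuffer'($*)) dnl
gen_require(`
type device_t, framebuf_device_t;
')
allow $1 device_t:dir r_dir_perms;
allow $1 framebuf_device_t:chr_file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_read_framebuffer'($*)) dnl
')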
########################################
##
## Do not audit attempts to read the framebuffer.
##
## Suppresses AVC denial messages for { getattr read } on
## framebuf_device_t only; no access is granted.
##
## Parameters:
##   1. Domain to not audit.
##
#
define(`dev_dontaudit_read_framebuffer',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_read_framebuffer'($*)) dnl
gen_require(`
type framebuf_device_t;
')
dontaudit $1 framebuf_device_t:chr_file { getattr read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_read_framebuffer'($*)) dnl
')
########################################
##
## Write the framebuffer.
##
## Grants { getattr write ioctl } on framebuf_device_t, enough to
## draw to the display and change its mode via ioctl, but
## deliberately not read, so the framebuffer contents cannot be
## scraped. Use dev_rw_framebuffer() when reading is required.
##
## Parameters:
##   1. Domain allowed access.
##
#
define(`dev_write_framebuffer',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_write_framebuffer'($*)) dnl
gen_require(`
type device_t, framebuf_device_t;
')
allow $1 device_t:dir r_dir_perms;
allow $1 framebuf_device_t:chr_file { getattr write ioctl };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_write_framebuffer'($*)) dnl
')
########################################
##
## Read and write the framebuffer.
##
## Grants rw_file_perms on framebuf_device_t character device
## nodes. Prefer dev_write_framebuffer() for domains that only
## render, since it withholds read access to display memory.
##
## Parameters:
##   1. Domain allowed access.
##
#
define(`dev_rw_framebuffer',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_framebuffer'($*)) dnl
gen_require(`
type device_t, framebuf_device_t;
')
allow $1 device_t:dir r_dir_perms;
allow $1 framebuf_device_t:chr_file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_framebuffer'($*)) dnl
')
########################################
##
## Read the LVM control device.
##
## Grants r_file_perms on lvm_control_t character device nodes.
## Note that r_file_perms includes ioctl; whether a given ioctl
## on the control device is read-only is decided by the driver,
## not by this policy.
##
## Parameters:
##   1. Domain allowed access.
##
#
define(`dev_read_lvm_control',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_read_lvm_control'($*)) dnl
gen_require(`
type device_t, lvm_control_t;
')
allow $1 device_t:dir r_dir_perms;
allow $1 lvm_control_t:chr_file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_read_lvm_control'($*)) dnl
')
########################################
##
## Read and write the LVM control device.
##
## Grants rw_file_perms on lvm_control_t character device nodes,
## which is the access needed to drive device-mapper configuration.
## Because this controls how block devices are mapped, restrict it
## to the LVM/device-mapper administration domain.
##
## Parameters:
##   1. Domain allowed access.
##
#
define(`dev_rw_lvm_control',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_lvm_control'($*)) dnl
gen_require(`
type device_t, lvm_control_t;
')
allow $1 device_t:dir r_dir_perms;
allow $1 lvm_control_t:chr_file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_lvm_control'($*)) dnl
')
########################################
##
## Delete the LVM control device.
##
## Grants unlink on lvm_control_t character device nodes together
## with the directory permissions needed to remove an entry from
## device_t ({ getattr search read write remove_name }). It does
## not grant create or add_name, so the node cannot be re-created
## through this interface alone.
##
## Parameters:
##   1. Domain allowed access.
##
#
define(`dev_delete_lvm_control_dev',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_delete_lvm_control_dev'($*)) dnl
gen_require(`
type device_t, lvm_control_t;
')
allow $1 device_t:dir { getattr search read write remove_name };
allow $1 lvm_control_t:chr_file unlink;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_delete_lvm_control_dev'($*)) dnl
')
########################################
##
## Do not audit getattr on raw memory devices (e.g. /dev/mem).
##
## Suppresses AVC denial messages for getattr on memory_device_t
## only; no access is granted. Useful for domains that stat
## everything under /dev (e.g. file listers) without needing the
## memory devices.
##
## Parameters:
##   1. Domain to not audit.
##
#
define(`dev_dontaudit_getattr_memory_dev',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_getattr_memory_dev'($*)) dnl
gen_require(`
type memory_device_t;
')
dontaudit $1 memory_device_t:chr_file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_getattr_memory_dev'($*)) dnl
')
########################################
##
## Read raw memory devices (e.g. /dev/mem).
##
## Security note: this grants r_file_perms on memory_device_t AND
## the sys_rawio capability on the domain itself. Read access to
## physical memory exposes kernel memory and every other process,
## including key material, so a domain with this interface is
## effectively trusted at kernel level. The domain is also added to
## the memory_raw_read attribute so such domains can be enumerated
## and constrained centrally.
##
## Parameters:
##   1. Domain allowed access.
##
#
define(`dev_read_raw_memory',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_read_raw_memory'($*)) dnl
gen_require(`
type device_t, memory_device_t;
attribute memory_raw_read;
')
allow $1 device_t:dir r_dir_perms;
allow $1 memory_device_t:chr_file r_file_perms;
# sys_rawio is a domain-wide capability, not scoped to memory_device_t
allow $1 self:capability sys_rawio;
typeattribute $1 memory_raw_read;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_read_raw_memory'($*)) dnl
')
########################################
##
## Write raw memory devices (e.g. /dev/mem).
##
## Security note: write access to physical memory plus the
## sys_rawio capability allows arbitrary modification of the
## running kernel; this is equivalent to unrestricted root.
## Only the write permission is granted on the device node here
## (no getattr/read/ioctl), so callers that also need to open the
## node for reading must use dev_read_raw_memory() as well.
## The domain is added to the memory_raw_write attribute so such
## domains can be enumerated and constrained centrally.
##
## Parameters:
##   1. Domain allowed access.
##
#
define(`dev_write_raw_memory',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_write_raw_memory'($*)) dnl
gen_require(`
type device_t, memory_device_t;
attribute memory_raw_write;
')
allow $1 device_t:dir r_dir_perms;
allow $1 memory_device_t:chr_file write;
# sys_rawio is a domain-wide capability, not scoped to memory_device_t
allow $1 self:capability sys_rawio;
typeattribute $1 memory_raw_write;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_write_raw_memory'($*)) dnl
')
########################################
##
## Read and execute raw memory devices (e.g. /dev/mem).
##
## Calls dev_read_raw_memory() (which also grants sys_rawio and
## adds the domain to memory_raw_read) and additionally allows
## execute on memory_device_t, i.e. mapping the device with
## execute permission. Reserved for domains such as the X server
## that must execute code from device memory.
##
## Parameters:
##   1. Domain allowed access.
##
#
define(`dev_rx_raw_memory',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_rx_raw_memory'($*)) dnl
gen_require(`
type device_t, memory_device_t;
')
dev_read_raw_memory($1)
allow $1 memory_device_t:chr_file execute;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_rx_raw_memory'($*)) dnl
')
########################################
##
## Write and execute raw memory devices (e.g. /dev/mem).
##
## Calls dev_write_raw_memory() (which also grants sys_rawio and
## adds the domain to memory_raw_write) and additionally allows
## execute on memory_device_t. Write plus execute on physical
## memory is the broadest access in this file; treat any caller
## as fully trusted.
##
## Parameters:
##   1. Domain allowed access.
##
#
define(`dev_wx_raw_memory',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_wx_raw_memory'($*)) dnl
gen_require(`
type device_t, memory_device_t;
')
dev_write_raw_memory($1)
allow $1 memory_device_t:chr_file execute;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_wx_raw_memory'($*)) dnl
')
########################################
##
## Get the attributes of miscellaneous devices.
##
## Grants getattr only on misc_device_t character device nodes
## (plus read/search on device_t); no data access.
##
## Parameters:
##   1. Domain allowed access.
##
#
define(`dev_getattr_misc_dev',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_misc_dev'($*)) dnl
gen_require(`
type device_t, misc_device_t;
')
allow $1 device_t:dir r_dir_perms;
allow $1 misc_device_t:chr_file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_misc_dev'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of miscellaneous devices.
##
## Suppresses AVC denial messages only; no access is granted.
##
## Parameters:
##   1. Domain to not audit.
##
#
define(`dev_dontaudit_getattr_misc_dev',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_getattr_misc_dev'($*)) dnl
gen_require(`
type misc_device_t;
')
dontaudit $1 misc_device_t:chr_file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_getattr_misc_dev'($*)) dnl
')
########################################
##
## Set the attributes of miscellaneous devices.
##
## Grants setattr on misc_device_t character device nodes; no
## getattr and no data access.
##
## Parameters:
##   1. Domain allowed access.
##
#
define(`dev_setattr_misc_dev',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_setattr_misc_dev'($*)) dnl
gen_require(`
type device_t, misc_device_t;
')
allow $1 device_t:dir r_dir_perms;
allow $1 misc_device_t:chr_file setattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_setattr_misc_dev'($*)) dnl
')
########################################
##
## Do not audit attempts to set the attributes
## of miscellaneous devices.
##
## Suppresses AVC denial messages only; no access is granted.
##
## Parameters:
##   1. Domain to not audit.
##
#
define(`dev_dontaudit_setattr_misc_dev',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_setattr_misc_dev'($*)) dnl
gen_require(`
type misc_device_t;
')
dontaudit $1 misc_device_t:chr_file setattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_setattr_misc_dev'($*)) dnl
')
########################################
##
## Read miscellaneous devices.
##
## Grants r_file_perms on misc_device_t character device nodes.
## misc_device_t is a catch-all label for device nodes that have
## no more specific type, so this is broader than it looks: audit
## what is currently labeled misc_device_t before granting it.
##
## Parameters:
##   1. Domain allowed access.
##
#
define(`dev_read_misc',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_read_misc'($*)) dnl
gen_require(`
type device_t, misc_device_t;
')
allow $1 device_t:dir r_dir_perms;
allow $1 misc_device_t:chr_file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_read_misc'($*)) dnl
')
########################################
##
## Write miscellaneous devices.
##
## Grants { getattr write ioctl } on misc_device_t character
## device nodes, without read. As with dev_read_misc(), the
## catch-all nature of misc_device_t makes this broader than a
## single device; prefer a device-specific interface when one
## exists.
##
## Parameters:
##   1. Domain allowed access.
##
#
define(`dev_write_misc',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_write_misc'($*)) dnl
gen_require(`
type device_t, misc_device_t;
')
allow $1 device_t:dir r_dir_perms;
allow $1 misc_device_t:chr_file { getattr write ioctl };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_write_misc'($*)) dnl
')
########################################
##
## Do not audit attempts to read and write miscellaneous devices.
##
## Suppresses AVC denial messages for rw_file_perms on
## misc_device_t only; no access is granted.
##
## Parameters:
##   1. Domain to not audit.
##
#
define(`dev_dontaudit_rw_misc',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_rw_misc'($*)) dnl
gen_require(`
type misc_device_t;
')
dontaudit $1 misc_device_t:chr_file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_rw_misc'($*)) dnl
')
########################################
##
## Get the attributes of the mouse devices.
##
## Grants getattr only on mouse_device_t character device nodes
## (plus read/search on device_t); no input data can be read.
##
## Parameters:
##   1. Domain allowed access.
##
#
define(`dev_getattr_mouse_dev',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_mouse_dev'($*)) dnl
gen_require(`
type device_t, mouse_device_t;
')
allow $1 device_t:dir r_dir_perms;
allow $1 mouse_device_t:chr_file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_mouse_dev'($*)) dnl
')
########################################
##
## Set the attributes of the mouse devices.
##
## Grants setattr on mouse_device_t character device nodes; no
## getattr and no data access.
##
## Parameters:
##   1. Domain allowed access.
##
#
define(`dev_setattr_mouse_dev',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_setattr_mouse_dev'($*)) dnl
gen_require(`
type device_t, mouse_device_t;
')
allow $1 device_t:dir r_dir_perms;
allow $1 mouse_device_t:chr_file setattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_setattr_mouse_dev'($*)) dnl
')
########################################
##
## Read the mouse devices.
##
## Grants r_file_perms on mouse_device_t character device nodes,
## exposing raw pointer events to the domain. Grant only to
## domains that consume input (e.g. a display server or console
## mouse daemon).
##
## Parameters:
##   1. Domain allowed access.
##
#
define(`dev_read_mouse',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_read_mouse'($*)) dnl
gen_require(`
type device_t, mouse_device_t;
')
allow $1 device_t:dir r_dir_perms;
allow $1 mouse_device_t:chr_file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_read_mouse'($*)) dnl
')
########################################
##
## Read and write to mouse devices.
##
## Grants rw_file_perms on mouse_device_t character device nodes.
## Prefer dev_read_mouse() unless the domain must also write to
## the device (e.g. to send configuration commands).
##
## Parameters:
##   1. Domain allowed access.
##
#
define(`dev_rw_mouse',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_mouse'($*)) dnl
gen_require(`
type device_t, mouse_device_t;
')
allow $1 device_t:dir r_dir_perms;
allow $1 mouse_device_t:chr_file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_mouse'($*)) dnl
')
########################################
##
## Get the attributes of the memory type range
## registers (MTRR) device.
##
## Grants getattr on mtrr_device_t for both the file and chr_file
## classes; both are listed because mtrr_device_t may label a
## regular file as well as a device node (presumably the
## /proc/mtrr interface next to /dev/cpu/mtrr; confirm against the
## file contexts).
##
## Parameters:
##   1. Domain allowed access.
##
#
define(`dev_getattr_mtrr_dev',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_mtrr_dev'($*)) dnl
gen_require(`
type device_t, mtrr_device_t;
')
allow $1 device_t:dir r_dir_perms;
allow $1 mtrr_device_t:{ file chr_file } getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_mtrr_dev'($*)) dnl
')
########################################
##
## Read the memory type range
## registers (MTRR). (Deprecated)
##
## This interface has been deprecated; dev_rw_mtrr() should be
## used instead. Calling it emits a refpolicywarn() at build time
## and then simply expands to dev_rw_mtrr(), so despite the name
## the caller receives full read AND write access.
##
## The MTRR device ioctls can be used for reading and writing;
## thus, read access to the device cannot be separated from
## write access.
##
## Parameters:
##   1. Domain allowed access.
##
#
define(`dev_read_mtrr',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_read_mtrr'($*)) dnl
refpolicywarn(`$0($*) has been replaced with dev_rw_mtrr().')
dev_rw_mtrr($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_read_mtrr'($*)) dnl
')
########################################
##
## Write the memory type range
## registers (MTRR). (Deprecated)
##
## This interface has been deprecated; dev_rw_mtrr() should be
## used instead. Calling it emits a refpolicywarn() at build time
## and then simply expands to dev_rw_mtrr(), so the caller also
## receives read access.
##
## The MTRR device ioctls can be used for reading and writing;
## thus, write access to the device cannot be separated from
## read access.
##
## Parameters:
##   1. Domain allowed access.
##
#
define(`dev_write_mtrr',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_write_mtrr'($*)) dnl
refpolicywarn(`$0($*) has been replaced with dev_rw_mtrr().')
dev_rw_mtrr($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_write_mtrr'($*)) dnl
')
########################################
##
## Read and write the memory type range registers (MTRR).
##
## Grants rw_file_perms on mtrr_device_t for both the file and
## chr_file classes (the type may label a regular file as well as
## a device node). Changing MTRRs alters caching of physical
## memory ranges system-wide, so this belongs only to hardware
## setup domains such as the X server.
##
## Parameters:
##   1. Domain allowed access.
##
#
define(`dev_rw_mtrr',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_mtrr'($*)) dnl
gen_require(`
type device_t, mtrr_device_t;
')
allow $1 device_t:dir r_dir_perms;
allow $1 mtrr_device_t:{ file chr_file } rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_mtrr'($*)) dnl
')
########################################
##
## Read and write to the null device (/dev/null).
##
## Implemented via rw_chr_files_pattern(), so the directory
## access granted on device_t is the search-only set of that
## pattern rather than the r_dir_perms used by most other
## interfaces in this file.
##
## Parameters:
##   1. Domain allowed access.
##
#
define(`dev_rw_null',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_null'($*)) dnl
gen_require(`
type device_t, null_device_t;
')
rw_chr_files_pattern($1,device_t,null_device_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_null'($*)) dnl
')
########################################
##
## Create the null device (/dev/null).
##
## Grants add_entry_dir_perms on device_t, create on
## null_device_t chr_file, and the mknod capability. Note that
## the mknod capability is a property of the domain as a whole;
## it is the per-object create permission, granted here only for
## null_device_t, that limits which nodes can actually be made.
## No type_transition is declared here, so the new node only
## ends up labeled null_device_t if a transition rule elsewhere
## (or a relabel) provides that label.
##
## Parameters:
##   1. Domain allowed access.
##
#
define(`dev_create_null_dev',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_create_null_dev'($*)) dnl
gen_require(`
type device_t, null_device_t;
')
allow $1 device_t:dir add_entry_dir_perms;
allow $1 null_device_t:chr_file create;
allow $1 self:capability mknod;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_create_null_dev'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of the BIOS non-volatile RAM device.
##
## Suppresses AVC denial messages only; no access is granted.
##
## Parameters:
##   1. Domain to not audit.
##
#
define(`dev_dontaudit_getattr_nvram_dev',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_getattr_nvram_dev'($*)) dnl
gen_require(`
type nvram_device_t;
')
dontaudit $1 nvram_device_t:chr_file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_getattr_nvram_dev'($*)) dnl
')
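########################################
##
## Read and write BIOS non-volatile RAM.
##
## Grants rw_file_perms on nvram_device_t character device nodes
## plus search on device_t. Writing NVRAM changes firmware
## settings that persist across reboots and outside the
## control of the OS, so keep this to firmware-management
## domains.
##
## Parameters:
##   1. Domain allowed access.
##
#
define(`dev_rw_nvram',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_nvram'($*)) dnl
gen_require(`
type device_t, nvram_device_t;
')
allow $1 device_t:dir search_dir_perms;
allow $1 nvram_device_t:chr_file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_nvram'($*)) dnl
')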
########################################
##
## Get the attributes of the printer device nodes.
##
## Grants getattr only on printer_device_t character device
## nodes plus search on device_t; no data access.
##
## Parameters:
##   1. Domain allowed access.
##
#
define(`dev_getattr_printer_dev',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_printer_dev'($*)) dnl
gen_require(`
type device_t, printer_device_t;
')
allow $1 device_t:dir search_dir_perms;
allow $1 printer_device_t:chr_file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_printer_dev'($*)) dnl
')
########################################
##
## Set the attributes of the printer device nodes.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_setattr_printer_dev',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_setattr_printer_dev'($*)) dnl
# Let arg 1 change attributes (mode, owner, timestamps) of printer nodes.
# Does not include getattr; pair with dev_getattr_printer_dev if needed.
gen_require(`
type device_t, printer_device_t;
')
allow $1 device_t:dir search_dir_perms;
allow $1 printer_device_t:chr_file setattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_setattr_printer_dev'($*)) dnl
')
########################################
##
## Append the printer device.
##
##
##
## Domain allowed access.
##
##
#
# cjp: added for lpd/checkpc_t
define(`dev_append_printer',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_append_printer'($*)) dnl
# Append-only output to the printer node for arg 1 (no read, no write).
# Uses the bare search permission on the device directory, narrower than
# the search_dir_perms set used by the getattr/setattr printer interfaces.
gen_require(`
type device_t, printer_device_t;
')
allow $1 device_t:dir search;
allow $1 printer_device_t:chr_file { getattr append };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_append_printer'($*)) dnl
')
########################################
##
## Read and write the printer device.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rw_printer',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_printer'($*)) dnl
# Full read/write access for arg 1 to printer device nodes.
gen_require(`
type device_t, printer_device_t;
')
allow $1 device_t:dir search;
allow $1 printer_device_t:chr_file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_printer'($*)) dnl
')
########################################
##
## Read from random number generator
## devices (e.g., /dev/random)
##
##
##
## Domain allowed access.
##
##
#
define(`dev_read_rand',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_read_rand'($*)) dnl
# Read access for arg 1 to the blocking random device.
# r_dir_perms on the device directory also allows listing it, which is
# broader than the search needed to open a single node.
gen_require(`
type device_t, random_device_t;
')
allow $1 device_t:dir r_dir_perms;
allow $1 random_device_t:chr_file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_read_rand'($*)) dnl
')
########################################
##
## Do not audit attempts to read from random
## number generator devices (e.g., /dev/random)
##
##
##
## Domain allowed access.
##
##
#
define(`dev_dontaudit_read_rand',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_read_rand'($*)) dnl
# Suppress getattr/read denial records for arg 1 on the random device.
# Grants nothing; use for domains that probe the device opportunistically.
gen_require(`
type random_device_t;
')
dontaudit $1 random_device_t:chr_file { getattr read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_read_rand'($*)) dnl
')
########################################
##
## Write to the random device (e.g., /dev/random). This adds
## entropy used to generate the random data read from the
## random device.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_write_rand',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_write_rand'($*)) dnl
# Let arg 1 feed entropy into the random device: getattr, write and ioctl.
# No read permission is granted; combine with dev_read_rand for both.
gen_require(`
type device_t, random_device_t;
')
allow $1 device_t:dir r_dir_perms;
allow $1 random_device_t:chr_file { getattr write ioctl };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_write_rand'($*)) dnl
')
########################################
##
## Read the realtime clock (/dev/rtc).
##
##
##
## Domain allowed access.
##
##
#
define(`dev_read_realtime_clock',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_read_realtime_clock'($*)) dnl
# Read-only access for arg 1 to the realtime clock node.
gen_require(`
type device_t, clock_device_t;
')
allow $1 device_t:dir r_dir_perms;
allow $1 clock_device_t:chr_file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_read_realtime_clock'($*)) dnl
')
########################################
##
## Set the realtime clock (/dev/rtc).
##
##
##
## Domain allowed access.
##
##
#
define(`dev_write_realtime_clock',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_write_realtime_clock'($*)) dnl
# Write-side permissions on the clock node for arg 1: setattr, lock,
# write, append, ioctl. read and getattr are deliberately absent; use
# dev_rw_realtime_clock when both directions are needed.
gen_require(`
type device_t, clock_device_t;
')
allow $1 device_t:dir r_dir_perms;
allow $1 clock_device_t:chr_file { setattr lock write append ioctl };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_write_realtime_clock'($*)) dnl
')
########################################
##
## Read and set the realtime clock (/dev/rtc).
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rw_realtime_clock',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_realtime_clock'($*)) dnl
# Composite interface: delegates to the read and write clock interfaces,
# so it needs no require block of its own.
dev_read_realtime_clock($1)
dev_write_realtime_clock($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_realtime_clock'($*)) dnl
')
########################################
##
## Get the attributes of the scanner device.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_getattr_scanner_dev',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_scanner_dev'($*)) dnl
# Stat-only access for arg 1 to the scanner node.
gen_require(`
type device_t, scanner_device_t;
')
allow $1 device_t:dir r_dir_perms;
allow $1 scanner_device_t:chr_file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_scanner_dev'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes of
## the scanner device.
##
##
##
## Domain to not audit.
##
##
#
define(`dev_dontaudit_getattr_scanner_dev',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_getattr_scanner_dev'($*)) dnl
# Silence getattr denials from arg 1 on the scanner node; grants nothing.
gen_require(`
type scanner_device_t;
')
dontaudit $1 scanner_device_t:chr_file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_getattr_scanner_dev'($*)) dnl
')
########################################
##
## Set the attributes of the scanner device.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_setattr_scanner_dev',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_setattr_scanner_dev'($*)) dnl
# Let arg 1 change attributes of the scanner node (no getattr included).
gen_require(`
type device_t, scanner_device_t;
')
allow $1 device_t:dir r_dir_perms;
allow $1 scanner_device_t:chr_file setattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_setattr_scanner_dev'($*)) dnl
')
########################################
##
## Do not audit attempts to set the attributes of
## the scanner device.
##
##
##
## Domain to not audit.
##
##
#
define(`dev_dontaudit_setattr_scanner_dev',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_setattr_scanner_dev'($*)) dnl
# Silence setattr denials from arg 1 on the scanner node; grants nothing.
gen_require(`
type scanner_device_t;
')
dontaudit $1 scanner_device_t:chr_file setattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_setattr_scanner_dev'($*)) dnl
')
########################################
##
## Read and write the scanner device.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rw_scanner',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_scanner'($*)) dnl
# Full read/write access for arg 1 to the scanner node.
gen_require(`
type device_t, scanner_device_t;
')
allow $1 device_t:dir r_dir_perms;
allow $1 scanner_device_t:chr_file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_scanner'($*)) dnl
')
########################################
##
## Get the attributes of the sound devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_getattr_sound_dev',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_sound_dev'($*)) dnl
# Stat-only access for arg 1 to sound device nodes.
gen_require(`
type device_t, sound_device_t;
')
allow $1 device_t:dir r_dir_perms;
allow $1 sound_device_t:chr_file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_sound_dev'($*)) dnl
')
########################################
##
## Set the attributes of the sound devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_setattr_sound_dev',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_setattr_sound_dev'($*)) dnl
# Let arg 1 change attributes of sound device nodes (no getattr included).
gen_require(`
type device_t, sound_device_t;
')
allow $1 device_t:dir r_dir_perms;
allow $1 sound_device_t:chr_file setattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_setattr_sound_dev'($*)) dnl
')
########################################
##
## Read the sound devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_read_sound',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_read_sound'($*)) dnl
# Read access for arg 1 to sound device nodes (audio capture path).
gen_require(`
type device_t, sound_device_t;
')
allow $1 device_t:dir r_dir_perms;
allow $1 sound_device_t:chr_file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_read_sound'($*)) dnl
')
########################################
##
## Write the sound devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_write_sound',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_write_sound'($*)) dnl
# Let arg 1 write to and ioctl sound device nodes; read is not granted.
gen_require(`
type device_t, sound_device_t;
')
allow $1 device_t:dir r_dir_perms;
allow $1 sound_device_t:chr_file { getattr write ioctl };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_write_sound'($*)) dnl
')
########################################
##
## Read the sound mixer devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_read_sound_mixer',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_read_sound_mixer'($*)) dnl
# Mixer variant of dev_read_sound. Mixer nodes share the sound_device_t
# type, so this does not isolate the mixer from other sound devices; it
# only uses an explicit perm set instead of r_file_perms.
gen_require(`
type device_t, sound_device_t;
')
allow $1 device_t:dir r_dir_perms;
allow $1 sound_device_t:chr_file { getattr read ioctl };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_read_sound_mixer'($*)) dnl
')
########################################
##
## Write the sound mixer devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_write_sound_mixer',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_write_sound_mixer'($*)) dnl
# Mixer variant of dev_write_sound. The rules are identical to that
# interface because mixer nodes share the sound_device_t type.
gen_require(`
type device_t, sound_device_t;
')
allow $1 device_t:dir r_dir_perms;
allow $1 sound_device_t:chr_file { getattr write ioctl };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_write_sound_mixer'($*)) dnl
')
########################################
##
## Get the attributes of the power management device.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_getattr_power_mgmt_dev',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_power_mgmt_dev'($*)) dnl
# Stat-only access for arg 1 to the power management node.
gen_require(`
type device_t, power_device_t;
')
allow $1 device_t:dir r_dir_perms;
allow $1 power_device_t:chr_file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_power_mgmt_dev'($*)) dnl
')
########################################
##
## Set the attributes of the power management device.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_setattr_power_mgmt_dev',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_setattr_power_mgmt_dev'($*)) dnl
# Let arg 1 change attributes of the power management node (no getattr).
gen_require(`
type device_t, power_device_t;
')
allow $1 device_t:dir r_dir_perms;
allow $1 power_device_t:chr_file setattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_setattr_power_mgmt_dev'($*)) dnl
')
########################################
##
## Read and write the power management device.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rw_power_management',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_power_management'($*)) dnl
# Full read/write access for arg 1 to the power management node.
# Writing here can change machine power state; restrict to power
# management daemons.
gen_require(`
type device_t, power_device_t;
')
allow $1 device_t:dir r_dir_perms;
allow $1 power_device_t:chr_file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_power_management'($*)) dnl
')
########################################
##
## Get the attributes of sysfs directories.
##
##
##
## The type of the process performing this action.
##
##
#
define(`dev_getattr_sysfs_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_sysfs_dirs'($*)) dnl
# getattr only on sysfs directories for arg 1; no search or listing.
gen_require(`
type sysfs_t;
')
allow $1 sysfs_t:dir getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_sysfs_dirs'($*)) dnl
')
########################################
##
## Search the sysfs directories.
##
##
##
## The type of the process performing this action.
##
##
#
define(`dev_search_sysfs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_search_sysfs'($*)) dnl
# Bare search permission on sysfs directories for arg 1 (path traversal
# only, no listing).
gen_require(`
type sysfs_t;
')
allow $1 sysfs_t:dir search;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_search_sysfs'($*)) dnl
')
########################################
##
## Do not audit attempts to search sysfs.
##
##
##
## The type of the process performing this action.
##
##
#
define(`dev_dontaudit_search_sysfs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_search_sysfs'($*)) dnl
# Silence sysfs directory search denials from arg 1; grants nothing.
gen_require(`
type sysfs_t;
')
dontaudit $1 sysfs_t:dir search;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_search_sysfs'($*)) dnl
')
########################################
##
## List the contents of the sysfs directories.
##
##
##
## The type of the process performing this action.
##
##
#
define(`dev_list_sysfs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_list_sysfs'($*)) dnl
# Let arg 1 list sysfs directories; no file or symlink access.
gen_require(`
type sysfs_t;
')
allow $1 sysfs_t:dir r_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_list_sysfs'($*)) dnl
')
########################################
##
## Allow caller to read hardware state information.
##
##
##
## The process type reading hardware state information.
##
##
#
define(`dev_read_sysfs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_read_sysfs'($*)) dnl
# Read-only view of hardware state for arg 1: list sysfs directories and
# read sysfs files and symlinks.
gen_require(`
type sysfs_t;
')
allow $1 sysfs_t:dir r_dir_perms;
allow $1 sysfs_t:{ file lnk_file } r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_read_sysfs'($*)) dnl
')
########################################
##
## Write to sysfs directories.
##
##
##
## The type of the process performing this action.
##
##
#
# cjp: added for cpuspeed
define(`dev_write_sysfs_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_write_sysfs_dirs'($*)) dnl
# Only the bare write permission on sysfs directories for arg 1; no
# search, listing or file access is included.
gen_require(`
type sysfs_t;
')
allow $1 sysfs_t:dir write;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_write_sysfs_dirs'($*)) dnl
')
########################################
##
## Allow caller to modify hardware state information.
##
##
##
## The process type modifying hardware state information.
##
##
#
define(`dev_rw_sysfs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_sysfs'($*)) dnl
# Read/write on sysfs files lets arg 1 change hardware and driver state
# through sysfs attributes; keep this to hardware management domains.
# Symlinks stay read-only.
gen_require(`
type sysfs_t;
')
allow $1 sysfs_t:dir r_dir_perms;
allow $1 sysfs_t:lnk_file r_file_perms;
allow $1 sysfs_t:file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_sysfs'($*)) dnl
')
########################################
##
## Read from pseudo random devices (e.g., /dev/urandom)
##
##
##
## Domain allowed access.
##
##
#
define(`dev_read_urand',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_read_urand'($*)) dnl
# Read access for arg 1 to the non-blocking pseudo random device.
gen_require(`
type device_t, urandom_device_t;
')
allow $1 device_t:dir r_dir_perms;
allow $1 urandom_device_t:chr_file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_read_urand'($*)) dnl
')
########################################
##
## Do not audit attempts to read from pseudo
## random devices (e.g., /dev/urandom)
##
##
##
## Domain to not audit.
##
##
#
define(`dev_dontaudit_read_urand',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_read_urand'($*)) dnl
# Silence getattr/read denials from arg 1 on the urandom node; grants nothing.
gen_require(`
type urandom_device_t;
')
dontaudit $1 urandom_device_t:chr_file { getattr read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_read_urand'($*)) dnl
')
########################################
##
## Write to the pseudo random device (e.g., /dev/urandom). This
## sets the random number generator seed.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_write_urand',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_write_urand'($*)) dnl
# Let arg 1 seed the pseudo random device: getattr, write and ioctl.
# No read permission is granted; combine with dev_read_urand for both.
gen_require(`
type device_t, urandom_device_t;
')
allow $1 device_t:dir r_dir_perms;
allow $1 urandom_device_t:chr_file { getattr write ioctl };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_write_urand'($*)) dnl
')
########################################
##
## Get the attributes of the generic USB devices.
##
##
##
## Domain allowed access.
##
##
#
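define(`dev_getattr_generic_usb_dev',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_generic_usb_dev'($*)) dnl
# Stat-only access for arg 1 to generic USB device nodes.
# device_t is used by the directory rule below, so it must be required
# here; otherwise a loadable module calling this interface fails with an
# out-of-scope type error.
gen_require(`
type device_t, usb_device_t;
')
allow $1 device_t:dir r_dir_perms;
allow $1 usb_device_t:chr_file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_generic_usb_dev'($*)) dnl
')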
########################################
##
## Set the attributes of the generic USB devices.
##
##
##
## Domain allowed access.
##
##
#
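define(`dev_setattr_generic_usb_dev',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_setattr_generic_usb_dev'($*)) dnl
# Let arg 1 change attributes of generic USB device nodes (no getattr).
# device_t is used by the directory rule below, so it must be required
# here; otherwise a loadable module calling this interface fails with an
# out-of-scope type error.
gen_require(`
type device_t, usb_device_t;
')
allow $1 device_t:dir r_dir_perms;
allow $1 usb_device_t:chr_file setattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_setattr_generic_usb_dev'($*)) dnl
')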
########################################
##
## Read and write the generic USB devices.
##
##
##
## Domain allowed access.
##
##
#
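define(`dev_rw_generic_usb_dev',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_generic_usb_dev'($*)) dnl
# Full read/write access for arg 1 to generic USB device nodes.
# device_t is used by the directory rule below, so it must be required
# here; otherwise a loadable module calling this interface fails with an
# out-of-scope type error.
gen_require(`
type device_t, usb_device_t;
')
allow $1 device_t:dir r_dir_perms;
allow $1 usb_device_t:chr_file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_generic_usb_dev'($*)) dnl
')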
########################################
##
## Read and write the generic USB fifo files.
##
##
##
## Domain allowed access.
##
##
#
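define(`dev_rw_generic_usb_pipes',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_generic_usb_pipes'($*)) dnl
# Read/write access for arg 1 to fifo files labeled usb_device_t.
# device_t is used by the directory rule below, so it must be required
# here; otherwise a loadable module calling this interface fails with an
# out-of-scope type error.
gen_require(`
type device_t, usb_device_t;
')
allow $1 device_t:dir r_dir_perms;
allow $1 usb_device_t:fifo_file rw_fifo_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_generic_usb_pipes'($*)) dnl
')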
########################################
##
## Search a directory in the usb filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_search_usbfs_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_search_usbfs_dirs'($*)) dnl
# search_dir_perms on usbfs directories for arg 1. Overlaps with
# dev_search_usbfs, which grants only the bare search permission.
gen_require(`
type usbfs_t;
')
allow $1 usbfs_t:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_search_usbfs_dirs'($*)) dnl
')
########################################
##
## Mount a usbfs filesystem.
##
##
##
## The type of the process performing this action.
##
##
#
define(`dev_mount_usbfs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_mount_usbfs'($*)) dnl
# Let arg 1 mount a usbfs filesystem (filesystem class, mount permission).
# Mounting is a privileged operation; limit to init and mount domains.
gen_require(`
type usbfs_t;
')
allow $1 usbfs_t:filesystem mount;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_mount_usbfs'($*)) dnl
')
########################################
##
## Associate a file to a usbfs filesystem.
##
##
##
## The type of the file to be associated to usbfs.
##
##
#
define(`dev_associate_usbfs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_associate_usbfs'($*)) dnl
# Unlike the other interfaces here, arg 1 is a file type, not a domain:
# this permits objects of that type to reside on a usbfs filesystem.
gen_require(`
type usbfs_t;
')
allow $1 usbfs_t:filesystem associate;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_associate_usbfs'($*)) dnl
')
########################################
##
## Get the attributes of a directory in the usb filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_getattr_usbfs_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_usbfs_dirs'($*)) dnl
# getattr only on usbfs directories for arg 1; no search or listing.
gen_require(`
type usbfs_t;
')
allow $1 usbfs_t:dir getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_usbfs_dirs'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of a directory in the usb filesystem.
##
##
##
## Domain to not audit.
##
##
#
define(`dev_dontaudit_getattr_usbfs_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_getattr_usbfs_dirs'($*)) dnl
# Silence getattr denials from arg 1 on usbfs directories; grants nothing.
gen_require(`
type usbfs_t;
')
dontaudit $1 usbfs_t:dir getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_getattr_usbfs_dirs'($*)) dnl
')
########################################
##
## Search the directory containing USB hardware information.
##
##
##
## The type of the process performing this action.
##
##
#
define(`dev_search_usbfs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_search_usbfs'($*)) dnl
# Bare search permission on usbfs directories for arg 1 (path traversal
# only). See also dev_search_usbfs_dirs, which uses search_dir_perms.
gen_require(`
type usbfs_t;
')
allow $1 usbfs_t:dir search;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_search_usbfs'($*)) dnl
')
########################################
##
## Allow caller to get a list of usb hardware.
##
##
##
## The process type getting the list.
##
##
#
define(`dev_list_usbfs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_list_usbfs'($*)) dnl
# Enumerate usbfs for arg 1: list directories and read symlinks, but only
# getattr on regular files (file contents are not readable here).
gen_require(`
type usbfs_t;
')
allow $1 usbfs_t:dir r_dir_perms;
allow $1 usbfs_t:lnk_file r_file_perms;
allow $1 usbfs_t:file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_list_usbfs'($*)) dnl
')
########################################
##
## Set the attributes of files in the usbfs filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_setattr_usbfs_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_setattr_usbfs_files'($*)) dnl
# Let arg 1 list usbfs directories and change attributes of usbfs files.
# No file read or write is included.
gen_require(`
type usbfs_t;
')
allow $1 usbfs_t:dir r_dir_perms;
allow $1 usbfs_t:file setattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_setattr_usbfs_files'($*)) dnl
')
########################################
##
## Read USB hardware information using
## the usbfs filesystem interface.
##
##
##
## The type of the process performing this action.
##
##
#
define(`dev_read_usbfs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_read_usbfs'($*)) dnl
# Read-only access for arg 1 to usbfs: list directories, read files and
# symlinks.
gen_require(`
type usbfs_t;
')
allow $1 usbfs_t:dir r_dir_perms;
allow $1 usbfs_t:{ file lnk_file } r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_read_usbfs'($*)) dnl
')
########################################
##
## Allow caller to modify usb hardware configuration files.
##
##
##
## The process type modifying the options.
##
##
#
define(`dev_rw_usbfs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_usbfs'($*)) dnl
gen_require(`
type usbfs_t;
')
# dev_rw_usbfs(domain): read and write usbfs_t files.
# Arg 1: the process type modifying the options.
# Write access on usbfs files lets the caller drive USB devices from
# userspace (rw_file_perms conventionally includes ioctl, the usual usbfs
# control path; confirm against the perm set definition). Keep this to
# device-handling daemons and prefer dev_read_usbfs where reading is enough.
allow $1 usbfs_t:dir r_dir_perms;
allow $1 usbfs_t:lnk_file r_file_perms;
allow $1 usbfs_t:file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_usbfs'($*)) dnl
')
########################################
##
## Get the attributes of video4linux devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_getattr_video_dev',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_video_dev'($*)) dnl
gen_require(`
type device_t, v4l_device_t;
')
# dev_getattr_video_dev(domain): stat video4linux device nodes.
# Arg 1: domain allowed access.
# r_dir_perms on device_t is needed to find the node under /dev; the node
# itself only gets getattr, so no read or write of the device.
allow $1 device_t:dir r_dir_perms;
allow $1 v4l_device_t:chr_file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_video_dev'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of video4linux device nodes.
##
##
##
## Domain to not audit.
##
##
#
define(`dev_dontaudit_getattr_video_dev',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_getattr_video_dev'($*)) dnl
gen_require(`
type v4l_device_t;
')
# dev_dontaudit_getattr_video_dev(domain): silence getattr denials on v4l nodes.
# Arg 1: domain to not audit.
# dontaudit only suppresses the AVC log entry; the access is still denied.
# Use it for known-harmless probes, not as a substitute for a grant, since
# it also hides the denial from anyone reviewing the audit log.
dontaudit $1 v4l_device_t:chr_file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_getattr_video_dev'($*)) dnl
')
########################################
##
## Set the attributes of video4linux device nodes.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_setattr_video_dev',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_setattr_video_dev'($*)) dnl
gen_require(`
type device_t, v4l_device_t;
')
# dev_setattr_video_dev(domain): change attributes of video4linux nodes.
# Arg 1: domain allowed access.
# setattr allows mode/ownership/timestamp changes on the node (typical for
# a device manager handing the node to a user); it does not allow reading
# or writing the device.
allow $1 device_t:dir r_dir_perms;
allow $1 v4l_device_t:chr_file setattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_setattr_video_dev'($*)) dnl
')
########################################
##
## Do not audit attempts to set the attributes
## of video4linux device nodes.
##
##
##
## Domain to not audit.
##
##
#
define(`dev_dontaudit_setattr_video_dev',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_setattr_video_dev'($*)) dnl
gen_require(`
type v4l_device_t;
')
# dev_dontaudit_setattr_video_dev(domain): silence setattr denials on v4l nodes.
# Arg 1: domain to not audit.
# The denial still happens; only the audit record is dropped. Pair with
# dev_setattr_video_dev when the change is actually wanted.
dontaudit $1 v4l_device_t:chr_file setattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_setattr_video_dev'($*)) dnl
')
########################################
##
## Read the video4linux devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_read_video_dev',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_read_video_dev'($*)) dnl
gen_require(`
type device_t, v4l_device_t;
')
# dev_read_video_dev(domain): read from video4linux device nodes.
# Arg 1: domain allowed access.
# The extra { getattr read } on device_t symlinks lets the caller follow
# links in /dev to the real node (presumably udev-created aliases; confirm).
# Only the v4l node is readable; device_t itself is search/read of dirs.
allow $1 device_t:dir r_dir_perms;
allow $1 device_t:lnk_file { getattr read };
allow $1 v4l_device_t:chr_file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_read_video_dev'($*)) dnl
')
########################################
##
## Write the video4linux devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_write_video_dev',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_write_video_dev'($*)) dnl
gen_require(`
type device_t, v4l_device_t;
')
# dev_write_video_dev(domain): write to video4linux device nodes.
# Arg 1: domain allowed access.
# Expressed through write_chr_files_pattern rather than spelled-out rules,
# unlike dev_read_video_dev above, so the exact access on device_t dirs is
# whatever that pattern expands to; check the pattern definition when auditing.
write_chr_files_pattern($1,device_t,v4l_device_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_write_video_dev'($*)) dnl
')
########################################
##
## Read and write VMWare devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rw_vmware',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_vmware'($*)) dnl
gen_require(`
type device_t, vmware_device_t;
')
# dev_rw_vmware(domain): read and write VMWare device nodes.
# Arg 1: domain allowed access.
# The dir permission here is list_dir_perms while most sibling interfaces
# use r_dir_perms; both should include search, which is what finding the
# node under /dev needs (confirm against the perm set definitions).
allow $1 device_t:dir list_dir_perms;
allow $1 vmware_device_t:chr_file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_vmware'($*)) dnl
')
########################################
##
## Read, write, and mmap VMWare devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rwx_vmware',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_rwx_vmware'($*)) dnl
gen_require(`
type device_t, vmware_device_t;
')
# dev_rwx_vmware(domain): read, write and execute-map VMWare device nodes.
# Arg 1: domain allowed access.
# execute on a chr_file allows mapping the device with PROT_EXEC. Code
# mapped from a device sits outside the normal executable-file labeling,
# so keep the callers of this interface to the VMWare domains that need it.
allow $1 device_t:dir list_dir_perms;
allow $1 vmware_device_t:chr_file { rw_file_perms execute };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_rwx_vmware'($*)) dnl
')
########################################
##
## Write to watchdog devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_write_watchdog',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_write_watchdog'($*)) dnl
gen_require(`
type device_t, watchdog_device_t;
')
# dev_write_watchdog(domain): write to watchdog device nodes.
# Arg 1: domain allowed access.
# Only { getattr write } is granted, not a full perm set: no read, and no
# open permission is listed. On policies that enforce open, the caller could
# then write only through an inherited descriptor; confirm against the
# policy version in use before relying on this for a daemon that opens
# the node itself.
allow $1 device_t:dir list_dir_perms;
allow $1 watchdog_device_t:chr_file { getattr write };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_write_watchdog'($*)) dnl
')
########################################
##
## Read and write Xen devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rw_xen',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_xen'($*)) dnl
gen_require(`
type device_t, xen_device_t;
')
# dev_rw_xen(domain): read and write Xen device nodes.
# Arg 1: domain allowed access.
# Read/write of the node plus search/read of device_t dirs to reach it.
# Creating or deleting the node is a separate grant (dev_manage_xen).
allow $1 device_t:dir r_dir_perms;
allow $1 xen_device_t:chr_file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_xen'($*)) dnl
')
########################################
##
## Create, read, write, and delete Xen devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_manage_xen',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_manage_xen'($*)) dnl
gen_require(`
type device_t, xen_device_t;
')
# dev_manage_xen(domain): create, read, write and delete Xen device nodes.
# Arg 1: domain allowed access.
# manage_file_perms on the node includes create and unlink, but device_t
# only gets r_dir_perms here, which (as the standard perm sets are defined)
# lacks add_name/remove_name. Creating or removing a node in /dev therefore
# also needs the directory write access that dev_filetrans_xen grants.
allow $1 device_t:dir r_dir_perms;
allow $1 xen_device_t:chr_file manage_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_manage_xen'($*)) dnl
')
########################################
##
## Automatic type transition to the type
## for xen device nodes when created in /dev.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_filetrans_xen',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_filetrans_xen'($*)) dnl
gen_require(`
type device_t, xen_device_t;
')
# dev_filetrans_xen(domain): label chr_files the caller creates in /dev as
# xen_device_t.
# Arg 1: domain allowed access.
# The type_transition has no name filter: every character device the caller
# creates in a device_t directory becomes xen_device_t, so the caller
# should be creating only Xen nodes there. rw_dir_perms supplies the
# add_name/remove_name that the creation itself needs.
allow $1 device_t:dir rw_dir_perms;
type_transition $1 device_t:chr_file xen_device_t;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_filetrans_xen'($*)) dnl
')
########################################
##
## Get the attributes of X server miscellaneous devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_getattr_xserver_misc_dev',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_xserver_misc_dev'($*)) dnl
gen_require(`
type device_t, xserver_misc_device_t;
')
# dev_getattr_xserver_misc_dev(domain): stat X server misc device nodes.
# Arg 1: domain allowed access.
# getattr on the node only, plus search/read of device_t dirs to find it.
allow $1 device_t:dir r_dir_perms;
allow $1 xserver_misc_device_t:chr_file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_xserver_misc_dev'($*)) dnl
')
########################################
##
## Set the attributes of X server miscellaneous devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_setattr_xserver_misc_dev',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_setattr_xserver_misc_dev'($*)) dnl
gen_require(`
type device_t, xserver_misc_device_t;
')
# dev_setattr_xserver_misc_dev(domain): change attributes of X server misc
# device nodes.
# Arg 1: domain allowed access.
# setattr (mode/ownership/timestamps) on the node; no read or write.
allow $1 device_t:dir r_dir_perms;
allow $1 xserver_misc_device_t:chr_file setattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_setattr_xserver_misc_dev'($*)) dnl
')
########################################
##
## Read and write X server miscellaneous devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rw_xserver_misc',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_xserver_misc'($*)) dnl
gen_require(`
type device_t, xserver_misc_device_t;
')
# dev_rw_xserver_misc(domain): read and write X server misc device nodes.
# Arg 1: domain allowed access.
# Full rw_file_perms on the node; intended for the X server itself rather
# than for clients, which should not need the raw device.
allow $1 device_t:dir r_dir_perms;
allow $1 xserver_misc_device_t:chr_file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_xserver_misc'($*)) dnl
')
########################################
##
## Read and write to the zero device (/dev/zero).
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rw_zero',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_zero'($*)) dnl
gen_require(`
type device_t, zero_device_t;
')
# dev_rw_zero(domain): read and write /dev/zero.
# Arg 1: domain allowed access.
# Plain read/write of the zero device (no execute); the rwx and execmod
# variants below build on this rule.
allow $1 device_t:dir r_dir_perms;
allow $1 zero_device_t:chr_file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_zero'($*)) dnl
')
########################################
##
## Read, write, and execute the zero device (/dev/zero).
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rwx_zero',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_rwx_zero'($*)) dnl
gen_require(`
type zero_device_t;
')
# dev_rwx_zero(domain): read, write and execute-map /dev/zero.
# Arg 1: domain allowed access.
# dev_rw_zero plus execute on zero_device_t. Mapping /dev/zero with
# PROT_EXEC yields executable memory much like an anonymous execmem
# mapping, so treat callers of this interface as execmem users (JIT-style
# code) and keep the list short.
dev_rw_zero($1)
allow $1 zero_device_t:chr_file execute;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_rwx_zero'($*)) dnl
')
########################################
##
## Execmod the zero device (/dev/zero).
##
##
##
## Domain allowed access.
##
##
#
define(`dev_execmod_zero',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_execmod_zero'($*)) dnl
gen_require(`
type zero_device_t;
')
# dev_execmod_zero(domain): execmod on /dev/zero mappings.
# Arg 1: domain allowed access.
# execmod permits executing a private mapping of the device after it has
# been written to. Combined with dev_rwx_zero this is a complete
# write-then-execute path for the caller; grant it only where text
# relocations or a JIT genuinely require it.
dev_rw_zero($1)
allow $1 zero_device_t:chr_file execmod;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_execmod_zero'($*)) dnl
')
########################################
##
## Create the zero device (/dev/zero).
##
##
##
## Domain allowed access.
##
##
#
define(`dev_create_zero_dev',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_create_zero_dev'($*)) dnl
gen_require(`
type device_t, zero_device_t;
')
# dev_create_zero_dev(domain): create the /dev/zero device node.
# Arg 1: domain allowed access.
# The chr_file create rule is scoped to zero_device_t, but the mknod
# capability is process-wide: with it the caller can mknod any device node
# wherever its other file rules allow. No type_transition is given here, so
# unless a filetrans is granted elsewhere the new node takes the default
# label of its parent directory rather than zero_device_t (confirm).
allow $1 device_t:dir add_entry_dir_perms;
allow $1 zero_device_t:chr_file create;
allow $1 self:capability mknod;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_create_zero_dev'($*)) dnl
')
########################################
##
## Unconfined access to devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_unconfined',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_unconfined'($*)) dnl
gen_require(`
attribute devices_unconfined_type;
')
# dev_unconfined(domain): give a domain unconfined access to devices.
# Arg 1: domain allowed access.
# Adds the domain to devices_unconfined_type; the rules hung off that
# attribute live elsewhere, so this is a wide grant whose scope is not
# visible here. Prefer the specific dev_* interfaces whenever the set of
# devices a domain needs is known.
typeattribute $1 devices_unconfined_type;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_unconfined'($*)) dnl
')
########################################
##
## Delete entries from directories in /dev.
##
##
##
## Domain allowed to delete entries.
##
##
#
define(`dev_delete',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_delete'($*)) dnl
gen_require(`
type device_t;
')
# dev_delete(domain): remove directories of type device_t.
# Arg 1: domain allowed to delete entries.
# rmdir is checked on the directory being removed; unlinking an entry out
# of a device_t parent directory also requires remove_name on that parent,
# which this interface does not grant.
allow $1 device_t:dir { getattr rmdir };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_delete'($*)) dnl
')
########################################
##
## Manage directories in /dev.
##
##
##
## Domain allowed to relabel.
##
##
#
define(`dev_manage_generic_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dev_manage_generic_dirs'($*)) dnl
gen_require(`
type device_t;
')
# dev_manage_generic_dirs(domain): create, read, write and delete
# directories labeled device_t.
# Arg 1: domain allowed access.
# manage_dirs_pattern with device_t as both container and target, so it
# covers creating and removing directories directly under /dev.
manage_dirs_pattern($1,device_t,device_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dev_manage_generic_dirs'($*)) dnl
')
## Core policy for domains.
##
## Contains the concept of a domain.
##
########################################
##
## Make the specified type usable as a basic domain.
##
##
##
## Make the specified type usable as a basic domain.
##
##
## This is primarily used for kernel threads;
## generally the domain_type() interface is
## more appropriate for userland processes.
##
##
##
##
## Type to be used as a basic domain type.
##
##
#
define(`domain_base_type',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `domain_base_type'($*)) dnl
gen_require(`
attribute domain;
')
# domain_base_type(type): mark a type as a basic domain.
# Arg 1: type to be used as a basic domain type.
# Only adds the domain attribute, none of the common userland access that
# domain_type wires in; intended for kernel threads.
typeattribute $1 domain;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `domain_base_type'($*)) dnl
')
########################################
##
## Make the specified type usable as a domain.
##
##
##
## Type to be used as a domain type.
##
##
#
define(`domain_type',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `domain_type'($*)) dnl
# domain_type(type): mark a type as a userland process domain.
# Arg 1: type to be used as a domain type.
# On top of domain_base_type this adds the access every process domain is
# expected to have. Each optional_policy block only takes effect when the
# module it names is part of the policy.
# start with basic domain
domain_base_type($1)
# targeted policy only: interaction with the unconfined domain
# (presumably so the new domain can use unconfined fds and report sigchld)
ifdef(`targeted_policy',`
unconfined_use_fds($1)
unconfined_sigchld($1)
')
# send init a sigchld and signull
optional_policy(`
init_sigchld($1)
init_signull($1)
')
# these seem questionable:
optional_policy(`
rpm_use_fds($1)
rpm_read_pipes($1)
')
# suppress noise from domains poking at the selinuxfs and config
optional_policy(`
selinux_dontaudit_read_fs($1)
')
optional_policy(`
seutil_dontaudit_read_config($1)
')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `domain_type'($*)) dnl
')
########################################
##
## Make the specified type usable as
## an entry point for the domain.
##
##
##
## Domain to be entered.
##
##
##
##
## Type of program used for entering
## the domain.
##
##
#
define(`domain_entry_file',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `domain_entry_file'($*)) dnl
gen_require(`
attribute entry_type;
')
# domain_entry_file(domain, entrypoint): make a file type an entry point.
# Arg 1: domain to be entered.
# Arg 2: type of program used for entering the domain.
# Every file carrying arg 2 becomes a valid way to enter arg 1 (entrypoint
# plus read/execute), and arg 2 is also registered as a generic executable
# via corecmd_executable_file. Keep entry point types specific to the
# binaries that are meant to start the domain.
allow $1 $2:file entrypoint;
allow $1 $2:file rx_file_perms;
typeattribute $2 entry_type;
corecmd_executable_file($2)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `domain_entry_file'($*)) dnl
')
########################################
##
## Make the file descriptors of the specified
## domain for interactive use (widely inheritable)
##
##
##
## Domain allowed access.
##
##
#
define(`domain_interactive_fd',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `domain_interactive_fd'($*)) dnl
gen_require(`
attribute privfd;
')
# domain_interactive_fd(domain): mark a domain whose file descriptors are
# widely inheritable.
# Arg 1: domain allowed access.
# Adds the privfd attribute; domain_use_interactive_fds then lets other
# domains use descriptors inherited from this one, so only interactive
# login-style programs belong here.
typeattribute $1 privfd;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `domain_interactive_fd'($*)) dnl
')
########################################
##
## Allow the specified domain to perform
## dynamic transitions.
##
##
##
## Allow the specified domain to perform
## dynamic transitions.
##
##
## This violates process tranquility, and it
## is strongly suggested that this not be used.
##
##
##
##
## Domain allowed access.
##
##
#
define(`domain_dyntrans_type',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `domain_dyntrans_type'($*)) dnl
gen_require(`
attribute set_curr_context;
')
# domain_dyntrans_type(domain): permit dynamic (setcon) transitions.
# Arg 1: domain allowed access.
# Adds set_curr_context. A dynamic transition changes the context of a
# running process without an exec, so the new context inherits whatever
# memory and descriptors the old one had; the doc above is right to
# discourage this.
typeattribute $1 set_curr_context;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `domain_dyntrans_type'($*)) dnl
')
########################################
##
## Makes caller an exception to the constraint
## preventing changing to the system user
## identity and system role.
##
##
##
## Domain allowed access.
##
##
#
define(`domain_system_change_exemption',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `domain_system_change_exemption'($*)) dnl
gen_require(`
attribute can_system_change;
')
# domain_system_change_exemption(domain): exempt a domain from the
# constraint that blocks changing to the system user identity and role.
# Arg 1: domain allowed access.
# Only adds the can_system_change attribute; the constraint that consults
# it is defined elsewhere.
typeattribute $1 can_system_change;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `domain_system_change_exemption'($*)) dnl
')
########################################
##
## Makes caller an exception to the constraint preventing
## changing of user identity.
##
##
##
## The process type to make an exception to the constraint.
##
##
#
define(`domain_subj_id_change_exemption',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `domain_subj_id_change_exemption'($*)) dnl
gen_require(`
attribute can_change_process_identity;
')
# domain_subj_id_change_exemption(domain): exempt a domain from the
# constraint preventing a change of SELinux user identity on transition.
# Arg 1: the process type to make an exception to the constraint.
# Attribute-only; typically login-style programs that set the user part
# of the context for a new session.
typeattribute $1 can_change_process_identity;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `domain_subj_id_change_exemption'($*)) dnl
')
########################################
##
## Makes caller an exception to the constraint preventing
## changing of role.
##
##
##
## The process type to make an exception to the constraint.
##
##
#
define(`domain_role_change_exemption',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `domain_role_change_exemption'($*)) dnl
gen_require(`
attribute can_change_process_role;
')
# domain_role_change_exemption(domain): exempt a domain from the constraint
# preventing a change of role on transition.
# Arg 1: the process type to make an exception to the constraint.
# Attribute-only; the constraint itself is defined elsewhere.
typeattribute $1 can_change_process_role;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `domain_role_change_exemption'($*)) dnl
')
########################################
##
## Makes caller an exception to the constraint preventing
## changing the user identity in object contexts.
##
##
##
## The process type to make an exception to the constraint.
##
##
##
#
define(`domain_obj_id_change_exemption',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `domain_obj_id_change_exemption'($*)) dnl
gen_require(`
attribute can_change_object_identity;
')
# domain_obj_id_change_exemption(domain): exempt a domain from the
# constraint preventing a change of user identity in object contexts.
# Arg 1: the process type to make an exception to the constraint.
# Attribute-only; lets the caller create or relabel objects whose user
# component differs from its own.
typeattribute $1 can_change_object_identity;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `domain_obj_id_change_exemption'($*)) dnl
')
########################################
##
## Make the specified domain the target of
## the user domain exception of the
## SELinux role and identity change
## constraints.
##
##
##
## Make the specified domain the target of
## the user domain exception of the
## SELinux role and identity change
## constraints.
##
##
## This interface is needed to decouple
## the user domains from the base module.
## It should not be used other than on
## user domains.
##
##
##
##
## Domain target for user exemption.
##
##
#
define(`domain_user_exemption_target',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `domain_user_exemption_target'($*)) dnl
gen_require(`
attribute process_user_target;
')
# domain_user_exemption_target(domain): mark a user domain as the target
# side of the user-domain exception in the role/identity constraints.
# Arg 1: domain target for user exemption.
# Attribute-only (process_user_target); meant for user domains and nothing
# else, as the doc above says.
typeattribute $1 process_user_target;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `domain_user_exemption_target'($*)) dnl
')
########################################
##
## Make the specified domain the source of
## the cron domain exception of the
## SELinux role and identity change
## constraints.
##
##
##
## Make the specified domain the source of
## the cron domain exception of the
## SELinux role and identity change
## constraints.
##
##
## This interface is needed to decouple
## the cron domains from the base module.
## It should not be used other than on
## cron domains.
##
##
##
##
## Domain target for user exemption.
##
##
#
define(`domain_cron_exemption_source',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `domain_cron_exemption_source'($*)) dnl
gen_require(`
attribute cron_source_domain;
')
# domain_cron_exemption_source(domain): mark a cron daemon domain as the
# source side of the cron exception in the role/identity constraints.
# Arg 1: domain target for user exemption.
# Attribute-only (cron_source_domain); pairs with
# domain_cron_exemption_target on the job side.
typeattribute $1 cron_source_domain;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `domain_cron_exemption_source'($*)) dnl
')
########################################
##
## Make the specified domain the target of
## the cron domain exception of the
## SELinux role and identity change
## constraints.
##
##
##
## Make the specified domain the target of
## the cron domain exception of the
## SELinux role and identity change
## constraints.
##
##
## This interface is needed to decouple
## the cron domains from the base module.
## It should not be used other than on
## user cron jobs.
##
##
##
##
## Domain target for user exemption.
##
##
#
define(`domain_cron_exemption_target',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `domain_cron_exemption_target'($*)) dnl
gen_require(`
attribute cron_job_domain;
')
# domain_cron_exemption_target(domain): mark a user cron job domain as the
# target side of the cron exception in the role/identity constraints.
# Arg 1: domain target for user exemption.
# Attribute-only (cron_job_domain); pairs with
# domain_cron_exemption_source on the daemon side.
typeattribute $1 cron_job_domain;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `domain_cron_exemption_target'($*)) dnl
')
########################################
##
## Inherit and use file descriptors from
## domains with interactive programs.
##
##
##
## Domain allowed access.
##
##
#
define(`domain_use_interactive_fds',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `domain_use_interactive_fds'($*)) dnl
gen_require(`
attribute privfd;
')
# domain_use_interactive_fds(domain): use descriptors inherited from
# interactive (privfd) domains.
# Arg 1: domain allowed access.
# fd use only; what can be done with the descriptor is still governed by
# the rules on the underlying object.
allow $1 privfd:fd use;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `domain_use_interactive_fds'($*)) dnl
')
########################################
##
## Do not audit attempts to inherit file
## descriptors from domains with interactive
## programs.
##
##
##
## Domain allowed access.
##
##
#
define(`domain_dontaudit_use_interactive_fds',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `domain_dontaudit_use_interactive_fds'($*)) dnl
gen_require(`
attribute privfd;
')
# domain_dontaudit_use_interactive_fds(domain): silence denials for using
# descriptors inherited from privfd domains.
# Arg 1: domain allowed access.
# The use is still denied; only the audit record is suppressed.
dontaudit $1 privfd:fd use;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `domain_dontaudit_use_interactive_fds'($*)) dnl
')
########################################
##
## Send a SIGCHLD signal to domains whose file
## descriptors are widely inheritable.
##
##
##
## Domain allowed access.
##
##
#
# cjp: this was added because of newrole
define(`domain_sigchld_interactive_fds',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `domain_sigchld_interactive_fds'($*)) dnl
gen_require(`
attribute privfd;
')
# domain_sigchld_interactive_fds(domain): send SIGCHLD to privfd domains.
# Arg 1: domain allowed access.
# Needed when a privfd domain is the parent of the caller and must be
# told about its exit; sigchld only, no other signals.
allow $1 privfd:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `domain_sigchld_interactive_fds'($*)) dnl
')
########################################
##
## Set the nice level of all domains.
##
##
##
## Domain allowed access.
##
##
##
#
define(`domain_setpriority_all_domains',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `domain_setpriority_all_domains'($*)) dnl
gen_require(`
attribute domain;
')
# domain_setpriority_all_domains(domain): change scheduling of any process.
# Arg 1: domain allowed access.
# setsched is granted against the whole domain attribute, so this is more
# than nice(): scheduler policy and priority of every confined process can
# be altered by the caller.
allow $1 domain:process setsched;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `domain_setpriority_all_domains'($*)) dnl
')
########################################
##
## Allow specified type to set context on domain attribute.
##
##
##
## Type of subject to be allowed this.
##
##
#
define(`domain_setcontext',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `domain_setcontext'($*)) dnl
gen_require(`
attribute domain;
')
# domain_setcontext(type): setcontext on associations of all domains.
# Arg 1: type of subject to be allowed this.
# The association class belongs to labeled IPsec; this grants setcontext
# against every domain at once. The intended caller is not visible here,
# so confirm the use case before reusing this interface.
allow $1 domain:association setcontext;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `domain_setcontext'($*)) dnl
')
########################################
##
## Send general signals to all domains.
##
##
##
## Domain allowed access.
##
##
##
#
define(`domain_signal_all_domains',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `domain_signal_all_domains'($*)) dnl
gen_require(`
attribute domain;
')
# domain_signal_all_domains(domain): send general signals to any process.
# Arg 1: domain allowed access.
# signal covers the generic signals (TERM, HUP, USR1 and so on); kill,
# stop, chld and null each have their own interface below.
allow $1 domain:process signal;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `domain_signal_all_domains'($*)) dnl
')
########################################
##
## Send a null signal to all domains.
##
##
##
## Domain allowed access.
##
##
##
#
define(`domain_signull_all_domains',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `domain_signull_all_domains'($*)) dnl
gen_require(`
attribute domain;
')
# domain_signull_all_domains(domain): send signal 0 to any process.
# Arg 1: domain allowed access.
# signull is the existence check (kill with signal 0); it delivers nothing
# but reveals which pids are alive across all domains.
allow $1 domain:process signull;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `domain_signull_all_domains'($*)) dnl
')
########################################
##
## Send a stop signal to all domains.
##
##
##
## Domain allowed access.
##
##
##
#
define(`domain_sigstop_all_domains',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `domain_sigstop_all_domains'($*)) dnl
gen_require(`
attribute domain;
')
# domain_sigstop_all_domains(domain): send SIGSTOP to any process.
# Arg 1: domain allowed access.
# Stopping arbitrary processes includes security daemons; keep this to
# job-control style callers.
allow $1 domain:process sigstop;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `domain_sigstop_all_domains'($*)) dnl
')
########################################
##
## Send a child terminated signal to all domains.
##
##
##
## Domain allowed access.
##
##
##
#
define(`domain_sigchld_all_domains',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `domain_sigchld_all_domains'($*)) dnl
gen_require(`
attribute domain;
')
# domain_sigchld_all_domains(domain): send SIGCHLD to any process.
# Arg 1: domain allowed access.
# Typical for a domain that can be the parent of anything (init-like);
# sigchld only.
allow $1 domain:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `domain_sigchld_all_domains'($*)) dnl
')
########################################
##
## Send a kill signal to all domains.
##
##
##
## Domain allowed access.
##
##
##
#
define(`domain_kill_all_domains',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `domain_kill_all_domains'($*)) dnl
gen_require(`
attribute domain;
')
# SIGKILL to every process on the system. Two checks apply to a kill
# across uids: the MAC check below and the DAC capability check, so the
# kill capability is granted alongside it. Either alone is not enough.
allow $1 domain:process sigkill;
allow $1 self:capability kill;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `domain_kill_all_domains'($*)) dnl
')
########################################
##
## Search the process state directory (/proc/pid) of all domains.
##
##
##
## Domain allowed access.
##
##
#
define(`domain_search_all_domains_state',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `domain_search_all_domains_state'($*)) dnl
gen_require(`
attribute domain;
')
# The per-process /proc/pid directories are labeled with the domain of
# the process, so walking into them needs search on every domain type.
# The caller must also be able to reach /proc itself, hence the kernel
# interface call first. Only directory traversal is granted here; the
# files inside stay unreadable.
kernel_search_proc($1)
allow $1 domain:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `domain_search_all_domains_state'($*)) dnl
')
########################################
##
## Do not audit attempts to search the process
## state directory (/proc/pid) of all domains.
##
##
##
## Domain to not audit.
##
##
#
define(`domain_dontaudit_search_all_domains_state',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `domain_dontaudit_search_all_domains_state'($*)) dnl
gen_require(`
attribute domain;
')
# Suppresses the audit record only; no access is granted. Use it for
# tools that scan /proc/pid and fail gracefully on denied entries, and
# keep in mind that a blanket dontaudit also hides genuine probing.
dontaudit $1 domain:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `domain_dontaudit_search_all_domains_state'($*)) dnl
')
########################################
##
## Read the process state (/proc/pid) of all domains.
##
##
##
## Domain allowed access.
##
##
##
#
define(`domain_read_all_domains_state',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `domain_read_all_domains_state'($*)) dnl
gen_require(`
attribute domain;
')
# Read access to the /proc/pid tree of every domain, unconfined ones
# included. That tree exposes command lines, environment, memory maps
# and fd listings of every process, so this is a significant
# information disclosure grant. Prefer domain_read_confined_domains_state
# unless the caller genuinely has to inspect unconfined processes.
kernel_search_proc($1)
allow $1 domain:dir r_dir_perms;
allow $1 domain:lnk_file r_file_perms;
allow $1 domain:file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `domain_read_all_domains_state'($*)) dnl
')
########################################
##
## Get the attributes of all domains.
##
##
##
## Domain allowed access.
##
##
##
#
define(`domain_getattr_all_domains',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `domain_getattr_all_domains'($*)) dnl
gen_require(`
attribute domain;
')
# Process-level getattr on every domain, which is what lets a process
# lister see the security context of each pid. This is metadata only;
# reading the process state files is a separate interface.
allow $1 domain:process getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `domain_getattr_all_domains'($*)) dnl
')
########################################
##
## Do not audit attempts to get the
## attributes of all domains.
##
##
##
## Domain to not audit.
##
##
#
define(`domain_dontaudit_getattr_all_domains',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `domain_dontaudit_getattr_all_domains'($*)) dnl
gen_require(`
attribute domain;
')
# Audit suppression only; the getattr is still denied. Intended for
# callers that stat every pid as a side effect and do not need the
# result.
dontaudit $1 domain:process getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `domain_dontaudit_getattr_all_domains'($*)) dnl
')
########################################
##
## Read the process state (/proc/pid) of all confined domains.
##
##
##
## Domain allowed access.
##
##
##
#
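define(`domain_read_confined_domains_state',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `domain_read_confined_domains_state'($*)) dnl
gen_require(`
attribute domain, unconfined_domain_type;
')
# Read the /proc/pid tree of every domain except the unconfined ones.
# The unconfined set is subtracted from the target so a confined reader
# cannot pull command lines, environment or memory maps out of the
# least restricted processes on the system.
kernel_search_proc($1)
allow $1 { domain -unconfined_domain_type }:dir r_dir_perms;
allow $1 { domain -unconfined_domain_type }:lnk_file r_file_perms;
allow $1 { domain -unconfined_domain_type }:file r_file_perms;
# Keep the log quiet when the caller walks into the excluded entries.
# Nothing is granted here. The symlink rule mirrors the lnk_file access
# granted above; without it every readlink of, for example, the cwd or
# exe link of an unconfined process still produced a denial record.
dontaudit $1 unconfined_domain_type:dir search;
dontaudit $1 unconfined_domain_type:lnk_file read;
dontaudit $1 unconfined_domain_type:file { getattr read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `domain_read_confined_domains_state'($*)) dnl
')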
########################################
##
## Get the attributes of all confined domains.
##
##
##
## Domain allowed access.
##
##
##
#
define(`domain_getattr_confined_domains',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `domain_getattr_confined_domains'($*)) dnl
gen_require(`
attribute domain, unconfined_domain_type;
')
# Same as domain_getattr_all_domains with the unconfined types removed
# from the target set, so a confined process lister cannot learn the
# contexts of unconfined processes.
allow $1 { domain -unconfined_domain_type }:process getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `domain_getattr_confined_domains'($*)) dnl
')
########################################
##
## Ptrace all domains.
##
##
##
## Domain allowed access.
##
##
##
#
define(`domain_ptrace_all_domains',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `domain_ptrace_all_domains'($*)) dnl
gen_require(`
attribute domain;
')
# ptrace over every domain. A tracer can read and write the memory and
# registers of its tracee, so this is equivalent to full control of
# every process on the system and defeats the confinement of all other
# domains. Reserve it for debuggers run by administrators. If the only
# reason for the request is a denial on /proc/pid/environ, use the
# dontaudit variant below instead; that read triggers a ptrace check.
allow $1 domain:process ptrace;
# The reverse rule lets traced processes report state changes back to
# the tracer.
allow domain $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `domain_ptrace_all_domains'($*)) dnl
')
########################################
##
## Do not audit attempts to ptrace all domains.
##
##
##
## Do not audit attempts to ptrace all domains.
##
##
## Generally this needs to be suppressed because procps tries to access
## /proc/pid/environ and this now triggers a ptrace check in recent kernels
## (2.4 and 2.6).
##
##
##
##
## Domain to not audit.
##
##
#
define(`domain_dontaudit_ptrace_all_domains',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `domain_dontaudit_ptrace_all_domains'($*)) dnl
gen_require(`
attribute domain;
')
# Suppress the ptrace denial without granting it. Typical trigger is a
# process lister reading /proc/pid/environ, which the kernel gates on a
# ptrace check. The denial still happens, the tool just no longer
# fills the audit log.
dontaudit $1 domain:process ptrace;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `domain_dontaudit_ptrace_all_domains'($*)) dnl
')
########################################
##
## Do not audit attempts to ptrace confined domains.
##
##
##
## Do not audit attempts to ptrace confined domains.
##
##
## Generally this needs to be suppressed because procps tries to access
## /proc/pid/environ and this now triggers a ptrace check in recent kernels
## (2.4 and 2.6).
##
##
##
##
## Domain to not audit.
##
##
#
define(`domain_dontaudit_ptrace_confined_domains',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `domain_dontaudit_ptrace_confined_domains'($*)) dnl
gen_require(`
attribute domain, unconfined_domain_type;
')
# As domain_dontaudit_ptrace_all_domains, but attempts against
# unconfined domains stay audited: a confined domain trying to trace an
# unconfined one is worth seeing in the log.
dontaudit $1 { domain -unconfined_domain_type }:process ptrace;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `domain_dontaudit_ptrace_confined_domains'($*)) dnl
')
########################################
##
## Do not audit attempts to read the process
## state (/proc/pid) of all domains.
##
##
##
## Domain to not audit.
##
##
#
define(`domain_dontaudit_read_all_domains_state',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `domain_dontaudit_read_all_domains_state'($*)) dnl
gen_require(`
attribute domain;
')
# Quiet the denials from reading /proc/pid of every domain without
# granting the read. Mirrors the three classes that
# domain_read_all_domains_state allows.
dontaudit $1 domain:dir r_dir_perms;
dontaudit $1 domain:lnk_file r_file_perms;
dontaudit $1 domain:file r_file_perms;
# cjp: these should be removed:
# Process state is exposed as dir, lnk_file and file objects, so there
# is no legitimate sock_file or fifo_file access under /proc/pid to
# silence; these two lines only mask misdirected access attempts.
dontaudit $1 domain:sock_file r_file_perms;
dontaudit $1 domain:fifo_file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `domain_dontaudit_read_all_domains_state'($*)) dnl
')
########################################
##
## Do not audit attempts to read the process state
## directories of all domains.
##
##
##
## Domain to not audit.
##
##
#
define(`domain_dontaudit_list_all_domains_state',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `domain_dontaudit_list_all_domains_state'($*)) dnl
gen_require(`
attribute domain;
')
# Directory listing only. This is the narrow form of
# domain_dontaudit_read_all_domains_state for callers that merely
# enumerate /proc/pid entries; nothing is granted.
dontaudit $1 domain:dir r_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `domain_dontaudit_list_all_domains_state'($*)) dnl
')
########################################
##
## Get the session ID of all domains.
##
##
##
## Domain allowed access.
##
##
#
define(`domain_getsession_all_domains',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `domain_getsession_all_domains'($*)) dnl
gen_require(`
attribute domain;
')
# Query the session id of any process. Read-only process metadata,
# typically needed by login and terminal management tools.
allow $1 domain:process getsession;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `domain_getsession_all_domains'($*)) dnl
')
########################################
##
## Do not audit attempts to get the
## session ID of all domains.
##
##
##
## Domain to not audit.
##
##
#
define(`domain_dontaudit_getsession_all_domains',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `domain_dontaudit_getsession_all_domains'($*)) dnl
gen_require(`
attribute domain;
')
# Audit suppression for the session id query; the query stays denied.
dontaudit $1 domain:process getsession;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `domain_dontaudit_getsession_all_domains'($*)) dnl
')
########################################
##
## Get the attributes of all domains
## sockets, for all socket types.
##
##
##
## Get the attributes of all domains
## sockets, for all socket types.
##
##
## This is commonly used for domains
## that can use lsof on all domains.
##
##
##
##
## Domain allowed access.
##
##
#
define(`domain_getattr_all_sockets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `domain_getattr_all_sockets'($*)) dnl
gen_require(`
attribute domain;
')
# getattr on every socket class for sockets owned by any domain. This
# is what lsof style tools need to describe open sockets of other
# processes; it reveals endpoints but not traffic.
allow $1 domain:socket_class_set getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `domain_getattr_all_sockets'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of all domains sockets, for all socket types.
##
##
##
## Do not audit attempts to get the attributes
## of all domains sockets, for all socket types.
##
##
## This interface was added for PCMCIA cardmgr
## and is probably excessive.
##
##
##
##
## Domain to not audit.
##
##
#
define(`domain_dontaudit_getattr_all_sockets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `domain_dontaudit_getattr_all_sockets'($*)) dnl
gen_require(`
attribute domain;
')
# Blanket audit suppression across all socket classes. The header notes
# this was added for PCMCIA cardmgr and is probably wider than needed;
# prefer one of the per-class dontaudit interfaces below when the
# offending class is known.
dontaudit $1 domain:socket_class_set getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `domain_dontaudit_getattr_all_sockets'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of all domains TCP sockets.
##
##
##
## Domain to not audit.
##
##
#
define(`domain_dontaudit_getattr_all_tcp_sockets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `domain_dontaudit_getattr_all_tcp_sockets'($*)) dnl
gen_require(`
attribute domain;
')
# Per-class audit suppression for TCP sockets of any domain; grants
# nothing.
dontaudit $1 domain:tcp_socket getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `domain_dontaudit_getattr_all_tcp_sockets'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of all domains UDP sockets.
##
##
##
## Domain to not audit.
##
##
#
define(`domain_dontaudit_getattr_all_udp_sockets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `domain_dontaudit_getattr_all_udp_sockets'($*)) dnl
gen_require(`
attribute domain;
')
# Per-class audit suppression for UDP sockets of any domain; grants
# nothing.
dontaudit $1 domain:udp_socket getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `domain_dontaudit_getattr_all_udp_sockets'($*)) dnl
')
########################################
##
## Do not audit attempts to read or write
## all domains UDP sockets.
##
##
##
## Domain to not audit.
##
##
#
define(`domain_dontaudit_rw_all_udp_sockets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `domain_dontaudit_rw_all_udp_sockets'($*)) dnl
gen_require(`
attribute domain;
')
# Silence read and write denials on UDP sockets inherited from any
# domain. Usually caused by a leaked descriptor; the right fix is to
# close the descriptor on exec, this only hides the symptom.
dontaudit $1 domain:udp_socket { read write };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `domain_dontaudit_rw_all_udp_sockets'($*)) dnl
')
########################################
##
## Do not audit attempts to get attributes of
## all domains IPSEC key management sockets.
##
##
##
## Domain to not audit.
##
##
#
define(`domain_dontaudit_getattr_all_key_sockets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `domain_dontaudit_getattr_all_key_sockets'($*)) dnl
gen_require(`
attribute domain;
')
# Per-class audit suppression for PF_KEY sockets of any domain; grants
# nothing.
dontaudit $1 domain:key_socket getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `domain_dontaudit_getattr_all_key_sockets'($*)) dnl
')
########################################
##
## Do not audit attempts to get attributes of
## all domains packet sockets.
##
##
##
## Domain to not audit.
##
##
#
define(`domain_dontaudit_getattr_all_packet_sockets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `domain_dontaudit_getattr_all_packet_sockets'($*)) dnl
gen_require(`
attribute domain;
')
# Per-class audit suppression for packet sockets of any domain; grants
# nothing.
dontaudit $1 domain:packet_socket getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `domain_dontaudit_getattr_all_packet_sockets'($*)) dnl
')
########################################
##
## Do not audit attempts to get attributes of
## all domains raw sockets.
##
##
##
## Domain to not audit.
##
##
#
define(`domain_dontaudit_getattr_all_raw_sockets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `domain_dontaudit_getattr_all_raw_sockets'($*)) dnl
gen_require(`
attribute domain;
')
# Per-class audit suppression for raw IP sockets of any domain; grants
# nothing.
dontaudit $1 domain:rawip_socket getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `domain_dontaudit_getattr_all_raw_sockets'($*)) dnl
')
########################################
##
## Do not audit attempts to read or write
## all domains key sockets.
##
##
##
## Domain to not audit.
##
##
#
define(`domain_dontaudit_rw_all_key_sockets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `domain_dontaudit_rw_all_key_sockets'($*)) dnl
gen_require(`
attribute domain;
')
# Silence read and write denials on PF_KEY sockets inherited from any
# domain. As with the UDP variant this masks a leaked descriptor rather
# than fixing it.
dontaudit $1 domain:key_socket { read write };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `domain_dontaudit_rw_all_key_sockets'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of all domains unix datagram sockets.
##
##
##
## Domain to not audit.
##
##
#
define(`domain_dontaudit_getattr_all_dgram_sockets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `domain_dontaudit_getattr_all_dgram_sockets'($*)) dnl
gen_require(`
attribute domain;
')
# Per-class audit suppression for unix datagram sockets of any domain;
# grants nothing.
dontaudit $1 domain:unix_dgram_socket getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `domain_dontaudit_getattr_all_dgram_sockets'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of all domains unix stream sockets.
##
##
##
## Domain to not audit.
##
##
#
define(`domain_dontaudit_getattr_all_stream_sockets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `domain_dontaudit_getattr_all_stream_sockets'($*)) dnl
gen_require(`
attribute domain;
')
# Per-class audit suppression for unix stream sockets of any domain;
# grants nothing.
dontaudit $1 domain:unix_stream_socket getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `domain_dontaudit_getattr_all_stream_sockets'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of all domains unnamed pipes.
##
##
##
## Domain to not audit.
##
##
#
define(`domain_dontaudit_getattr_all_pipes',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `domain_dontaudit_getattr_all_pipes'($*)) dnl
gen_require(`
attribute domain;
')
# Unnamed pipes are labeled with the domain that created them and show
# up as fifo_file objects; this silences getattr denials on them
# without granting access.
dontaudit $1 domain:fifo_file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `domain_dontaudit_getattr_all_pipes'($*)) dnl
')
########################################
##
## Allow specified type to set context of all
## domains IPSEC associations.
##
##
##
## Type of subject to be allowed this.
##
##
#
define(`domain_ipsec_setcontext_all_domains',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `domain_ipsec_setcontext_all_domains'($*)) dnl
gen_require(`
attribute domain;
')
# Lets the caller set the security context on IPSEC associations
# labeled with any domain. This is the privilege an IKE daemon or
# setkey style tool needs to install labeled SAs and SPDs; a domain
# holding it decides which label traffic is delivered under, so keep
# it restricted to the key management daemon.
allow $1 domain:association setcontext;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `domain_ipsec_setcontext_all_domains'($*)) dnl
')
########################################
##
## Get the attributes of entry point
## files for all domains.
##
##
##
## Domain allowed access.
##
##
#
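define(`domain_getattr_all_entry_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `domain_getattr_all_entry_files'($*)) dnl
gen_require(`
attribute entry_type;
')
# Stat the entry point files and symlinks of every domain. Only
# getattr is granted: the interface used to hand out r_file_perms on
# the files, which is exactly what domain_read_all_entry_files grants
# and more than the name promises, so callers that only need to stat
# the binaries were silently able to read them. A caller that really
# needs the contents should call domain_read_all_entry_files instead.
allow $1 entry_type:lnk_file getattr;
allow $1 entry_type:file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `domain_getattr_all_entry_files'($*)) dnl
')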
########################################
##
## Read the entry point files for all domains.
##
##
##
## Domain allowed access.
##
##
#
define(`domain_read_all_entry_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `domain_read_all_entry_files'($*)) dnl
gen_require(`
attribute entry_type;
')
# Read the entry point executables of every domain. Read is enough to
# copy or checksum the binaries but not to run them; execution is a
# separate interface.
allow $1 entry_type:lnk_file r_file_perms;
allow $1 entry_type:file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `domain_read_all_entry_files'($*)) dnl
')
########################################
##
## Execute the entry point files for all
## domains in the caller domain.
##
##
##
## Domain allowed access.
##
##
##
#
define(`domain_exec_all_entry_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `domain_exec_all_entry_files'($*)) dnl
gen_require(`
attribute entry_type;
')
# Run any entry point file without a domain transition, i.e. the
# program executes in the caller domain and keeps its permissions.
# This is the opposite of what entry points are for, so it belongs
# only in domains that are effectively unconfined already.
can_exec($1,entry_type)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `domain_exec_all_entry_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete all
## entrypoint files.
##
##
##
## Domain allowed access.
##
##
#
# cjp: added for prelink
define(`domain_manage_all_entry_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `domain_manage_all_entry_files'($*)) dnl
gen_require(`
attribute entry_type;
')
# Write access to every entry point executable on the system. A domain
# that can rewrite an entry point controls the code that runs in the
# domain entered through it, so this is equivalent to compromising
# every confined domain at once. It exists for prelink, which rewrites
# binaries in place; do not reuse it for anything less trusted, and
# watch file integrity on entry_type files if it is granted at all.
allow $1 entry_type:file manage_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `domain_manage_all_entry_files'($*)) dnl
')
########################################
##
## Relabel to and from all entry point
## file types.
##
##
##
## Domain allowed access.
##
##
#
# cjp: added for prelink
define(`domain_relabel_all_entry_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `domain_relabel_all_entry_files'($*)) dnl
gen_require(`
attribute entry_type;
')
# Relabel files to and from any entry point type. relabelto on
# entry_type means the caller can turn an arbitrary file it controls
# into the entry point of any domain, which is as powerful as being
# able to write the entry points themselves. Added for prelink; treat
# it with the same care as domain_manage_all_entry_files.
allow $1 entry_type:file { relabelfrom relabelto };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `domain_relabel_all_entry_files'($*)) dnl
')
########################################
##
## Mmap all entry point files as executable.
##
##
##
## Domain allowed access.
##
##
#
# cjp: added for prelink
define(`domain_mmap_all_entry_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `domain_mmap_all_entry_files'($*)) dnl
gen_require(`
attribute entry_type;
')
# Map any entry point file with PROT_EXEC. The execute permission on
# its own covers executable mappings; running the file as a program in
# the caller domain additionally needs execute_no_trans, which this
# interface deliberately does not grant. Added for prelink.
allow $1 entry_type:file { getattr read execute };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `domain_mmap_all_entry_files'($*)) dnl
')
########################################
##
## Execute an entry_type in the specified domain.
##
##
##
## Domain allowed access.
##
##
##
## Domain to transition to when an entry point file is executed.
##
##
#
# cjp: added for userhelper
define(`domain_entry_file_spec_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `domain_entry_file_spec_domtrans'($*)) dnl
gen_require(`
attribute entry_type;
')
# Two arguments: the first is the source domain, the second the domain
# it transitions to when it executes any entry point file. Because the
# entry point attribute is used rather than a single file type, the
# caller can reach the second domain through the entry point of any
# domain; the target must be prepared to be entered that way. Added
# for userhelper.
domain_trans($1,entry_type,$2)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `domain_entry_file_spec_domtrans'($*)) dnl
')
########################################
##
## Unconfined access to domains.
##
##
##
## Domain allowed access.
##
##
#
define(`domain_unconfined',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `domain_unconfined'($*)) dnl
gen_require(`
attribute set_curr_context;
attribute can_change_process_identity;
attribute can_change_process_role;
attribute can_change_object_identity;
attribute unconfined_domain_type;
')
# Mark the caller as an unconfined domain. unconfined_domain_type is
# the attribute that the confined-only interfaces in this file subtract
# from their targets, so carrying it also takes the type out of the
# reach of confined readers and tracers.
typeattribute $1 unconfined_domain_type;
# pass constraints
# The remaining attributes are, by their names and the comment above,
# the exemptions used by the global constraints on changing user and
# role of a process or the user of an object and on setting the
# current context. A type carrying them is no longer limited by those
# constraints, so this interface should be applied to as few types as
# the system can tolerate.
typeattribute $1 can_change_process_identity;
typeattribute $1 can_change_process_role;
typeattribute $1 can_change_object_identity;
typeattribute $1 set_curr_context;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `domain_unconfined'($*)) dnl
')
#
# These next macros are not templates, but actually are
# support macros. Due to the domain_ prefix, they
# are placed in this module, to try to prevent confusion.
# They are called templates since regular m4 defines
# will not work here.
#
########################################
##
## Do not audit attempts to execute all entry point files.
##
##
##
## Domain to not audit.
##
##
##
#
define(`domain_dontaudit_exec_all_entry_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `domain_dontaudit_exec_all_entry_files'($*)) dnl
gen_require(`
attribute entry_type;
')
# Silence execute denials on entry point files; the execution is still
# refused. Handy for shells and launchers that probe many binaries.
dontaudit $1 entry_type:file execute;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `domain_dontaudit_exec_all_entry_files'($*)) dnl
')
########################################
##
## Allow specified type to associate ipsec packets from any domain
##
##
##
## Type of subject to be allowed this.
##
##
#
define(`domain_ipsec_labels',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `domain_ipsec_labels'($*)) dnl
gen_require(`
attribute domain;
')
# Send to and receive from IPSEC associations labeled with any domain.
# This removes the per-domain separation that labeled IPSEC otherwise
# enforces on the wire for the caller, so it should go only to domains
# that relay traffic for everyone, not to individual services.
allow $1 domain:association { sendto recvfrom };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `domain_ipsec_labels'($*)) dnl
')
########################################
##
## Ability to mmap a low area of the address space,
## as configured by /proc/sys/kernel/mmap_min_addr.
## Preventing such mappings helps protect against
## exploiting null deref bugs in the kernel.
##
##
##
## Domain allowed to mmap low memory.
##
##
#
define(`domain_mmap_low_type',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `domain_mmap_low_type'($*)) dnl
gen_require(`
attribute mmap_low_domain_type;
')
# Tag the caller as a domain that may map the low address range. This
# only adds the attribute; the actual memprotect permission is
# presumably granted elsewhere against mmap_low_domain_type, possibly
# under a tunable, so the grant can be switched off centrally. Every
# type carrying it weakens the mmap_min_addr defence against kernel
# NULL dereference exploits, so add it only where the program cannot
# work otherwise.
typeattribute $1 mmap_low_domain_type;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `domain_mmap_low_type'($*)) dnl
')
########################################
##
## Ability to mmap a low area of the address space,
## as configured by /proc/sys/kernel/mmap_min_addr.
## Preventing such mappings helps protect against
## exploiting null deref bugs in the kernel.
##
##
##
## Domain allowed to mmap low memory.
##
##
#
define(`domain_mmap_low',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `domain_mmap_low'($*)) dnl
# Direct, unconditional grant of the permission checked when a process
# maps below mmap_min_addr. No gen_require is needed because only the
# self target and the memprotect class are referenced. Unlike
# domain_mmap_low_type this cannot be disabled by a tunable, so prefer
# the attribute form unless the grant must always be on.
allow $1 self:memprotect mmap_zero;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `domain_mmap_low'($*)) dnl
')
##
## Basic filesystem types and interfaces.
##
##
##
## This module contains basic filesystem types and interfaces. This
## includes:
##
## - The concept of different file types including basic
## files, mount points, tmp files, etc.
## - Access to groups of files and all files.
## - Types and interfaces for the basic filesystem layout
## (/, /etc, /tmp, /usr, etc.).
##
##
##
##
## Contains the concept of a file.
## Contains the file initial SID.
##
########################################
##
## Make the specified type usable for files
## in a filesystem.
##
##
##
## Type to be used for files.
##
##
#
define(`files_type',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_type'($*)) dnl
gen_require(`
attribute file_type;
')
# Base marker for every type that labels an object in a filesystem.
# The more specific files_* interfaces below call this first, so a
# type only needs this directly when none of the specific ones apply.
# Interfaces that grant access to all files key off this attribute.
typeattribute $1 file_type;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_type'($*)) dnl
')
########################################
##
## Make the specified type usable for
## lock files.
##
##
##
## Type to be used for lock files.
##
##
#
define(`files_lock_file',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_lock_file'($*)) dnl
gen_require(`
attribute lockfile;
')
# A lock file type is a file type first, then tagged with lockfile so
# interfaces that act on all lock files can reach it.
files_type($1)
typeattribute $1 lockfile;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_lock_file'($*)) dnl
')
########################################
##
## Make the specified type usable for
## filesystem mount points.
##
##
##
## Type to be used for mount points.
##
##
#
define(`files_mountpoint',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_mountpoint'($*)) dnl
gen_require(`
attribute mountpoint;
')
# Mark the type as a legitimate mount target. Marking it is what makes
# mount interfaces keyed on the mountpoint attribute apply to it.
files_type($1)
typeattribute $1 mountpoint;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_mountpoint'($*)) dnl
')
########################################
##
## Make the specified type usable for
## runtime process ID files.
##
##
##
## Type to be used for PID files.
##
##
#
define(`files_pid_file',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_pid_file'($*)) dnl
gen_require(`
attribute pidfile;
')
# PID file types are file types tagged with pidfile so that interfaces
# operating on all runtime PID files can address them as a group.
files_type($1)
typeattribute $1 pidfile;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_pid_file'($*)) dnl
')
########################################
##
## Make the specified type a
## configuration file.
##
##
##
## Type to be used as a configuration file.
##
##
#
define(`files_config_file',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_config_file'($*)) dnl
gen_require(`
attribute usercanread;
')
files_type($1)
# this is a hack and should be removed.
# NOTE(review): the usercanread attribute presumably opens the config
# type to user domains as a class rather than through explicit read
# interfaces; confirm against the rules that reference usercanread
# before relying on it, and prefer explicit interfaces for new types.
typeattribute $1 usercanread;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_config_file'($*)) dnl
')
########################################
##
## Make the specified type a
## polyinstantiated directory.
##
##
##
## Type of the file to be used as a
## polyinstantiated directory.
##
##
#
define(`files_poly',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_poly'($*)) dnl
gen_require(`
attribute polydir;
')
# Tag the type as a polyinstantiated directory, i.e. one whose contents
# differ per instance. It stays a plain file type as well.
files_type($1)
typeattribute $1 polydir;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_poly'($*)) dnl
')
########################################
##
## Make the specified type a parent
## of a polyinstantiated directory.
##
##
##
## Type of the file to be used as a
## parent directory.
##
##
#
define(`files_poly_parent',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_poly_parent'($*)) dnl
gen_require(`
attribute polyparent;
')
# Tag the type as the parent directory that holds polyinstantiated
# member directories.
files_type($1)
typeattribute $1 polyparent;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_poly_parent'($*)) dnl
')
########################################
##
## Make the specified type a
## polyinstantiation member directory.
##
##
##
## Type of the file to be used as a
## member directory.
##
##
#
define(`files_poly_member',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_poly_member'($*)) dnl
gen_require(`
attribute polymember;
')
# Tag the type as a per-instance member directory of a polyinstantiated
# directory. Also used by files_tmp_file for every tmp file type.
files_type($1)
typeattribute $1 polymember;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_poly_member'($*)) dnl
')
########################################
##
## Make the domain use the specified
## type of polyinstantiated directory.
##
##
##
## Domain using the polyinstantiated
## directory.
##
##
##
##
## Type of the file to be used as a
## member directory.
##
##
#
define(`files_poly_member_tmp',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_poly_member_tmp'($*)) dnl
gen_require(`
type tmp_t;
')
# type_member: when the domain gets a polyinstantiated member of a
# tmp_t directory, the member directory is labeled with the second
# argument instead of inheriting tmp_t.
type_member $1 tmp_t:dir $2;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_poly_member_tmp'($*)) dnl
')
########################################
##
## Make the specified type a security-sensitive file.
## Such types are subtracted from every *_non_security
## interface in this module, so access by domains that
## only hold those broad grants is denied and audited.
##
##
##
## Type to be marked as a security file.
##
##
#
define(`files_security_file',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_security_file'($*)) dnl
gen_require(`
attribute security_file_type;
')
# The type is still a file type, so the files_*_all_* interfaces reach
# it; only the *_non_security interfaces exclude it. Use this for
# credentials and policy material that broad grants must not cover.
files_type($1)
typeattribute $1 security_file_type;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_security_file'($*)) dnl
')
########################################
##
## Make the specified type a file
## used for temporary files.
##
##
##
## Type of the file to be used as a
## temporary file.
##
##
#
define(`files_tmp_file',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_tmp_file'($*)) dnl
gen_require(`
attribute tmpfile;
type tmp_t;
')
# NOTE(review): tmp_t is required above but not referenced by any rule
# in this block; the tmp_t type_member rule lives in
# files_poly_member_tmp. The require is harmless but appears stale.
# Every tmp file type is also a polyinstantiation member.
files_type($1)
files_poly_member($1)
typeattribute $1 tmpfile;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_tmp_file'($*)) dnl
')
########################################
##
## Transform the type into a file, for use on a
## virtual memory filesystem (tmpfs).
##
##
##
## The type to be transformed.
##
##
#
define(`files_tmpfs_file',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_tmpfs_file'($*)) dnl
gen_require(`
attribute tmpfsfile;
')
# A tmpfs file type is a file type tagged with tmpfsfile; unlike
# files_tmp_file it is not made a polyinstantiation member.
files_type($1)
typeattribute $1 tmpfsfile;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_tmpfs_file'($*)) dnl
')
########################################
##
## Get the attributes of all directories.
##
##
##
## Domain allowed access.
##
##
#
# cjp: this is an odd interface, because to getattr
# all dirs, you need to search all the parent directories
#
define(`files_getattr_all_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_getattr_all_dirs'($*)) dnl
gen_require(`
attribute file_type;
')
# Metadata plus search on every directory carrying a file type,
# security directories included. Search alone does not permit listing
# contents, but it does let the domain probe for the existence of any
# path it can guess.
allow $1 file_type:dir { getattr search };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_getattr_all_dirs'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of all directories.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_getattr_all_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_all_dirs'($*)) dnl
gen_require(`
attribute file_type;
')
# Silence denials only; nothing is granted. Note this covers getattr
# but not the search that files_getattr_all_dirs pairs with it, so a
# denied path walk may still produce search denials in the audit log.
dontaudit $1 file_type:dir getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_all_dirs'($*)) dnl
')
########################################
##
## List all non-security directories.
##
##
##
## Domain allowed access.
##
##
#
define(`files_list_non_security',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_list_non_security'($*)) dnl
gen_require(`
attribute file_type, security_file_type;
')
# Read-only directory access to every file type except those marked
# with files_security_file. Any type not explicitly marked that way is
# included, so new sensitive directories must be marked to be excluded.
allow $1 { file_type -security_file_type }:dir r_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_list_non_security'($*)) dnl
')
########################################
##
## Do not audit attempts to list all
## non-security directories.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_list_non_security',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_list_non_security'($*)) dnl
gen_require(`
attribute file_type, security_file_type;
')
# Suppress audit of denied directory reads on non-security types; the
# same exclusion as files_list_non_security, and no access is granted.
dontaudit $1 { file_type -security_file_type }:dir r_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_list_non_security'($*)) dnl
')
########################################
##
## Mount a filesystem on all non-security directories.
##
##
##
## Domain allowed access.
##
##
#
define(`files_mounton_non_security_dir',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_mounton_non_security_dir'($*)) dnl
gen_require(`
attribute file_type, security_file_type;
')
# Mounting over a directory hides whatever was underneath it, so this
# lets the domain shadow almost any path in the tree. Only types marked
# via files_security_file are excluded; everything else is fair game.
allow $1 { file_type -security_file_type }:dir mounton;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_mounton_non_security_dir'($*)) dnl
')
########################################
##
## Mount a filesystem on all non-security files.
##
##
##
## Domain allowed access.
##
##
#
define(`files_mounton_non_security_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_mounton_non_security_files'($*)) dnl
gen_require(`
attribute file_type, security_file_type;
')
# Bind-mount style shadowing of regular files: the mount replaces what a
# later opener sees at that path. Excluded only for security file types.
allow $1 { file_type -security_file_type }:file mounton;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_mounton_non_security_files'($*)) dnl
')
########################################
##
## Write to all non-security directories. Only the
## dir write permission is granted; add_name and
## remove_name are not, so entries cannot be created
## or unlinked through this interface alone.
##
##
##
## Domain to allow
##
##
#
define(`files_write_non_security_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_write_non_security_dirs'($*)) dnl
gen_require(`
attribute file_type, security_file_type;
')
# Grants only the write permission on the directory object, not
# add_name or remove_name, and not search. Callers that need to create
# or delete entries must obtain those separately.
allow $1 { file_type -security_file_type }:dir write;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_write_non_security_dirs'($*)) dnl
')
########################################
##
## Get the attributes of all files.
##
##
##
## Domain allowed access.
##
##
#
define(`files_getattr_all_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_getattr_all_files'($*)) dnl
gen_require(`
attribute file_type;
')
# Stat any regular file or symlink labeled with a file type, security
# types included. Directory search comes along because a path lookup
# must traverse the parents; no read access to contents is granted.
allow $1 file_type:dir search;
allow $1 file_type:{ file lnk_file } getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_getattr_all_files'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of all files.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_getattr_all_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_all_files'($*)) dnl
gen_require(`
attribute file_type;
')
# Audit suppression only, and only for the file class; symlinks and
# directories are covered by their own dontaudit interfaces.
dontaudit $1 file_type:file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_all_files'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of non security files.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_getattr_non_security_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_non_security_files'($*)) dnl
gen_require(`
attribute file_type, security_file_type;
')
# Keeps stat denials on security file types in the audit log while
# silencing them everywhere else; prefer this over the all_files form.
dontaudit $1 { file_type -security_file_type }:file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_non_security_files'($*)) dnl
')
########################################
##
## Read all files.
##
##
##
## Domain allowed access.
##
##
#
define(`files_read_all_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_read_all_files'($*)) dnl
gen_require(`
attribute file_type;
')
# Read every regular file with a file type, security types included,
# and list every such directory. When the auth module is present this
# also explicitly reaches the shadow file, so a caller of this
# interface can read stored credentials. Domains that merely need
# broad read access should use files_read_non_security_files instead.
allow $1 file_type:dir list_dir_perms;
allow $1 file_type:file read_file_perms;
optional_policy(`
auth_read_shadow($1)
')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_read_all_files'($*)) dnl
')
########################################
##
## Allow shared library text relocations in all files.
##
##
##
## Allow shared library text relocations in all files.
##
##
## This is added to support WINE in the targeted
## policy. It has no effect on the strict policy.
##
##
##
##
## Domain allowed access.
##
##
#
define(`files_execmod_all_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_execmod_all_files'($*)) dnl
ifdef(`targeted_policy',`
gen_require(`
attribute file_type;
')
# Targeted policy only: permit text relocations on any mapped file
# with a file type. execmod lets a writable mapping become executable,
# which defeats the W^X memory protection for this domain, so keep
# this to the WINE-style cases the header describes.
allow $1 file_type:file execmod;
',`
# Strict policy: emit a build-time warning instead of any rule.
refpolicywarn(`$0($1) has no effect in strict policy.')
')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_execmod_all_files'($*)) dnl
')
########################################
##
## Read all non-security files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`files_read_non_security_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_read_non_security_files'($*)) dnl
gen_require(`
attribute file_type, security_file_type;
')
# Read files and follow symlinks on every file type not marked via
# files_security_file. Directories get search only, not listing, so
# the domain must already know the paths it opens. Unmarked sensitive
# types are still reachable; mark them to exclude them here.
allow $1 { file_type -security_file_type }:dir search_dir_perms;
allow $1 { file_type -security_file_type }:file r_file_perms;
allow $1 { file_type -security_file_type }:lnk_file { getattr read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_read_non_security_files'($*)) dnl
')
########################################
##
## Read all directories on the filesystem, except
## the listed exceptions.
##
##
##
## The type of the domain performing this action.
##
##
##
##
## The types to be excluded. Each type or attribute
## must be negated by the caller.
##
##
#
define(`files_read_all_dirs_except',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_read_all_dirs_except'($*)) dnl
gen_require(`
attribute file_type;
')
# The second argument is spliced verbatim into the type set, so it must
# consist of negated names such as -shadow_t or -security_file_type.
# A positive name there widens the set rather than narrowing it, and an
# empty argument grants read on every directory with a file type.
allow $1 { file_type $2 }:dir r_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_read_all_dirs_except'($*)) dnl
')
########################################
##
## Read all files on the filesystem, except
## the listed exceptions.
##
##
##
## The type of the domain performing this action.
##
##
##
##
## The types to be excluded. Each type or attribute
## must be negated by the caller.
##
##
#
define(`files_read_all_files_except',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_read_all_files_except'($*)) dnl
gen_require(`
attribute file_type;
')
# Read regular files on every file type except the negated names in
# the second argument; directories get search only. The exclusion list
# is spliced verbatim, so each entry must carry its leading minus sign.
allow $1 { file_type $2 }:dir search;
allow $1 { file_type $2 }:file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_read_all_files_except'($*)) dnl
')
########################################
##
## Read all symbolic links on the filesystem, except
## the listed exceptions.
##
##
##
## The type of the domain performing this action.
##
##
##
##
## The types to be excluded. Each type or attribute
## must be negated by the caller.
##
##
#
define(`files_read_all_symlinks_except',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_read_all_symlinks_except'($*)) dnl
gen_require(`
attribute file_type;
')
# Follow symlinks on every file type except the negated names in the
# second argument. NOTE(review): this uses r_file_perms on lnk_file
# while the sibling files_read_all_symlinks grants only getattr and
# read; the wider set is kept here to preserve existing behavior.
allow $1 { file_type $2 }:dir search;
allow $1 { file_type $2 }:lnk_file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_read_all_symlinks_except'($*)) dnl
')
########################################
##
## Get the attributes of all symbolic links.
##
##
##
## Domain allowed access.
##
##
#
define(`files_getattr_all_symlinks',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_getattr_all_symlinks'($*)) dnl
gen_require(`
attribute file_type;
')
# Stat symlinks of any file type; search on directories is needed to
# reach them. Reading the link target is not included.
allow $1 file_type:dir search;
allow $1 file_type:lnk_file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_getattr_all_symlinks'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of all symbolic links.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_getattr_all_symlinks',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_all_symlinks'($*)) dnl
gen_require(`
attribute file_type;
')
# Audit suppression only for stat on symlinks; grants nothing.
dontaudit $1 file_type:lnk_file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_all_symlinks'($*)) dnl
')
########################################
##
## Do not audit attempts to read all symbolic links.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_read_all_symlinks',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_read_all_symlinks'($*)) dnl
gen_require(`
attribute file_type;
')
# Silence denials for following symlinks of any file type, including
# security types; the denial itself still happens.
dontaudit $1 file_type:lnk_file read;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_read_all_symlinks'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of non security symbolic links.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_getattr_non_security_symlinks',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_non_security_symlinks'($*)) dnl
gen_require(`
attribute file_type, security_file_type;
')
# Silence symlink stat denials except on security file types, which
# keep producing audit records.
dontaudit $1 { file_type -security_file_type }:lnk_file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_non_security_symlinks'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of non security block devices.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_getattr_non_security_blk_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_non_security_blk_files'($*)) dnl
gen_require(`
attribute file_type, security_file_type;
')
# Silence stat denials on block device nodes that carry a non-security
# file type, e.g. nodes sitting in ordinary directories.
dontaudit $1 { file_type -security_file_type }:blk_file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_non_security_blk_files'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of non security character devices.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_getattr_non_security_chr_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_non_security_chr_files'($*)) dnl
gen_require(`
attribute file_type, security_file_type;
')
# Silence stat denials on character device nodes that carry a
# non-security file type. Grants nothing.
dontaudit $1 { file_type -security_file_type }:chr_file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_non_security_chr_files'($*)) dnl
')
########################################
##
## Read all symbolic links.
##
##
##
## Domain allowed access.
##
##
##
#
define(`files_read_all_symlinks',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_read_all_symlinks'($*)) dnl
gen_require(`
attribute file_type;
')
# Follow and stat symlinks of any file type, security types included,
# and list the directories that hold them. Unlike the _except variant
# this grants no lock or ioctl on the link.
allow $1 file_type:dir list_dir_perms;
allow $1 file_type:lnk_file { getattr read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_read_all_symlinks'($*)) dnl
')
########################################
##
## Get the attributes of all named pipes.
##
##
##
## Domain allowed access.
##
##
#
define(`files_getattr_all_pipes',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_getattr_all_pipes'($*)) dnl
gen_require(`
attribute file_type;
')
# Stat named pipes of any file type. Note the directory side grants
# full listing, wider than the plain search used by the symlink and
# device node variants.
allow $1 file_type:dir list_dir_perms;
allow $1 file_type:fifo_file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_getattr_all_pipes'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of all named pipes.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_getattr_all_pipes',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_all_pipes'($*)) dnl
gen_require(`
attribute file_type;
')
# Audit suppression only for stat on named pipes; grants nothing.
dontaudit $1 file_type:fifo_file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_all_pipes'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of non security named pipes.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_getattr_non_security_pipes',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_non_security_pipes'($*)) dnl
gen_require(`
attribute file_type, security_file_type;
')
# Silence named pipe stat denials except on security file types.
dontaudit $1 { file_type -security_file_type }:fifo_file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_non_security_pipes'($*)) dnl
')
########################################
##
## Get the attributes of all named sockets.
##
##
##
## Domain allowed access.
##
##
#
define(`files_getattr_all_sockets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_getattr_all_sockets'($*)) dnl
gen_require(`
attribute file_type;
')
# Stat unix socket nodes of any file type, with full listing of the
# directories that contain them. Connecting is not included.
allow $1 file_type:dir list_dir_perms;
allow $1 file_type:sock_file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_getattr_all_sockets'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of all named sockets.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_getattr_all_sockets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_all_sockets'($*)) dnl
gen_require(`
attribute file_type;
')
# Audit suppression only for stat on socket nodes; grants nothing.
dontaudit $1 file_type:sock_file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_all_sockets'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of non security named sockets.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_getattr_non_security_sockets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_non_security_sockets'($*)) dnl
gen_require(`
attribute file_type, security_file_type;
')
# Silence socket node stat denials except on security file types.
dontaudit $1 { file_type -security_file_type }:sock_file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_non_security_sockets'($*)) dnl
')
########################################
##
## Read all block nodes with file types.
##
##
##
## Domain allowed access.
##
##
#
define(`files_read_all_blk_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_read_all_blk_files'($*)) dnl
gen_require(`
attribute file_type;
')
# Read block device nodes that are labeled with a file type rather than
# a device type. Reading a block node means reading the underlying
# storage, so this should be rare; device types are handled elsewhere.
allow $1 file_type:dir search;
allow $1 file_type:blk_file { getattr read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_read_all_blk_files'($*)) dnl
')
########################################
##
## Read all character nodes with file types.
##
##
##
## Domain allowed access.
##
##
#
define(`files_read_all_chr_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_read_all_chr_files'($*)) dnl
gen_require(`
attribute file_type;
')
# Read character device nodes that carry a file type rather than a
# device type; search is included so they can be reached by path.
allow $1 file_type:dir search;
allow $1 file_type:chr_file { getattr read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_read_all_chr_files'($*)) dnl
')
########################################
##
## Relabel all files on the filesystem, except
## the listed exceptions.
##
##
##
## The type of the domain performing this action.
##
##
##
##
## The types to be excluded. Each type or attribute
## must be negated by the caller.
##
##
##
#
define(`files_relabel_all_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_relabel_all_files'($*)) dnl
gen_require(`
attribute file_type;
')
# Relabel any object of any filesystem class that carries a file type,
# minus whatever the caller negates in the second argument. Directories
# also get read and search so the relabeler can walk the tree.
# Because relabelto covers every file type as well, including security
# file types, a domain with this interface can move objects into or
# out of any label: treat it as full filesystem administration and
# reserve it for restorecon-style tools.
allow $1 { file_type $2 }:dir { r_dir_perms relabelfrom relabelto };
allow $1 { file_type $2 }:{ file lnk_file fifo_file sock_file blk_file chr_file } { getattr relabelfrom relabelto };
# satisfy the assertions:
seutil_relabelto_bin_policy($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_relabel_all_files'($*)) dnl
')
########################################
##
## Read and write all files on the filesystem, except
## the listed exceptions.
##
##
##
## The type of the domain performing this action.
##
##
##
##
## The types to be excluded. Each type or attribute
## must be negated by the caller.
##
##
##
#
define(`files_rw_all_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_rw_all_files'($*)) dnl
gen_require(`
attribute file_type;
')
# Argument 1: the domain being granted access.
# Argument 2: types to exclude, each already negated by the caller (see
# files_relabel_all_files above for the same convention).
# Grants rw_file_perms (defined elsewhere) on the file class only: no
# directory, symlink, pipe, socket or device-node access is added here, so
# directory search/list access has to come from another interface.  This is
# still a system-wide write grant; limit it to domains that truly need it.
allow $1 { file_type $2 }:file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_rw_all_files'($*)) dnl
')
########################################
##
## Manage all files on the filesystem, except
## the listed exceptions.
##
##
##
## The type of the domain performing this action.
##
##
##
##
## The types to be excluded. Each type or attribute
## must be negated by the caller.
##
##
##
#
define(`files_manage_all_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_manage_all_files'($*)) dnl
gen_require(`
attribute file_type;
')
# Argument 1: the domain being granted access.
# Argument 2: types to exclude, each already negated by the caller.
# Grants the full create/read/write/delete permission sets (the create_*_perms
# macros, defined elsewhere) on dirs, files, symlinks, pipes and sockets of
# every file_type except the exclusions.  Block and character device nodes
# are not in this list, unlike files_relabel_all_files above; presumably
# intentional -- confirm before extending it.
# The two calls after the rules exist to satisfy policy assertions; by their
# names they also cover binary policy and kernel module objects, so this
# interface is wider than the allow lines alone suggest.
allow $1 { file_type $2 }:dir create_dir_perms;
allow $1 { file_type $2 }:file create_file_perms;
allow $1 { file_type $2 }:lnk_file create_lnk_perms;
allow $1 { file_type $2 }:fifo_file create_file_perms;
allow $1 { file_type $2 }:sock_file create_file_perms;
# satisfy the assertions:
seutil_create_bin_policy($1)
files_manage_kernel_modules($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_manage_all_files'($*)) dnl
')
########################################
##
## Search the contents of all directories on
## extended attribute filesystems.
##
##
##
## Domain allowed access.
##
##
#
define(`files_search_all',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_search_all'($*)) dnl
gen_require(`
attribute file_type;
')
# Argument 1: the domain being granted access.
# Grants search_dir_perms (defined elsewhere) on every directory carrying
# the file_type attribute.  Search alone does not permit listing; see
# files_list_all for that.
allow $1 file_type:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_search_all'($*)) dnl
')
########################################
##
## List the contents of all directories on
## extended attribute filesystems.
##
##
##
## Domain allowed access.
##
##
#
define(`files_list_all',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_list_all'($*)) dnl
gen_require(`
attribute file_type;
')
# Argument 1: the domain being granted access.
# Grants r_dir_perms (defined elsewhere) on every directory carrying the
# file_type attribute, i.e. the ability to enumerate the whole labeled tree.
# Directory names alone can leak information (user names, package lists),
# so prefer files_search_all when traversal is all that is required.
allow $1 file_type:dir r_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_list_all'($*)) dnl
')
########################################
##
## Do not audit attempts to search the
## contents of any directories on extended
## attribute filesystems.
##
##
##
## Domain allowed access.
##
##
#
define(`files_dontaudit_search_all_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_search_all_dirs'($*)) dnl
gen_require(`
attribute file_type;
')
# Argument 1: the domain whose denials are to be silenced.
# Grants nothing: it only suppresses audit records for denied
# search_dir_perms on any file_type directory.  Because dontaudit hides
# denials system-wide for this domain, it also hides misconfiguration;
# keep such rules to domains known to probe directories harmlessly.
dontaudit $1 file_type:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_search_all_dirs'($*)) dnl
')
########################################
##
## Relabel a filesystem to the type of a file.
##
##
##
## Domain allowed access.
##
##
#
define(`files_relabelto_all_file_type_fs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_relabelto_all_file_type_fs'($*)) dnl
gen_require(`
attribute file_type;
')
# Argument 1: the domain being granted access.
# Grants relabelto on the filesystem class for every file_type, i.e. the
# ability to give a whole filesystem any file label.  Only the filesystem
# object is covered; per-file relabeling is a separate interface.
allow $1 file_type:filesystem relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_relabelto_all_file_type_fs'($*)) dnl
')
########################################
##
## Mount all filesystems with the type of a file.
##
##
##
## Domain allowed access.
##
##
#
define(`files_mount_all_file_type_fs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_mount_all_file_type_fs'($*)) dnl
gen_require(`
attribute file_type;
')
# Argument 1: the domain being granted access.
# Grants mount on the filesystem class for every file_type.  This covers
# only the filesystem object itself; permission to mount onto a given
# directory (mounton) must come from another interface.
allow $1 file_type:filesystem mount;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_mount_all_file_type_fs'($*)) dnl
')
########################################
##
## Unmount all filesystems with the type of a file.
##
##
##
## Domain allowed access.
##
##
#
define(`files_unmount_all_file_type_fs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_unmount_all_file_type_fs'($*)) dnl
gen_require(`
attribute file_type;
')
# Argument 1: the domain being granted access.
# Grants unmount on the filesystem class for every file_type.  Mount and
# unmount are granted by separate interfaces so a domain can be given one
# without the other.
allow $1 file_type:filesystem unmount;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_unmount_all_file_type_fs'($*)) dnl
')
########################################
##
## Mount a filesystem on all mount points.
##
##
##
## Domain allowed access.
##
##
#
define(`files_mounton_all_mountpoints',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_mounton_all_mountpoints'($*)) dnl
gen_require(`
attribute mountpoint;
')
# Argument 1: the domain being granted access.
# Grants mounton (plus getattr/search/read) on every directory, and
# getattr/mounton on every regular file, whose type carries the mountpoint
# attribute.  The file-class rule presumably exists for bind mounts onto
# files -- confirm.  Pair with a files_mount_* interface for the filesystem
# side of the operation.
allow $1 mountpoint:dir { getattr search mounton read };
allow $1 mountpoint:file { getattr mounton };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_mounton_all_mountpoints'($*)) dnl
')
########################################
##
## Get the attributes of all mount points.
##
##
##
## Domain allowed access.
##
##
#
define(`files_getattr_all_mountpoints',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_getattr_all_mountpoints'($*)) dnl
gen_require(`
attribute mountpoint;
')
# Argument 1: the domain being granted access.
# Grants getattr only, on directories carrying the mountpoint attribute;
# no search, listing or mounting is added here.
allow $1 mountpoint:dir getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_getattr_all_mountpoints'($*)) dnl
')
########################################
##
## List the contents of the root directory.
##
##
##
## Domain allowed access.
##
##
#
define(`files_list_root',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_list_root'($*)) dnl
gen_require(`
type root_t;
')
# Argument 1: the domain being granted access.
# Grants r_dir_perms on the root directory (root_t) and r_file_perms on
# symlinks located there, so top-level symlinks can be followed.  No access
# to regular files in the root directory is added.
allow $1 root_t:dir r_dir_perms;
allow $1 root_t:lnk_file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_list_root'($*)) dnl
')
########################################
##
## Create an object in the root directory, with a private
## type using a type transition.
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the object to be created.
##
##
##
##
## The object class of the object being created.
##
##
#
define(`files_root_filetrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_root_filetrans'($*)) dnl
gen_require(`
type root_t;
')
# Argument 1: the creating domain.
# Argument 2: the type the new object receives.
# Argument 3: the object class (or class set) the transition applies to.
# Grants rw_dir_perms on the root directory and installs a type_transition
# so objects of class argument 3 created there are labeled argument 2.
# No permission on argument 2 itself is granted here; the caller must allow
# the domain to create objects of that type separately, otherwise the
# transition is declared but the create is denied.
allow $1 root_t:dir rw_dir_perms;
type_transition $1 root_t:$3 $2;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_root_filetrans'($*)) dnl
')
########################################
##
## Do not audit attempts to read files in
## the root directory.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_read_root_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_read_root_files'($*)) dnl
gen_require(`
type root_t;
')
# Argument 1: the domain whose denials are to be silenced.
# Grants nothing; suppresses audit records for denied getattr/read on
# regular files in the root directory.
dontaudit $1 root_t:file { getattr read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_read_root_files'($*)) dnl
')
########################################
##
## Do not audit attempts to read or write
## files in the root directory.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_rw_root_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_rw_root_files'($*)) dnl
gen_require(`
type root_t;
')
# Argument 1: the domain whose denials are to be silenced (the interface
# is a dontaudit, so no access is granted despite the header wording).
# Suppresses audit records for denied read/write on regular files in the
# root directory; getattr denials are still logged.
dontaudit $1 root_t:file { read write };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_rw_root_files'($*)) dnl
')
########################################
##
## Do not audit attempts to read or write
## character device nodes in the root directory.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_rw_root_chr_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_rw_root_chr_files'($*)) dnl
gen_require(`
type root_t;
')
# Argument 1: the domain whose denials are to be silenced.
# Grants nothing; suppresses audit records for denied read/write on
# character device nodes labeled root_t (nodes sitting in the root
# directory before the proper device labels are applied, presumably).
dontaudit $1 root_t:chr_file { read write };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_rw_root_chr_files'($*)) dnl
')
########################################
##
## Remove entries from the root directory.
##
##
##
## Domain allowed access.
##
##
#
define(`files_delete_root_dir_entry',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_delete_root_dir_entry'($*)) dnl
gen_require(`
type root_t;
')
# Argument 1: the domain being granted access.
# Grants rw_dir_perms (defined elsewhere) on the root directory.  The
# interface name promises only entry removal, but rw_dir_perms is the same
# set files_root_filetrans uses for creation, so this likely also permits
# adding entries; compare files_delete_kernel, which spells out write and
# remove_name explicitly.  Confirm whether a narrower set is intended.
allow $1 root_t:dir rw_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_delete_root_dir_entry'($*)) dnl
')
########################################
##
## Unmount a rootfs filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`files_unmount_rootfs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_unmount_rootfs'($*)) dnl
gen_require(`
type root_t;
')
# Argument 1: the domain being granted access.
# Grants unmount on filesystems labeled root_t only; this is the narrow
# counterpart of files_unmount_all_file_type_fs.
allow $1 root_t:filesystem unmount;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_unmount_rootfs'($*)) dnl
')
########################################
##
## Get attributes of the /boot directory.
##
##
##
## Domain allowed access.
##
##
#
define(`files_getattr_boot_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_getattr_boot_dirs'($*)) dnl
gen_require(`
type boot_t;
')
# Argument 1: the domain being granted access.
# Grants getattr only on directories labeled boot_t (the /boot tree per
# the header); no search or listing.
allow $1 boot_t:dir getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_getattr_boot_dirs'($*)) dnl
')
########################################
##
## Do not audit attempts to get attributes
## of the /boot directory.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_getattr_boot_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_boot_dirs'($*)) dnl
gen_require(`
type boot_t;
')
# Argument 1: the domain whose denials are to be silenced.
# Grants nothing; suppresses audit records for denied getattr on boot_t
# directories.
dontaudit $1 boot_t:dir getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_boot_dirs'($*)) dnl
')
########################################
##
## Search the /boot directory.
##
##
##
## Domain allowed access.
##
##
#
define(`files_search_boot',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_search_boot'($*)) dnl
gen_require(`
type boot_t;
')
# Argument 1: the domain being granted access.
# Grants search_dir_perms (defined elsewhere) on boot_t directories, enough
# to traverse into /boot but not to enumerate it.
allow $1 boot_t:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_search_boot'($*)) dnl
')
########################################
##
## Do not audit attempts to search the /boot directory.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_search_boot',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_search_boot'($*)) dnl
gen_require(`
type boot_t;
')
# Argument 1: the domain whose denials are to be silenced (dontaudit; no
# access is granted despite the header wording).
# Suppresses audit records for denied search_dir_perms on boot_t dirs.
dontaudit $1 boot_t:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_search_boot'($*)) dnl
')
########################################
##
## Create directories in /boot
##
##
##
## Domain allowed access.
##
##
#
define(`files_create_boot_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_create_boot_dirs'($*)) dnl
gen_require(`
type boot_t;
')
# Argument 1: the domain being granted access.
# Grants create plus rw_dir_perms on boot_t directories, i.e. making new
# subdirectories under /boot and modifying existing ones.  Nothing is
# granted on files; see files_manage_boot_files for that.
allow $1 boot_t:dir { create rw_dir_perms };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_create_boot_dirs'($*)) dnl
')
########################################
##
## Create a private type object in boot
## with an automatic type transition
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the object to be created.
##
##
##
##
## The object class of the object being created.
##
##
#
define(`files_boot_filetrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_boot_filetrans'($*)) dnl
gen_require(`
type boot_t;
')
# Argument 1: the creating domain.
# Argument 2: the type the new object receives.
# Argument 3: the object class (or class set) the transition applies to.
# Same shape as files_root_filetrans: rw_dir_perms on the boot_t directory
# plus a type_transition.  No permission on argument 2 is granted here; the
# caller must separately allow creation of objects of that type.
allow $1 boot_t:dir rw_dir_perms;
type_transition $1 boot_t:$3 $2;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_boot_filetrans'($*)) dnl
')
########################################
##
## Create, read, write, and delete files
## in the /boot directory.
##
##
##
## Domain allowed access.
##
##
##
#
define(`files_manage_boot_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_manage_boot_files'($*)) dnl
gen_require(`
type boot_t;
')
# Argument 1: the domain being granted access.
# Grants rw_dir_perms on boot_t directories and manage_file_perms (defined
# elsewhere) on boot_t regular files.  Per the header this is the /boot
# tree, where kernel images and boot loader data live, so a domain with
# this can alter what the system boots; reserve it for trusted installer
# or boot loader maintenance domains.
allow $1 boot_t:dir rw_dir_perms;
allow $1 boot_t:file manage_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_manage_boot_files'($*)) dnl
')
########################################
##
## Relabel from files in the /boot directory.
##
##
##
## Domain allowed access.
##
##
#
define(`files_relabelfrom_boot_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_relabelfrom_boot_files'($*)) dnl
gen_require(`
type boot_t;
')
# Argument 1: the domain being granted access.
# Grants relabelfrom only on boot_t regular files.  A relabel also needs
# relabelto on the destination type and directory search access, neither
# of which is granted here.
allow $1 boot_t:file relabelfrom;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_relabelfrom_boot_files'($*)) dnl
')
########################################
##
## Read and write symbolic links
## in the /boot directory.
##
##
##
## Domain allowed access.
##
##
#
define(`files_rw_boot_symlinks',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_rw_boot_symlinks'($*)) dnl
gen_require(`
type boot_t;
')
# Argument 1: the domain being granted access.
# Grants r_dir_perms on boot_t directories and rw_file_perms on boot_t
# symlinks.  Symlinks in /boot commonly point at the active kernel image,
# so redirecting one changes what gets booted; treat accordingly.
allow $1 boot_t:dir r_dir_perms;
allow $1 boot_t:lnk_file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_rw_boot_symlinks'($*)) dnl
')
########################################
##
## Create, read, write, and delete symbolic links
## in the /boot directory.
##
##
##
## Domain allowed access.
##
##
#
define(`files_manage_boot_symlinks',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_manage_boot_symlinks'($*)) dnl
gen_require(`
type boot_t;
')
# Argument 1: the domain being granted access.
# Grants rw_dir_perms on boot_t directories and manage_file_perms on
# boot_t symlinks (create, modify and delete).  Regular files are not
# covered; see files_manage_boot_files.
allow $1 boot_t:dir rw_dir_perms;
allow $1 boot_t:lnk_file manage_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_manage_boot_symlinks'($*)) dnl
')
########################################
##
## Read kernel files in the /boot directory.
##
##
##
## Domain allowed access.
##
##
#
define(`files_read_kernel_img',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_read_kernel_img'($*)) dnl
gen_require(`
type boot_t;
')
# Argument 1: the domain being granted access.
# Read-only access to /boot: list_dir_perms on boot_t directories and
# getattr/read on boot_t regular files and symlinks.  Nothing here allows
# writing or executing the images.
allow $1 boot_t:dir list_dir_perms;
allow $1 boot_t:file { getattr read };
allow $1 boot_t:lnk_file { getattr read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_read_kernel_img'($*)) dnl
')
########################################
##
## Install a kernel into the /boot directory.
##
##
##
## Domain allowed access.
##
##
##
#
define(`files_create_kernel_img',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_create_kernel_img'($*)) dnl
gen_require(`
type boot_t;
')
# Argument 1: the domain being granted access.
# Grants ra_dir_perms (defined elsewhere) on boot_t directories, create
# and read/write on boot_t regular files, and create/unlink on boot_t
# symlinks.  Note the asymmetry: unlink is allowed on symlinks, but the
# directory set used here is ra_dir_perms rather than the explicit
# write/remove_name that files_delete_kernel grants; if ra_dir_perms does
# not include remove_name, the symlink unlink cannot actually succeed.
# Regular files get no unlink, so old kernels are not removable via this
# interface.  Confirm the intended behaviour before changing either rule.
allow $1 boot_t:dir ra_dir_perms;
allow $1 boot_t:file { getattr read write create };
allow $1 boot_t:lnk_file { getattr read create unlink };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_create_kernel_img'($*)) dnl
')
########################################
##
## Delete a kernel from /boot.
##
##
##
## Domain allowed access.
##
##
##
#
define(`files_delete_kernel',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_delete_kernel'($*)) dnl
gen_require(`
type boot_t;
')
# Argument 1: the domain being granted access.
# Grants the directory permissions needed to remove an entry (write and
# remove_name alongside r_dir_perms) and getattr/unlink on boot_t regular
# files.  add_name is deliberately not in the set, so this cannot be used
# to install files -- pair with files_create_kernel_img for that.
allow $1 boot_t:dir { r_dir_perms write remove_name };
allow $1 boot_t:file { getattr unlink };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_delete_kernel'($*)) dnl
')
########################################
##
## Getattr of directories with the default file type.
##
##
##
## Domain allowed access.
##
##
#
define(`files_getattr_default_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_getattr_default_dirs'($*)) dnl
gen_require(`
type default_t;
')
# Argument 1: the domain being granted access.
# Grants getattr only on directories labeled default_t (the default file
# type per the header).
allow $1 default_t:dir getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_getattr_default_dirs'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes of
## directories with the default file type.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_getattr_default_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_default_dirs'($*)) dnl
gen_require(`
type default_t;
')
# Argument 1: the domain whose denials are to be silenced.
# Grants nothing; suppresses audit records for denied getattr on default_t
# directories.
dontaudit $1 default_t:dir getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_default_dirs'($*)) dnl
')
########################################
##
## Search the contents of directories with the default file type.
##
##
##
## Domain allowed access.
##
##
#
define(`files_search_default',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_search_default'($*)) dnl
gen_require(`
type default_t;
')
# Argument 1: the domain being granted access.
# Grants search_dir_perms (defined elsewhere) on default_t directories;
# traversal only, no listing.
allow $1 default_t:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_search_default'($*)) dnl
')
########################################
##
## List contents of directories with the default file type.
##
##
##
## Domain allowed access.
##
##
#
define(`files_list_default',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_list_default'($*)) dnl
gen_require(`
type default_t;
')
# Argument 1: the domain being granted access.
# Grants r_dir_perms (defined elsewhere) on default_t directories, which
# includes enumerating their contents.
allow $1 default_t:dir r_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_list_default'($*)) dnl
')
########################################
##
## Do not audit attempts to list contents of
## directories with the default file type.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_list_default',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_list_default'($*)) dnl
gen_require(`
type default_t;
')
# Argument 1: the domain whose denials are to be silenced.
# Grants nothing; suppresses audit records for denied r_dir_perms on
# default_t directories.
dontaudit $1 default_t:dir r_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_list_default'($*)) dnl
')
########################################
##
## Mount a filesystem on a directory with the default file type.
##
##
##
## Domain allowed access.
##
##
#
define(`files_mounton_default',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_mounton_default'($*)) dnl
gen_require(`
type default_t;
')
# Argument 1: the domain being granted access.
# Grants getattr/search/mounton on default_t directories.  Unlike
# files_mounton_all_mountpoints this does not add read on the directory,
# and nothing is granted on the file class.
allow $1 default_t:dir { getattr search mounton };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_mounton_default'($*)) dnl
')
########################################
##
## Manage a filesystem on a directory with the default file type.
##
##
##
## Domain allowed access.
##
##
#
define(`files_manage_default',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_manage_default'($*)) dnl
gen_require(`
type default_t;
')
# Argument 1: the domain being granted access.
# Despite the header text (which reads like the mounton interface above),
# this grants full management of default_t directories and regular files
# via the manage_dirs_pattern / manage_files_pattern helpers (defined
# elsewhere), with default_t as both the container and the object type.
# Symlinks, pipes, sockets and device nodes are not covered.
manage_dirs_pattern($1, default_t, default_t)
manage_files_pattern($1, default_t, default_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_manage_default'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes of
## files with the default file type.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_getattr_default_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_default_files'($*)) dnl
gen_require(`
type default_t;
')
# Argument 1: the domain whose denials are to be silenced.
# Grants nothing; suppresses audit records for denied getattr on default_t
# regular files.
dontaudit $1 default_t:file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_default_files'($*)) dnl
')
########################################
##
## Read files with the default file type.
##
##
##
## Domain allowed access.
##
##
#
define(`files_read_default_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_read_default_files'($*)) dnl
gen_require(`
type default_t;
')
# Argument 1: the domain being granted access.
# Grants r_file_perms (defined elsewhere) on default_t regular files.  No
# directory access is added here; callers typically pair this with
# files_search_default or files_list_default.
allow $1 default_t:file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_read_default_files'($*)) dnl
')
########################################
##
## Do not audit attempts to read files
## with the default file type.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_read_default_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_read_default_files'($*)) dnl
gen_require(`
type default_t;
')
# Argument 1: the domain whose denials are to be silenced.
# Grants nothing; suppresses audit records for denied r_file_perms on
# default_t regular files.
dontaudit $1 default_t:file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_read_default_files'($*)) dnl
')
########################################
##
## Read symbolic links with the default file type.
##
##
##
## Domain allowed access.
##
##
#
define(`files_read_default_symlinks',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_read_default_symlinks'($*)) dnl
gen_require(`
type default_t;
')
# Argument 1: the domain being granted access.
# Grants r_file_perms (defined elsewhere) on default_t symlinks only;
# the link targets need their own rules.
allow $1 default_t:lnk_file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_read_default_symlinks'($*)) dnl
')
########################################
##
## Read sockets with the default file type.
##
##
##
## Domain allowed access.
##
##
#
define(`files_read_default_sockets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_read_default_sockets'($*)) dnl
gen_require(`
type default_t;
')
# Argument 1: the domain being granted access.
# Grants r_file_perms (defined elsewhere) on default_t socket files (the
# filesystem node only; connecting to the socket is a separate check).
allow $1 default_t:sock_file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_read_default_sockets'($*)) dnl
')
########################################
##
## Read named pipes with the default file type.
##
##
##
## Domain allowed access.
##
##
#
define(`files_read_default_pipes',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_read_default_pipes'($*)) dnl
gen_require(`
type default_t;
')
# Argument 1: the domain being granted access.
# Grants r_file_perms (defined elsewhere) on default_t named pipes.
allow $1 default_t:fifo_file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_read_default_pipes'($*)) dnl
')
########################################
##
## Search the contents of /etc directories.
##
##
##
## Domain allowed access.
##
##
#
define(`files_search_etc',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_search_etc'($*)) dnl
gen_require(`
type etc_t;
')
# Argument 1: the domain being granted access.
# Grants search_dir_perms (defined elsewhere) on etc_t directories (the
# /etc tree per the header); traversal only, no listing.
allow $1 etc_t:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_search_etc'($*)) dnl
')
########################################
##
## Set the attributes of the /etc directories.
##
##
##
## Domain allowed access.
##
##
#
define(`files_setattr_etc_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_setattr_etc_dirs'($*)) dnl
gen_require(`
type etc_t;
')
# Argument 1: the domain being granted access.
# Grants setattr only on etc_t directories (ownership, mode, timestamps
# and similar metadata).  Changing entries inside them needs
# files_rw_etc_dirs.
allow $1 etc_t:dir setattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_setattr_etc_dirs'($*)) dnl
')
########################################
##
## List the contents of /etc directories.
##
##
##
## Domain allowed access.
##
##
#
define(`files_list_etc',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_list_etc'($*)) dnl
gen_require(`
type etc_t;
')
# Argument 1: the domain being granted access.
# Grants r_dir_perms (defined elsewhere) on etc_t directories, including
# enumeration of their entries.  File contents are not covered; see
# files_read_etc_files.
allow $1 etc_t:dir r_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_list_etc'($*)) dnl
')
########################################
##
## Add and remove entries from /etc directories.
##
##
##
## Domain allowed access.
##
##
#
define(`files_rw_etc_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_rw_etc_dirs'($*)) dnl
gen_require(`
type etc_t;
')
# Argument 1: the domain being granted access.
# Grants rw_dir_perms (defined elsewhere) on etc_t directories, i.e. adding
# and removing entries under /etc.  This does not by itself allow creating
# files of a given type; the file class rules come from elsewhere.
allow $1 etc_t:dir rw_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_rw_etc_dirs'($*)) dnl
')
########################################
##
## Read generic files in /etc.
##
##
##
## Domain allowed access.
##
##
#
define(`files_read_etc_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_read_etc_files'($*)) dnl
gen_require(`
type etc_t;
')
# Read generic configuration: list etc_t directories, read etc_t files,
# and read etc_t symlinks so links inside /etc can be followed. Files in
# /etc that carry a more specific type are not covered by this interface.
allow $1 etc_t:dir r_dir_perms;
allow $1 etc_t:file r_file_perms;
allow $1 etc_t:lnk_file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_read_etc_files'($*)) dnl
')
########################################
##
## Do not audit attempts to write generic files in /etc.
##
##
##
## Domain allowed access.
##
##
#
define(`files_dontaudit_write_etc_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_write_etc_files'($*)) dnl
gen_require(`
type etc_t;
')
# dontaudit grants nothing: the write is still denied, only the AVC denial
# record is suppressed. Callers lose visibility of write attempts on etc_t
# files, so reserve this for known-noisy, harmless writes.
dontaudit $1 etc_t:file write;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_write_etc_files'($*)) dnl
')
########################################
##
## Read and write generic files in /etc.
##
##
##
## Domain allowed access.
##
##
##
#
define(`files_rw_etc_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_rw_etc_files'($*)) dnl
gen_require(`
type etc_t;
')
# Read and write existing etc_t files. Directory access stays read-only
# and no create or unlink is granted, so the set of files cannot change.
allow $1 etc_t:dir r_dir_perms;
allow $1 etc_t:file rw_file_perms;
allow $1 etc_t:lnk_file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_rw_etc_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete generic
## files in /etc.
##
##
##
## Domain allowed access.
##
##
##
#
define(`files_manage_etc_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_manage_etc_files'($*)) dnl
gen_require(`
type etc_t;
')
# Full lifecycle on generic /etc configuration: add and remove directory
# entries, and create, write and delete etc_t files. A caller can rewrite
# any etc_t configuration file, so this is a high-trust grant.
allow $1 etc_t:dir rw_dir_perms;
allow $1 etc_t:file create_file_perms;
allow $1 etc_t:lnk_file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_manage_etc_files'($*)) dnl
')
########################################
##
## Delete system configuration files in /etc.
##
##
##
## Domain allowed access.
##
##
#
define(`files_delete_etc_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_delete_etc_files'($*)) dnl
gen_require(`
type etc_t;
')
# Deleting needs both halves: remove_name on the containing etc_t directory
# (part of rw_dir_perms) and unlink on the etc_t file. No read or write of
# file contents is granted.
allow $1 etc_t:dir rw_dir_perms;
allow $1 etc_t:file unlink;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_delete_etc_files'($*)) dnl
')
########################################
##
## Execute generic files in /etc.
##
##
##
## Domain allowed access.
##
##
#
define(`files_exec_etc_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_exec_etc_files'($*)) dnl
gen_require(`
type etc_t;
')
allow $1 etc_t:dir r_dir_perms;
allow $1 etc_t:lnk_file r_file_perms;
# can_exec grants execute on etc_t files in the caller domain (no domain
# transition). A domain that also holds a write interface on etc_t, such as
# files_rw_etc_files or files_manage_etc_files, ends up with write plus
# execute on the same type; review such combinations in callers.
can_exec($1,etc_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_exec_etc_files'($*)) dnl
')
#######################################
##
## Relabel from and to generic files in /etc.
##
##
##
## Domain allowed access.
##
##
#
define(`files_relabel_etc_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_relabel_etc_files'($*)) dnl
gen_require(`
type etc_t;
')
# Relabel etc_t files in both directions: relabelfrom moves a file out of
# etc_t, relabelto gives a file the etc_t label. Directory access is
# listing only; etc_t directories are not relabeled by this interface.
allow $1 etc_t:dir list_dir_perms;
allow $1 etc_t:file { relabelfrom relabelto };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_relabel_etc_files'($*)) dnl
')
########################################
##
## Read symbolic links in /etc.
##
##
##
## Domain allowed access.
##
##
#
define(`files_read_etc_symlinks',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_read_etc_symlinks'($*)) dnl
gen_require(`
type etc_t;
')
# Resolve symlinks in /etc: traverse etc_t directories and read etc_t
# symlink targets. No listing and no access to regular files.
allow $1 etc_t:dir search_dir_perms;
allow $1 etc_t:lnk_file { getattr read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_read_etc_symlinks'($*)) dnl
')
########################################
##
## Create objects in /etc with a private
## type using a type_transition.
##
##
##
## Domain allowed access.
##
##
##
##
## Private file type.
##
##
##
##
## Object classes to be created.
##
##
#
define(`files_etc_filetrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_etc_filetrans'($*)) dnl
gen_require(`
type etc_t;
')
# Automatic labeling: objects of the class(es) in argument 3 that the domain
# creates inside an etc_t directory receive the private type in argument 2
# instead of inheriting etc_t. rw_dir_perms is needed to add the new entry;
# a type_transition grants no access, so permissions on the private type
# must come from a separate rule.
allow $1 etc_t:dir rw_dir_perms;
type_transition $1 etc_t:$3 $2;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_etc_filetrans'($*)) dnl
')
########################################
##
## Create a boot flag.
##
##
##
## Create a boot flag, such as
## /.autorelabel and /.autofsck.
##
##
##
##
## Domain allowed access.
##
##
##
#
define(`files_create_boot_flag',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_create_boot_flag'($*)) dnl
gen_require(`
type root_t, etc_runtime_t;
')
# Boot flags live directly in the filesystem root, so the domain may add
# and remove entries in root_t. The flag files are etc_runtime_t, with the
# explicit permission set below rather than a generic manage set, and new
# files created in / are labeled etc_runtime_t instead of inheriting root_t.
allow $1 root_t:dir rw_dir_perms;
allow $1 etc_runtime_t:file { create read write setattr unlink };
type_transition $1 root_t:file etc_runtime_t;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_create_boot_flag'($*)) dnl
')
########################################
##
## Read files in /etc that are dynamically
## created on boot, such as mtab.
##
##
##
## Domain allowed access.
##
##
##
#
define(`files_read_etc_runtime_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_read_etc_runtime_files'($*)) dnl
gen_require(`
type etc_t, etc_runtime_t;
')
# etc_runtime_t files (mtab and similar) sit inside etc_t directories, so
# read access to etc_t dirs is included to reach them. Only the runtime
# files and symlinks are readable; generic etc_t files are not.
allow $1 etc_t:dir r_dir_perms;
allow $1 etc_runtime_t:file r_file_perms;
allow $1 etc_runtime_t:lnk_file { getattr read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_read_etc_runtime_files'($*)) dnl
')
########################################
##
## Do not audit attempts to read files
## in /etc that are dynamically
## created on boot, such as mtab.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_read_etc_runtime_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_read_etc_runtime_files'($*)) dnl
gen_require(`
type etc_runtime_t;
')
# Suppresses the denial record for getattr/read on etc_runtime_t files;
# the access itself remains denied.
dontaudit $1 etc_runtime_t:file { getattr read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_read_etc_runtime_files'($*)) dnl
')
########################################
##
## Read and write files in /etc that are dynamically
## created on boot, such as mtab.
##
##
##
## Domain allowed access.
##
##
##
#
define(`files_rw_etc_runtime_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_rw_etc_runtime_files'($*)) dnl
gen_require(`
type etc_t, etc_runtime_t;
')
# Read and write existing etc_runtime_t files reached through etc_t
# directories. No create or unlink, and no access to etc_runtime_t
# directories or symlinks.
allow $1 etc_t:dir r_dir_perms;
allow $1 etc_runtime_t:file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_rw_etc_runtime_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete files in
## /etc that are dynamically created on boot,
## such as mtab.
##
##
##
## Domain allowed access.
##
##
##
#
define(`files_manage_etc_runtime_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_manage_etc_runtime_files'($*)) dnl
gen_require(`
type etc_t, etc_runtime_t;
')
# Create, write and delete etc_runtime_t files. Entries may be added and
# removed in both etc_t directories and etc_runtime_t directories, so the
# runtime files can live at either level.
allow $1 etc_t:dir rw_dir_perms;
allow $1 etc_runtime_t:dir rw_dir_perms;
allow $1 etc_runtime_t:file manage_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_manage_etc_runtime_files'($*)) dnl
')
########################################
##
## Create etc runtime objects with an automatic
## type transition.
##
##
##
## Domain allowed access.
##
##
##
##
## The class of the object being created.
##
##
#
define(`files_etc_filetrans_etc_runtime',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_etc_filetrans_etc_runtime'($*)) dnl
gen_require(`
type etc_t, etc_runtime_t;
')
# Objects of the class(es) in argument 2 created in an etc_t directory are
# labeled etc_runtime_t instead of etc_t. The transition grants no access
# on etc_runtime_t; pair it with a manage or rw interface on that type.
allow $1 etc_t:dir rw_dir_perms;
type_transition $1 etc_t:$2 etc_runtime_t;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_etc_filetrans_etc_runtime'($*)) dnl
')
########################################
##
## Getattr of directories on new filesystems
## that have not yet been labeled.
##
##
##
## Domain allowed access.
##
##
#
define(`files_getattr_isid_type_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_getattr_isid_type_dirs'($*)) dnl
gen_require(`
type file_t;
')
# file_t is the label of objects that have no stored label yet (a fresh,
# not yet relabeled filesystem). Only stat on such directories is granted.
allow $1 file_t:dir getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_getattr_isid_type_dirs'($*)) dnl
')
########################################
##
## Do not audit attempts to search directories on new filesystems
## that have not yet been labeled.
##
##
##
## Domain allowed access.
##
##
#
define(`files_dontaudit_search_isid_type_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_search_isid_type_dirs'($*)) dnl
gen_require(`
type file_t;
')
# Suppresses denial records for traversing unlabeled (file_t) directories;
# no access is granted.
dontaudit $1 file_t:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_search_isid_type_dirs'($*)) dnl
')
########################################
##
## List the contents of directories on new filesystems
## that have not yet been labeled.
##
##
##
## Domain allowed access.
##
##
#
define(`files_list_isid_type_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_list_isid_type_dirs'($*)) dnl
gen_require(`
type file_t;
')
# Read-only listing of unlabeled (file_t) directories.
allow $1 file_t:dir r_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_list_isid_type_dirs'($*)) dnl
')
########################################
##
## Read and write directories on new filesystems
## that have not yet been labeled.
##
##
##
## Domain allowed access.
##
##
#
define(`files_rw_isid_type_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_rw_isid_type_dirs'($*)) dnl
gen_require(`
type file_t;
')
# Add and remove entries in unlabeled (file_t) directories; the entries
# themselves need separate grants.
allow $1 file_t:dir rw_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_rw_isid_type_dirs'($*)) dnl
')
########################################
##
## Create, read, write, and delete directories
## on new filesystems that have not yet been labeled.
##
##
##
## Domain allowed access.
##
##
#
define(`files_manage_isid_type_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_manage_isid_type_dirs'($*)) dnl
gen_require(`
type file_t;
')
# Create and delete unlabeled (file_t) directories. Unlabeled content is
# outside the per-type separation that labeled files get, so limit this to
# domains that genuinely prepare or repair new filesystems.
allow $1 file_t:dir create_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_manage_isid_type_dirs'($*)) dnl
')
########################################
##
## Mount a filesystem on a directory on new filesystems
## that has not yet been labeled.
##
##
##
## Domain allowed access.
##
##
#
define(`files_mounton_isid_type_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_mounton_isid_type_dirs'($*)) dnl
gen_require(`
type file_t;
')
# Use an unlabeled (file_t) directory as a mount point. getattr and search
# are the minimum needed to reach the directory; no listing or writes.
allow $1 file_t:dir { getattr search mounton };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_mounton_isid_type_dirs'($*)) dnl
')
########################################
##
## Read files on new filesystems
## that have not yet been labeled.
##
##
##
## Domain allowed access.
##
##
#
define(`files_read_isid_type_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_read_isid_type_files'($*)) dnl
gen_require(`
type file_t;
')
# Read unlabeled (file_t) files, traversing file_t directories to reach
# them. Listing of those directories is not included.
allow $1 file_t:dir search_dir_perms;
allow $1 file_t:file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_read_isid_type_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete files
## on new filesystems that have not yet been labeled.
##
##
##
## Domain allowed access.
##
##
#
define(`files_manage_isid_type_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_manage_isid_type_files'($*)) dnl
gen_require(`
type file_t;
')
# Create, write and delete unlabeled (file_t) files, adding and removing
# their entries in file_t directories.
allow $1 file_t:dir rw_dir_perms;
allow $1 file_t:file create_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_manage_isid_type_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete symbolic links
## on new filesystems that have not yet been labeled.
##
##
##
## Domain allowed access.
##
##
#
define(`files_manage_isid_type_symlinks',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_manage_isid_type_symlinks'($*)) dnl
gen_require(`
type file_t;
')
# Create and delete unlabeled (file_t) symlinks, adding and removing their
# entries in file_t directories.
allow $1 file_t:dir rw_dir_perms;
allow $1 file_t:lnk_file create_lnk_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_manage_isid_type_symlinks'($*)) dnl
')
########################################
##
## Read and write block device nodes on new filesystems
## that have not yet been labeled.
##
##
##
## Domain allowed access.
##
##
#
define(`files_rw_isid_type_blk_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_rw_isid_type_blk_files'($*)) dnl
gen_require(`
type file_t;
')
# Read and write unlabeled block device nodes. Where such a node exists
# this is raw device access, so callers should be treated as highly
# privileged; creation and deletion of the nodes is a separate interface.
allow $1 file_t:dir search_dir_perms;
allow $1 file_t:blk_file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_rw_isid_type_blk_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete block device nodes
## on new filesystems that have not yet been labeled.
##
##
##
## Domain allowed access.
##
##
#
define(`files_manage_isid_type_blk_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_manage_isid_type_blk_files'($*)) dnl
gen_require(`
type file_t;
')
# Create, write and delete unlabeled block device nodes; as with the rw
# variant, this amounts to raw device access where such nodes exist.
allow $1 file_t:dir rw_dir_perms;
allow $1 file_t:blk_file create_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_manage_isid_type_blk_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete character device nodes
## on new filesystems that have not yet been labeled.
##
##
##
## Domain allowed access.
##
##
#
define(`files_manage_isid_type_chr_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_manage_isid_type_chr_files'($*)) dnl
gen_require(`
type file_t;
')
# Create, write and delete unlabeled character device nodes, adding and
# removing their entries in file_t directories.
allow $1 file_t:dir rw_dir_perms;
allow $1 file_t:chr_file create_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_manage_isid_type_chr_files'($*)) dnl
')
########################################
##
## Get the attributes of the home directories root
## (/home).
##
##
##
## Domain allowed access.
##
##
#
define(`files_getattr_home_dir',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_getattr_home_dir'($*)) dnl
gen_require(`
type home_root_t;
')
# Stat the /home root (home_root_t) only; no search or listing.
allow $1 home_root_t:dir getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_getattr_home_dir'($*)) dnl
')
########################################
##
## Do not audit attempts to get the
## attributes of the home directories root
## (/home).
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_getattr_home_dir',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_home_dir'($*)) dnl
gen_require(`
type home_root_t;
')
# Suppresses the denial record for stat on /home (home_root_t); grants nothing.
dontaudit $1 home_root_t:dir getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_home_dir'($*)) dnl
')
########################################
##
## Search home directories root (/home).
##
##
##
## Domain allowed access.
##
##
#
define(`files_search_home',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_search_home'($*)) dnl
gen_require(`
type home_root_t;
')
# Traverse /home (home_root_t) to reach entries below it. Access to the
# home directories themselves is not part of this interface.
allow $1 home_root_t:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_search_home'($*)) dnl
')
########################################
##
## Do not audit attempts to search
## home directories root (/home).
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_search_home',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_search_home'($*)) dnl
gen_require(`
type home_root_t;
')
# Suppresses denial records for traversing /home (home_root_t); grants nothing.
dontaudit $1 home_root_t:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_search_home'($*)) dnl
')
########################################
##
## Do not audit attempts to list
## home directories root (/home).
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_list_home',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_list_home'($*)) dnl
gen_require(`
type home_root_t;
')
# Suppresses denial records for listing /home (home_root_t); grants nothing.
dontaudit $1 home_root_t:dir r_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_list_home'($*)) dnl
')
########################################
##
## List the contents of the home directories root (/home).
##
##
##
## Domain allowed access.
##
##
#
define(`files_list_home',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_list_home'($*)) dnl
gen_require(`
type home_root_t;
')
# Read-only listing of /home (home_root_t), which reveals the names of the
# home directories but grants no access to them.
allow $1 home_root_t:dir r_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_list_home'($*)) dnl
')
########################################
##
## Create objects in /home.
##
##
##
## Domain allowed access.
##
##
##
##
## The private type.
##
##
##
##
## The class of the object being created.
##
##
#
define(`files_home_filetrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_home_filetrans'($*)) dnl
gen_require(`
type home_root_t;
')
# Objects of the class(es) in argument 3 created directly under /home get
# the private type in argument 2 instead of home_root_t. rw_dir_perms adds
# the new entry; access on the private type must be granted separately.
allow $1 home_root_t:dir rw_dir_perms;
type_transition $1 home_root_t:$3 $2;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_home_filetrans'($*)) dnl
')
########################################
##
## Get the attributes of lost+found directories.
##
##
##
## Domain allowed access.
##
##
#
define(`files_getattr_lost_found_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_getattr_lost_found_dirs'($*)) dnl
gen_require(`
type lost_found_t;
')
# Stat lost+found directories only; no search, listing or content access.
allow $1 lost_found_t:dir getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_getattr_lost_found_dirs'($*)) dnl
')
########################################
##
## Create, read, write, and delete objects in
## lost+found directories.
##
##
##
## Domain allowed access.
##
##
##
#
define(`files_manage_lost_found',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_manage_lost_found'($*)) dnl
gen_require(`
type lost_found_t;
')
# lost+found receives orphaned inodes recovered by fsck, so full create and
# delete access is granted for directories, regular files, sockets, fifos
# and symlinks of type lost_found_t. blk_file and chr_file are deliberately
# absent: recovered device nodes are not covered here.
allow $1 lost_found_t:dir create_dir_perms;
allow $1 lost_found_t:file create_file_perms;
allow $1 lost_found_t:sock_file create_file_perms;
allow $1 lost_found_t:fifo_file create_file_perms;
allow $1 lost_found_t:lnk_file create_lnk_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_manage_lost_found'($*)) dnl
')
########################################
##
## Search the contents of /mnt.
##
##
##
## Domain allowed access.
##
##
#
define(`files_search_mnt',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_search_mnt'($*)) dnl
gen_require(`
type mnt_t;
')
# Traverse /mnt (mnt_t) to reach mount points below it; no listing.
allow $1 mnt_t:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_search_mnt'($*)) dnl
')
########################################
##
## Do not audit attempts to search /mnt.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_search_mnt',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_search_mnt'($*)) dnl
gen_require(`
type mnt_t;
')
# Suppresses denial records for traversing /mnt (mnt_t); grants nothing.
dontaudit $1 mnt_t:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_search_mnt'($*)) dnl
')
########################################
##
## List the contents of /mnt.
##
##
##
## Domain allowed access.
##
##
#
define(`files_list_mnt',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_list_mnt'($*)) dnl
gen_require(`
type mnt_t;
')
# Read-only listing of /mnt (mnt_t).
allow $1 mnt_t:dir r_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_list_mnt'($*)) dnl
')
########################################
##
## Mount a filesystem on /mnt.
##
##
##
## Domain allowed access.
##
##
#
define(`files_mounton_mnt',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_mounton_mnt'($*)) dnl
gen_require(`
type mnt_t;
')
# Use /mnt (mnt_t) as a mount point; search is the minimum needed to reach
# it. Note that getattr is not included here, unlike the isid variant.
allow $1 mnt_t:dir { search mounton };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_mounton_mnt'($*)) dnl
')
########################################
##
## Create, read, write, and delete directories in /mnt.
##
##
##
## Domain allowed access.
##
##
##
#
define(`files_manage_mnt_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_manage_mnt_dirs'($*)) dnl
gen_require(`
type mnt_t;
')
# Create and delete mnt_t directories (mount point directories under /mnt).
allow $1 mnt_t:dir create_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_manage_mnt_dirs'($*)) dnl
')
########################################
##
## Create, read, write, and delete files in /mnt.
##
##
##
## Domain allowed access.
##
##
#
define(`files_manage_mnt_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_manage_mnt_files'($*)) dnl
gen_require(`
type mnt_t;
')
# Create, write and delete mnt_t files, adding and removing their entries
# in mnt_t directories.
allow $1 mnt_t:dir rw_dir_perms;
allow $1 mnt_t:file create_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_manage_mnt_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete symbolic links in /mnt.
##
##
##
## Domain allowed access.
##
##
#
define(`files_manage_mnt_symlinks',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_manage_mnt_symlinks'($*)) dnl
gen_require(`
type mnt_t;
')
# Create and delete mnt_t symlinks, adding and removing their entries in
# mnt_t directories.
allow $1 mnt_t:dir rw_dir_perms;
allow $1 mnt_t:lnk_file create_lnk_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_manage_mnt_symlinks'($*)) dnl
')
########################################
##
## Search the contents of the kernel module directories.
##
##
##
## Domain allowed access.
##
##
#
define(`files_search_kernel_modules',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_search_kernel_modules'($*)) dnl
gen_require(`
type modules_object_t;
')
# Traverse the kernel module directories (modules_object_t); no listing and
# no access to the module files.
allow $1 modules_object_t:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_search_kernel_modules'($*)) dnl
')
########################################
##
## List the contents of the kernel module directories.
##
##
##
## Domain allowed access.
##
##
#
define(`files_list_kernel_modules',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_list_kernel_modules'($*)) dnl
gen_require(`
type modules_object_t;
')
# Read-only listing of the kernel module directories (modules_object_t).
allow $1 modules_object_t:dir r_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_list_kernel_modules'($*)) dnl
')
########################################
##
## Get the attributes of kernel module files.
##
##
##
## Domain allowed access.
##
##
#
define(`files_getattr_kernel_modules',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_getattr_kernel_modules'($*)) dnl
gen_require(`
type modules_object_t;
')
# NOTE(review): both rules below are on the dir class, so this grants
# getattr on module directories, not on module files as the summary
# says. Compare files_getattr_usr_files, which pairs dir search with
# file getattr. Confirm whether the second rule was meant to be
# modules_object_t:file getattr before relying on this interface.
allow $1 modules_object_t:dir search_dir_perms;
allow $1 modules_object_t:dir getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_getattr_kernel_modules'($*)) dnl
')
########################################
##
## Read kernel module files.
##
##
##
## Domain allowed access.
##
##
#
define(`files_read_kernel_modules',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_read_kernel_modules'($*)) dnl
gen_require(`
type modules_object_t;
')
# Read-only access to the whole module tree: directory listing plus
# r_file_perms on both symbolic links and regular files. No write,
# create or relabel permission is granted here.
allow $1 modules_object_t:dir r_dir_perms;
allow $1 modules_object_t:lnk_file r_file_perms;
allow $1 modules_object_t:file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_read_kernel_modules'($*)) dnl
')
########################################
##
## Write kernel module files.
##
##
##
## Domain allowed access.
##
##
#
define(`files_write_kernel_modules',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_write_kernel_modules'($*)) dnl
gen_require(`
type modules_object_t;
')
# write and append on existing module files only; there is no create,
# unlink or setattr here (see files_manage_kernel_modules for those).
# Module files are code the kernel later loads, so this write access
# should be granted to as few domains as possible.
allow $1 modules_object_t:dir r_dir_perms;
allow $1 modules_object_t:file { write append };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_write_kernel_modules'($*)) dnl
')
########################################
##
## Delete kernel module files.
##
##
##
## Domain allowed access.
##
##
#
define(`files_delete_kernel_modules',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_delete_kernel_modules'($*)) dnl
gen_require(`
type modules_object_t;
')
# Directory write and remove_name are what unlinking an entry requires.
# Only the file class can be removed; symbolic links are not covered by
# this interface even though files_read_kernel_modules includes them.
allow $1 modules_object_t:dir { list_dir_perms write remove_name };
allow $1 modules_object_t:file unlink;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_delete_kernel_modules'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## kernel module files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`files_manage_kernel_modules',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_manage_kernel_modules'($*)) dnl
gen_require(`
type modules_object_t;
')
# Read/write, create, setattr and unlink on module files, with
# rw_dir_perms on the containing directories. The lnk_file class is not
# included. As with files_write_kernel_modules, this controls code the
# kernel will load, so the set of callers should stay small.
allow $1 modules_object_t:file { rw_file_perms create setattr unlink };
allow $1 modules_object_t:dir rw_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_manage_kernel_modules'($*)) dnl
')
########################################
##
## Relabel from and to kernel module files.
##
##
##
## Domain allowed access.
##
##
#
define(`files_relabel_kernel_modules',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_relabel_kernel_modules'($*)) dnl
gen_require(`
type modules_object_t;
')
# relabelfrom and relabelto on the file class only. Directories get
# listing access so the files can be located, but are not themselves
# relabelable through this interface.
allow $1 modules_object_t:file { relabelfrom relabelto };
allow $1 modules_object_t:dir list_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_relabel_kernel_modules'($*)) dnl
')
########################################
##
## Create objects in the kernel module directories
## with a private type via an automatic type transition.
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the object to be created.
##
##
##
##
## The object class of the object being created.
##
##
#
define(`files_kernel_modules_filetrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_kernel_modules_filetrans'($*)) dnl
gen_require(`
type modules_object_t;
')
# Argument 2 is the private type given to the new object and argument 3
# its object class. The type_transition has no name component, so every
# object of that class the caller creates inside a modules_object_t
# directory receives the private type instead of inheriting
# modules_object_t. Permission to create the object itself is not
# granted here; the caller must hold it on the private type.
allow $1 modules_object_t:dir rw_dir_perms;
type_transition $1 modules_object_t:$3 $2;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_kernel_modules_filetrans'($*)) dnl
')
########################################
##
## List world-readable directories.
##
##
##
## Domain allowed access.
##
##
##
#
define(`files_list_world_readable',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_list_world_readable'($*)) dnl
gen_require(`
type readable_t;
')
# readable_t is the label for world-readable content; this grants
# r_dir_perms on directories of that type only.
allow $1 readable_t:dir r_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_list_world_readable'($*)) dnl
')
########################################
##
## Read world-readable files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`files_read_world_readable_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_read_world_readable_files'($*)) dnl
gen_require(`
type readable_t;
')
# r_file_perms on regular files only. No directory permission is
# granted here; pair with files_list_world_readable where needed.
allow $1 readable_t:file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_read_world_readable_files'($*)) dnl
')
########################################
##
## Read world-readable symbolic links.
##
##
##
## Domain allowed access.
##
##
##
#
define(`files_read_world_readable_symlinks',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_read_world_readable_symlinks'($*)) dnl
gen_require(`
type readable_t;
')
# r_file_perms on the lnk_file class only; the link target is subject
# to its own type and is not covered by this rule.
allow $1 readable_t:lnk_file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_read_world_readable_symlinks'($*)) dnl
')
########################################
##
## Read world-readable named pipes.
##
##
##
## Domain allowed access.
##
##
#
define(`files_read_world_readable_pipes',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_read_world_readable_pipes'($*)) dnl
gen_require(`
type readable_t;
')
# r_file_perms on the fifo_file class only.
allow $1 readable_t:fifo_file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_read_world_readable_pipes'($*)) dnl
')
########################################
##
## Read world-readable sockets.
##
##
##
## Domain allowed access.
##
##
#
define(`files_read_world_readable_sockets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_read_world_readable_sockets'($*)) dnl
gen_require(`
type readable_t;
')
# r_file_perms on the sock_file class only (the socket node, not the
# socket object a peer process holds).
allow $1 readable_t:sock_file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_read_world_readable_sockets'($*)) dnl
')
########################################
##
## Allow the specified type to associate
## to a filesystem with the type of the
## temporary directory (/tmp).
##
##
##
## Type of the file to associate.
##
##
#
define(`files_associate_tmp',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_associate_tmp'($*)) dnl
gen_require(`
type tmp_t;
')
# Unlike most interfaces here, argument 1 is a file type, not a domain:
# the filesystem associate permission lets objects of that type reside
# on a filesystem labelled tmp_t.
allow $1 tmp_t:filesystem associate;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_associate_tmp'($*)) dnl
')
########################################
##
## Get the attributes of the tmp directory (/tmp).
##
##
##
## Domain allowed access.
##
##
#
define(`files_getattr_tmp_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_getattr_tmp_dirs'($*)) dnl
gen_require(`
type tmp_t;
')
# getattr on the tmp_t directory only; no search or listing is granted.
allow $1 tmp_t:dir getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_getattr_tmp_dirs'($*)) dnl
')
########################################
##
## Do not audit attempts to get the
## attributes of the tmp directory (/tmp).
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_getattr_tmp_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_tmp_dirs'($*)) dnl
gen_require(`
type tmp_t;
')
# dontaudit only suppresses the audit record for this denial; the access
# itself stays denied. Use it to keep expected noise out of the logs.
dontaudit $1 tmp_t:dir getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_tmp_dirs'($*)) dnl
')
########################################
##
## Search the tmp directory (/tmp).
##
##
##
## Domain allowed access.
##
##
#
define(`files_search_tmp',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_search_tmp'($*)) dnl
gen_require(`
type tmp_t;
')
# Traversal only: lets the caller resolve paths through tmp_t
# directories without listing them (see files_list_tmp for that).
allow $1 tmp_t:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_search_tmp'($*)) dnl
')
########################################
##
## Do not audit attempts to search the tmp directory (/tmp).
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_search_tmp',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_search_tmp'($*)) dnl
gen_require(`
type tmp_t;
')
# Suppresses the audit record for denied search_dir_perms on tmp_t;
# nothing is allowed by this rule.
dontaudit $1 tmp_t:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_search_tmp'($*)) dnl
')
########################################
##
## Read the tmp directory (/tmp).
##
##
##
## Domain allowed access.
##
##
#
define(`files_list_tmp',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_list_tmp'($*)) dnl
gen_require(`
type tmp_t;
')
# Directory listing only (list_dir_perms); the contents of files in
# /tmp are not readable through this interface.
allow $1 tmp_t:dir list_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_list_tmp'($*)) dnl
')
########################################
##
## Do not audit listing of the tmp directory (/tmp).
##
##
##
## Domain not to audit.
##
##
#
define(`files_dontaudit_list_tmp',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_list_tmp'($*)) dnl
gen_require(`
type tmp_t;
')
# Spelled out as an explicit permission list rather than the
# list_dir_perms set used by files_list_tmp; presumably the same
# permissions. Keep the two in sync if that set is ever changed.
dontaudit $1 tmp_t:dir { read getattr search };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_list_tmp'($*)) dnl
')
########################################
##
## Read files in the tmp directory (/tmp).
##
##
##
## Domain allowed access.
##
##
#
define(`files_read_generic_tmp_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_read_generic_tmp_files'($*)) dnl
gen_require(`
type tmp_t;
')
# Read access to files carrying the generic tmp_t type only. Private
# temporary types of other domains (those with the tmpfile attribute,
# see files_setattr_all_tmp_dirs) are not covered.
allow $1 tmp_t:dir search_dir_perms;
allow $1 tmp_t:file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_read_generic_tmp_files'($*)) dnl
')
########################################
##
## Manage temporary directories in /tmp.
##
##
##
## The type of the process performing this action.
##
##
#
define(`files_manage_generic_tmp_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_manage_generic_tmp_dirs'($*)) dnl
gen_require(`
type tmp_t;
')
# Directory pattern with tmp_t as both the container type and the
# directory type, so the caller manages tmp_t directories inside tmp_t.
manage_dirs_pattern($1,tmp_t,tmp_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_manage_generic_tmp_dirs'($*)) dnl
')
########################################
##
## Manage temporary files and directories in /tmp.
##
##
##
## The type of the process performing this action.
##
##
#
define(`files_manage_generic_tmp_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_manage_generic_tmp_files'($*)) dnl
gen_require(`
type tmp_t;
')
# Written as explicit allow rules rather than through a manage pattern
# as files_manage_generic_tmp_dirs does; presumably equivalent to
# manage_files_pattern on tmp_t. Only the file class is managed here,
# not directories or symlinks.
allow $1 tmp_t:dir rw_dir_perms;
allow $1 tmp_t:file manage_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_manage_generic_tmp_files'($*)) dnl
')
########################################
##
## Read symbolic links in the tmp directory (/tmp).
##
##
##
## Domain allowed access.
##
##
#
define(`files_read_generic_tmp_symlinks',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_read_generic_tmp_symlinks'($*)) dnl
gen_require(`
type tmp_t;
')
# Search plus r_file_perms on lnk_file only. Following a link still
# requires access to the target object under its own type.
allow $1 tmp_t:dir search_dir_perms;
allow $1 tmp_t:lnk_file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_read_generic_tmp_symlinks'($*)) dnl
')
########################################
##
## Read and write generic named sockets in the tmp directory (/tmp).
##
##
##
## Domain allowed access.
##
##
#
define(`files_rw_generic_tmp_sockets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_rw_generic_tmp_sockets'($*)) dnl
gen_require(`
type tmp_t;
')
# read and write on existing sock_file nodes only; no create or unlink,
# so the socket must already exist. Connecting to the peer process is a
# separate permission on the socket object, not granted here.
allow $1 tmp_t:dir search_dir_perms;
allow $1 tmp_t:sock_file { read write };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_rw_generic_tmp_sockets'($*)) dnl
')
########################################
##
## Set the attributes of all tmp directories.
##
##
##
## Domain allowed access.
##
##
#
define(`files_setattr_all_tmp_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_setattr_all_tmp_dirs'($*)) dnl
gen_require(`
attribute tmpfile;
')
# Attribute-wide rule: applies to every type carrying tmpfile, i.e. the
# private temporary types of all domains, not just tmp_t. Limit callers
# to domains that genuinely maintain /tmp as a whole.
allow $1 tmpfile:dir { search setattr };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_setattr_all_tmp_dirs'($*)) dnl
')
########################################
##
## Create an object in the tmp directories, with a private
## type using a type transition.
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the object to be created.
##
##
##
##
## The object class of the object being created.
##
##
#
define(`files_tmp_filetrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_tmp_filetrans'($*)) dnl
gen_require(`
type tmp_t;
')
# Argument 2 is the private type for the new object, argument 3 its
# object class. With no name component, every object of that class the
# caller creates directly in a tmp_t directory gets the private type.
# Create permission on the private type is not granted here.
allow $1 tmp_t:dir rw_dir_perms;
type_transition $1 tmp_t:$3 $2;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_tmp_filetrans'($*)) dnl
')
########################################
##
## Delete the contents of /tmp.
##
##
##
## Domain allowed access.
##
##
#
define(`files_purge_tmp',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_purge_tmp'($*)) dnl
gen_require(`
attribute tmpfile;
')
# Attribute-wide deletion: every object class below is removable for
# every type carrying tmpfile, which includes the private temporary
# types of all domains. Intended for /tmp cleanup domains only.
allow $1 tmpfile:dir list_dir_perms;
delete_dirs_pattern($1,tmpfile,tmpfile)
delete_files_pattern($1,tmpfile,tmpfile)
delete_lnk_files_pattern($1,tmpfile,tmpfile)
delete_fifo_files_pattern($1,tmpfile,tmpfile)
delete_sock_files_pattern($1,tmpfile,tmpfile)
# Objects that never got a type label fall outside the attribute, so
# the initial-SID interfaces are added to cover them as well.
files_delete_isid_type_dirs($1)
files_delete_isid_type_files($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_purge_tmp'($*)) dnl
')
########################################
##
## Search the contents of /usr.
##
##
##
## Domain allowed access.
##
##
#
define(`files_search_usr',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_search_usr'($*)) dnl
gen_require(`
type usr_t;
')
# Traversal only through usr_t directories; listing is files_list_usr.
allow $1 usr_t:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_search_usr'($*)) dnl
')
########################################
##
## List the contents of generic
## directories in /usr.
##
##
##
## Domain allowed access.
##
##
#
define(`files_list_usr',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_list_usr'($*)) dnl
gen_require(`
type usr_t;
')
# r_dir_perms on generic usr_t directories only; file contents are
# covered by files_read_usr_files.
allow $1 usr_t:dir r_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_list_usr'($*)) dnl
')
########################################
##
## Add and remove entries in the /usr
## directories.
##
##
##
## Domain allowed access.
##
##
#
define(`files_rw_usr_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_rw_usr_dirs'($*)) dnl
gen_require(`
type usr_t;
')
# rw_dir_perms lets the caller add and remove entries in generic /usr
# directories. Combined with create permission on some file type this
# is enough to place new content under /usr, so grant it deliberately.
allow $1 usr_t:dir rw_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_rw_usr_dirs'($*)) dnl
')
########################################
##
## Do not audit attempts to add and remove entries in /usr directories.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_rw_usr_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_rw_usr_dirs'($*)) dnl
gen_require(`
type usr_t;
')
# Suppresses audit records for denied rw_dir_perms on usr_t directories;
# the access itself remains denied.
dontaudit $1 usr_t:dir rw_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_rw_usr_dirs'($*)) dnl
')
########################################
##
## Create, read, write, and delete files in the /usr directory.
##
##
##
## Domain allowed access.
##
##
#
define(`files_manage_usr_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_manage_usr_files'($*)) dnl
gen_require(`
type usr_t;
')
# Regular-file pattern with usr_t as both container and file type:
# create, read, write and delete generic files anywhere under /usr.
# This is broad write access to installed software; keep callers few.
manage_files_pattern($1, usr_t, usr_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_manage_usr_files'($*)) dnl
')
########################################
##
## Relabel a file from the type used in /usr.
##
##
##
## Domain allowed access.
##
##
#
define(`files_relabelfrom_usr_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_relabelfrom_usr_files'($*)) dnl
gen_require(`
type usr_t;
')
# Relabel away from usr_t only; the target type needs its own
# relabelto permission, which is not granted here.
relabelfrom_files_pattern($1,usr_t,usr_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_relabelfrom_usr_files'($*)) dnl
')
########################################
##
## Get the attributes of files in /usr.
##
##
##
## Domain allowed access.
##
##
#
define(`files_getattr_usr_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_getattr_usr_files'($*)) dnl
gen_require(`
type usr_t;
')
# Directory search plus getattr on regular files: enough to stat a
# path under /usr without reading the file.
allow $1 usr_t:dir search_dir_perms;
allow $1 usr_t:file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_getattr_usr_files'($*)) dnl
')
########################################
##
## Read generic files in /usr.
##
##
##
## Domain allowed access.
##
##
#
define(`files_read_usr_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_read_usr_files'($*)) dnl
gen_require(`
type usr_t;
')
# Listing plus read of both regular files and symbolic links in one
# rule. No execute permission is included; see files_exec_usr_files.
allow $1 usr_t:dir r_dir_perms;
allow $1 usr_t:{ file lnk_file } r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_read_usr_files'($*)) dnl
')
########################################
##
## Execute generic programs in /usr in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`files_exec_usr_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_exec_usr_files'($*)) dnl
gen_require(`
type usr_t;
')
# can_exec runs usr_t executables in the caller domain with no domain
# transition, so any executable file labelled usr_t runs with the
# full privilege of the caller. Prefer a dedicated exec type and a
# domain transition where the program needs to be confined separately.
allow $1 usr_t:dir r_dir_perms;
allow $1 usr_t:lnk_file r_file_perms;
can_exec($1,usr_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_exec_usr_files'($*)) dnl
')
########################################
##
## Relabel a file to the type used in /usr.
##
##
##
## Domain allowed access.
##
##
#
define(`files_relabelto_usr_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_relabelto_usr_files'($*)) dnl
gen_require(`
type usr_t;
')
# relabelto on the file class only; no directory permission is granted
# here, and the source type needs its own relabelfrom.
allow $1 usr_t:file relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_relabelto_usr_files'($*)) dnl
')
########################################
##
## Read symbolic links in /usr.
##
##
##
## Domain allowed access.
##
##
#
define(`files_read_usr_symlinks',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_read_usr_symlinks'($*)) dnl
gen_require(`
type usr_t;
')
# Search plus r_file_perms on lnk_file only; the link target is
# governed by its own type.
allow $1 usr_t:dir search_dir_perms;
allow $1 usr_t:lnk_file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_read_usr_symlinks'($*)) dnl
')
########################################
##
## Create objects in the /usr directory
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the object to be created
##
##
##
##
## The object class.
##
##
#
define(`files_usr_filetrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_usr_filetrans'($*)) dnl
gen_require(`
type usr_t;
')
# Argument 2 is the type for the new object, argument 3 its object
# class. With no name component, every object of that class the caller
# creates directly in a usr_t directory gets that type. Create
# permission on the new type is not granted here.
allow $1 usr_t:dir rw_dir_perms;
type_transition $1 usr_t:$3 $2;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_usr_filetrans'($*)) dnl
')
########################################
##
## Do not audit attempts to search /usr/src.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_search_src',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_search_src'($*)) dnl
gen_require(`
type src_t;
')
# Suppresses audit records for denied search on src_t directories;
# nothing is allowed by this rule.
dontaudit $1 src_t:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_search_src'($*)) dnl
')
########################################
##
## Get the attributes of files in /usr/src.
##
##
##
## Domain allowed access.
##
##
#
define(`files_getattr_usr_src_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_getattr_usr_src_files'($*)) dnl
gen_require(`
type usr_t, src_t;
')
# Search through both usr_t and src_t so the path below /usr resolves.
# Symbolic links get read as well as getattr (needed to follow them);
# regular files get getattr only, so contents stay unreadable.
allow $1 { usr_t src_t }:dir search_dir_perms;
allow $1 src_t:lnk_file { getattr read };
allow $1 src_t:file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_getattr_usr_src_files'($*)) dnl
')
########################################
##
## Read files in /usr/src.
##
##
##
## Domain allowed access.
##
##
#
define(`files_read_usr_src_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_read_usr_src_files'($*)) dnl
gen_require(`
type usr_t, src_t;
')
# usr_t gets search only (to reach /usr/src); src_t gets listing plus
# read of regular files and symbolic links.
allow $1 usr_t:dir search_dir_perms;
allow $1 src_t:dir r_dir_perms;
allow $1 src_t:{ file lnk_file } r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_read_usr_src_files'($*)) dnl
')
########################################
##
## Execute programs in /usr/src in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`files_exec_usr_src_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_exec_usr_src_files'($*)) dnl
gen_require(`
type usr_t, src_t;
')
# Same directory and symlink access as files_read_usr_src_files, then
# can_exec: src_t executables run in the caller domain with no domain
# transition, so they inherit the full privilege of the caller.
allow $1 usr_t:dir search_dir_perms;
allow $1 src_t:dir r_dir_perms;
allow $1 src_t:lnk_file r_file_perms;
can_exec($1,src_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_exec_usr_src_files'($*)) dnl
')
########################################
##
## Install a system.map into the /boot directory.
##
##
##
## Domain allowed access.
##
##
#
define(`files_create_kernel_symbol_table',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_create_kernel_symbol_table'($*)) dnl
gen_require(`
type boot_t, system_map_t;
')
# ra_dir_perms on boot_t is the directory-side access needed to add a
# new entry. The file rules apply to system_map_t only: read/write and
# create, but no unlink or setattr (see files_delete_kernel_symbol_table).
# No type_transition is declared here, so the new file must get its
# system_map_t label by some other means.
allow $1 boot_t:dir ra_dir_perms;
allow $1 system_map_t:file { rw_file_perms create };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_create_kernel_symbol_table'($*)) dnl
')
########################################
##
## Read system.map in the /boot directory.
##
##
##
## Domain allowed access.
##
##
#
define(`files_read_kernel_symbol_table',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_read_kernel_symbol_table'($*)) dnl
gen_require(`
type boot_t, system_map_t;
')
# Listing of /boot plus read of the system map itself.
allow $1 boot_t:dir r_dir_perms;
allow $1 system_map_t:file r_file_perms;
# cjp: this should be dropped:
# The rule below reads every regular file labelled boot_t, not just the
# system map, which is far wider than the summary promises. It is kept
# for now because existing callers may depend on it; new callers that
# only need the map should not rely on this extra access.
allow $1 boot_t:file { getattr read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_read_kernel_symbol_table'($*)) dnl
')
########################################
##
## Delete a system.map in the /boot directory.
##
##
##
## Domain allowed access.
##
##
#
define(`files_delete_kernel_symbol_table',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_delete_kernel_symbol_table'($*)) dnl
gen_require(`
type boot_t, system_map_t;
')
# Directory write and remove_name are needed to drop the entry from
# /boot; only system_map_t files may be unlinked, other boot_t content
# is untouched.
allow $1 boot_t:dir { r_dir_perms write remove_name };
allow $1 system_map_t:file { getattr unlink };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_delete_kernel_symbol_table'($*)) dnl
')
########################################
##
## Search the contents of /var.
##
##
##
## Domain allowed access.
##
##
#
define(`files_search_var',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_search_var'($*)) dnl
gen_require(`
type var_t;
')
# files_search_var(domain): traverse /var (path lookup only, no listing).
# Most of the /var/* interfaces below grant this themselves.
allow $1 var_t:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_search_var'($*)) dnl
')
########################################
##
## Do not audit attempts to write to /var.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_write_var_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_write_var_dirs'($*)) dnl
gen_require(`
type var_t;
')
# files_dontaudit_write_var_dirs(domain): silence AVC denials for
# write attempts on the /var directory. This grants nothing; the
# access is still denied, only the audit record is suppressed.
dontaudit $1 var_t:dir write;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_write_var_dirs'($*)) dnl
')
########################################
##
## Allow attempts to write to /var directories.
##
##
##
## Domain allowed access.
##
##
#
define(`files_write_var_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_write_var_dirs'($*)) dnl
gen_require(`
type var_t;
')
# files_write_var_dirs(domain): bare write permission on the /var
# directory. Only the write bit is granted, not add_name/remove_name,
# so on its own this does not allow creating or deleting entries.
allow $1 var_t:dir write;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_write_var_dirs'($*)) dnl
')
########################################
##
## Do not audit attempts to search
## the contents of /var.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_search_var',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_search_var'($*)) dnl
gen_require(`
type var_t;
')
# files_dontaudit_search_var(domain): suppress audit records for
# search attempts on /var. Grants no access.
dontaudit $1 var_t:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_search_var'($*)) dnl
')
########################################
##
## List the contents of /var.
##
##
##
## Domain allowed access.
##
##
#
define(`files_list_var',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_list_var'($*)) dnl
gen_require(`
type var_t;
')
# files_list_var(domain): read the /var directory listing.
allow $1 var_t:dir r_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_list_var'($*)) dnl
')
########################################
##
## Create, read, write, and delete directories
## in the /var directory.
##
##
##
## Domain allowed access.
##
##
#
define(`files_manage_var_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_manage_var_dirs'($*)) dnl
gen_require(`
type var_t;
')
# files_manage_var_dirs(domain): full directory management on generic
# var_t directories. This applies to /var itself and to any
# subdirectory still labelled var_t, so it lets the domain create and
# remove top-level entries in /var; prefer a type-specific interface
# when the caller only needs one subtree.
allow $1 var_t:dir create_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_manage_var_dirs'($*)) dnl
')
########################################
##
## Read files in the /var directory.
##
##
##
## Domain allowed access.
##
##
#
define(`files_read_var_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_read_var_files'($*)) dnl
gen_require(`
type var_t;
')
# files_read_var_files(domain): list generic var_t directories and
# read generic var_t files.
allow $1 var_t:dir r_dir_perms;
allow $1 var_t:file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_read_var_files'($*)) dnl
')
########################################
##
## Read and write files in the /var directory.
##
##
##
## Domain allowed access.
##
##
#
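define(`files_rw_var_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_rw_var_files'($*)) dnl
gen_require(`
type var_t;
')
# files_rw_var_files(domain): read and write EXISTING generic files in
# /var. The directory permission mirrors files_read_var_files; the
# file permission is rw_file_perms rather than create_file_perms, so
# this interface is now strictly narrower than files_manage_var_files
# instead of an exact duplicate of it. Callers that create, rename or
# unlink generic var_t files must use files_manage_var_files.
allow $1 var_t:dir r_dir_perms;
allow $1 var_t:file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_rw_var_files'($*)) dnl
')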
########################################
##
## Create, read, write, and delete files in the /var directory.
##
##
##
## Domain allowed access.
##
##
#
define(`files_manage_var_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_manage_var_files'($*)) dnl
gen_require(`
type var_t;
')
# files_manage_var_files(domain): create, read, write and delete
# generic var_t files. rw_dir_perms on the directory is what allows
# entries to be added and removed.
allow $1 var_t:dir rw_dir_perms;
allow $1 var_t:file create_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_manage_var_files'($*)) dnl
')
########################################
##
## Read symbolic links in the /var directory.
##
##
##
## Domain allowed access.
##
##
#
define(`files_read_var_symlinks',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_read_var_symlinks'($*)) dnl
gen_require(`
type var_t;
')
# files_read_var_symlinks(domain): follow symbolic links in /var.
# Only search (not list) is granted on the directory; getattr and
# read on lnk_file are what readlink/path resolution need.
allow $1 var_t:dir search_dir_perms;
allow $1 var_t:lnk_file { getattr read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_read_var_symlinks'($*)) dnl
')
########################################
##
## Create, read, write, and delete symbolic
## links in the /var directory.
##
##
##
## Domain allowed access.
##
##
#
define(`files_manage_var_symlinks',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_manage_var_symlinks'($*)) dnl
gen_require(`
type var_t;
')
# files_manage_var_symlinks(domain): create, read and delete symbolic
# links labelled var_t. Note that a domain which can create arbitrary
# symlinks in /var can redirect other path lookups through them, so
# this should be reserved for domains that genuinely maintain /var.
allow $1 var_t:dir rw_dir_perms;
allow $1 var_t:lnk_file create_lnk_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_manage_var_symlinks'($*)) dnl
')
########################################
##
## Create objects in the /var directory
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the object to be created
##
##
##
##
## The object class.
##
##
#
define(`files_var_filetrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_var_filetrans'($*)) dnl
gen_require(`
type var_t;
')
# files_var_filetrans(domain, new_type, class): objects of the given
# class that the domain creates directly in a var_t directory are
# labelled new_type instead of inheriting var_t. The domain still
# needs its own allow rules on new_type; this interface only grants
# the directory side (rw_dir_perms, so that add_name succeeds).
allow $1 var_t:dir rw_dir_perms;
type_transition $1 var_t:$3 $2;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_var_filetrans'($*)) dnl
')
########################################
##
## Get the attributes of the /var/lib directory.
##
##
##
## Domain allowed access.
##
##
#
define(`files_getattr_var_lib_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_getattr_var_lib_dirs'($*)) dnl
gen_require(`
type var_t, var_lib_t;
')
# files_getattr_var_lib_dirs(domain): stat /var/lib. Search on var_t
# is needed to reach it; only getattr is granted on var_lib_t itself.
allow $1 var_t:dir search_dir_perms;
allow $1 var_lib_t:dir getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_getattr_var_lib_dirs'($*)) dnl
')
########################################
##
## Search the /var/lib directory.
##
##
##
## Domain allowed access.
##
##
#
define(`files_search_var_lib',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_search_var_lib'($*)) dnl
gen_require(`
type var_t, var_lib_t;
')
# files_search_var_lib(domain): traverse /var and /var/lib (path
# lookup only). Both types are granted in one rule.
allow $1 { var_t var_lib_t }:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_search_var_lib'($*)) dnl
')
########################################
##
## List the contents of the /var/lib directory.
##
##
##
## Domain allowed access.
##
##
#
define(`files_list_var_lib',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_list_var_lib'($*)) dnl
gen_require(`
type var_t, var_lib_t;
')
# files_list_var_lib(domain): read the /var/lib directory listing
# (search on /var to reach it, full read on var_lib_t).
allow $1 var_t:dir search_dir_perms;
allow $1 var_lib_t:dir r_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_list_var_lib'($*)) dnl
')
########################################
##
## Create objects in the /var/lib directory
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the object to be created
##
##
##
##
## The object class.
##
##
#
define(`files_var_lib_filetrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_var_lib_filetrans'($*)) dnl
gen_require(`
type var_t, var_lib_t;
')
# files_var_lib_filetrans(domain, new_type, class): objects of the
# given class created by the domain in a var_lib_t directory are
# labelled new_type. Grants search on /var and rw_dir_perms on
# /var/lib; access to new_type itself must be granted separately.
allow $1 var_t:dir search_dir_perms;
allow $1 var_lib_t:dir rw_dir_perms;
type_transition $1 var_lib_t:$3 $2;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_var_lib_filetrans'($*)) dnl
')
########################################
##
## Read generic files in /var/lib.
##
##
##
## Domain allowed access.
##
##
#
define(`files_read_var_lib_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_read_var_lib_files'($*)) dnl
gen_require(`
type var_t, var_lib_t;
')
# files_read_var_lib_files(domain): list /var/lib and read any file
# still labelled with the generic var_lib_t type. Files that have a
# private type are not covered.
allow $1 var_t:dir search_dir_perms;
allow $1 var_lib_t:dir r_dir_perms;
allow $1 var_lib_t:file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_read_var_lib_files'($*)) dnl
')
########################################
##
## Read generic symbolic links in /var/lib
##
##
##
## Domain allowed access.
##
##
#
define(`files_read_var_lib_symlinks',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_read_var_lib_symlinks'($*)) dnl
gen_require(`
type var_t, var_lib_t;
')
# files_read_var_lib_symlinks(domain): follow generic symbolic links
# under /var/lib. Search only on the directories; getattr and read on
# the links.
allow $1 { var_t var_lib_t }:dir search_dir_perms;
allow $1 var_lib_t:lnk_file { getattr read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_read_var_lib_symlinks'($*)) dnl
')
# cjp: the next two interfaces really need to be fixed
# in some way. They really need their own types.
########################################
##
## Create, read, write, and delete the
## pseudorandom number generator seed.
##
##
##
## Domain allowed access.
##
##
#
define(`files_manage_urandom_seed',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_manage_urandom_seed'($*)) dnl
gen_require(`
type var_t, var_lib_t;
')
# files_manage_urandom_seed(domain): intended for the saved PRNG seed,
# but because the seed has no type of its own this grants
# manage_file_perms on EVERY generic var_lib_t file. The body is
# identical to files_manage_mounttab for the same reason. Any domain
# given this interface can therefore rewrite other generic state in
# /var/lib, which is why the author flagged it for a private type.
allow $1 var_t:dir search_dir_perms;
allow $1 var_lib_t:dir rw_dir_perms;
allow $1 var_lib_t:file manage_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_manage_urandom_seed'($*)) dnl
')
########################################
##
## Allow domain to manage mount tables
## necessary for rpcd, nfsd, etc.
##
##
##
## Domain allowed access.
##
##
#
define(`files_manage_mounttab',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_manage_mounttab'($*)) dnl
gen_require(`
type var_t, var_lib_t;
')
# files_manage_mounttab(domain): intended for the NFS/rpc mount tables,
# but with no dedicated type this is manage_file_perms on every
# generic var_lib_t file, the same grant as files_manage_urandom_seed.
# Keep the set of callers small until the tables get a private type.
allow $1 var_t:dir search_dir_perms;
allow $1 var_lib_t:dir rw_dir_perms;
allow $1 var_lib_t:file manage_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_manage_mounttab'($*)) dnl
')
########################################
##
## Search the locks directory (/var/lock).
##
##
##
## Domain allowed access.
##
##
#
define(`files_search_locks',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_search_locks'($*)) dnl
gen_require(`
type var_t, var_lock_t;
')
# files_search_locks(domain): traverse /var and /var/lock (path
# lookup only, no listing).
allow $1 { var_t var_lock_t }:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_search_locks'($*)) dnl
')
########################################
##
## Do not audit attempts to search the
## locks directory (/var/lock).
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_search_locks',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_search_locks'($*)) dnl
gen_require(`
type var_lock_t;
')
# files_dontaudit_search_locks(domain): suppress denials for search
# attempts on /var/lock. Only var_lock_t is covered; a denial on the
# parent /var directory would still be audited.
dontaudit $1 var_lock_t:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_search_locks'($*)) dnl
')
########################################
##
## Add and remove entries in the /var/lock
## directories.
##
##
##
## Domain allowed access.
##
##
#
define(`files_rw_lock_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_rw_lock_dirs'($*)) dnl
gen_require(`
type var_t, var_lock_t;
')
# files_rw_lock_dirs(domain): add and remove entries in /var/lock
# directories. Typically paired with a lock_filetrans call so that
# the created entries get a private type rather than var_lock_t.
allow $1 var_t:dir search_dir_perms;
allow $1 var_lock_t:dir rw_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_rw_lock_dirs'($*)) dnl
')
########################################
##
## Get the attributes of generic lock files.
##
##
##
## Domain allowed access.
##
##
#
define(`files_getattr_generic_locks',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_getattr_generic_locks'($*)) dnl
gen_require(`
type var_t, var_lock_t;
')
# files_getattr_generic_locks(domain): list /var/lock and stat generic
# lock files (existence checks only, no read of contents).
allow $1 var_t:dir search_dir_perms;
allow $1 var_lock_t:dir r_dir_perms;
allow $1 var_lock_t:file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_getattr_generic_locks'($*)) dnl
')
########################################
##
## Create, read, write, and delete generic
## lock files.
##
##
##
## Domain allowed access.
##
##
#
define(`files_manage_generic_locks',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_manage_generic_locks'($*)) dnl
gen_require(`
type var_lock_t;
')
# files_manage_generic_locks(domain): create, read, write and delete
# generic var_lock_t lock files. Unlike the other lock interfaces
# above, this one does NOT grant search on /var; callers must obtain
# that separately (e.g. files_search_var) or the path lookup fails.
allow $1 var_lock_t:dir rw_dir_perms;
allow $1 var_lock_t:file manage_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_manage_generic_locks'($*)) dnl
')
########################################
##
## Delete all lock files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`files_delete_all_locks',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_delete_all_locks'($*)) dnl
gen_require(`
attribute lockfile;
')
# files_delete_all_locks(domain): unlink every file whose type carries
# the lockfile attribute, regardless of which service owns it. Meant
# for boot-time cleanup; it does not grant search on /var or
# /var/lock, so pair it with files_search_locks.
allow $1 lockfile:dir rw_dir_perms;
allow $1 lockfile:file { getattr unlink };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_delete_all_locks'($*)) dnl
')
########################################
##
## Read all lock files.
##
##
##
## Domain allowed access.
##
##
#
define(`files_read_all_locks',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_read_all_locks'($*)) dnl
gen_require(`
attribute lockfile;
type var_t, var_lock_t;
')
# files_read_all_locks(domain): read every lock file of every service
# (anything with the lockfile attribute), including following
# symlinks among them. Grants the /var and /var/lock traversal itself.
allow $1 { var_t var_lock_t }:dir search_dir_perms;
allow $1 lockfile:dir r_dir_perms;
allow $1 lockfile:file r_file_perms;
allow $1 lockfile:lnk_file { getattr read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_read_all_locks'($*)) dnl
')
########################################
##
## Create an object in the locks directory, with a private
## type using a type transition.
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the object to be created.
##
##
##
##
## The object class of the object being created.
##
##
#
define(`files_lock_filetrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_lock_filetrans'($*)) dnl
gen_require(`
type var_t, var_lock_t;
')
# files_lock_filetrans(domain, new_type, class): objects of the given
# class created by the domain in /var/lock are labelled new_type.
# This is the preferred way for a service to get its own lock type
# instead of writing generic var_lock_t files.
allow $1 var_t:dir search_dir_perms;
allow $1 var_lock_t:dir rw_dir_perms;
type_transition $1 var_lock_t:$3 $2;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_lock_filetrans'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of the /var/run directory.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_getattr_pid_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_pid_dirs'($*)) dnl
gen_require(`
type var_run_t;
')
# files_dontaudit_getattr_pid_dirs(domain): suppress denials for
# stat() of /var/run. Grants nothing.
dontaudit $1 var_run_t:dir getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_pid_dirs'($*)) dnl
')
########################################
##
## Search the contents of runtime process
## ID directories (/var/run).
##
##
##
## Domain allowed access.
##
##
#
define(`files_search_pids',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_search_pids'($*)) dnl
gen_require(`
type var_t, var_run_t;
')
# files_search_pids(domain): traverse /var and /var/run (path lookup
# only). Written as two rules; equivalent to the brace form used by
# files_search_locks.
allow $1 var_t:dir search_dir_perms;
allow $1 var_run_t:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_search_pids'($*)) dnl
')
########################################
##
## Do not audit attempts to search
## the /var/run directory.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_search_pids',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_search_pids'($*)) dnl
gen_require(`
type var_run_t;
')
# files_dontaudit_search_pids(domain): suppress denials for search
# attempts on /var/run. Only var_run_t is covered, not the parent /var.
dontaudit $1 var_run_t:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_search_pids'($*)) dnl
')
########################################
##
## List the contents of the runtime process
## ID directories (/var/run).
##
##
##
## Domain allowed access.
##
##
#
define(`files_list_pids',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_list_pids'($*)) dnl
gen_require(`
type var_t, var_run_t;
')
# files_list_pids(domain): read the /var/run directory listing.
allow $1 var_t:dir search_dir_perms;
allow $1 var_run_t:dir r_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_list_pids'($*)) dnl
')
########################################
##
## Create an object in the process ID directory, with a private
## type using a type transition.
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the object to be created.
##
##
##
##
## The object class of the object being created.
##
##
#
define(`files_pid_filetrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_pid_filetrans'($*)) dnl
gen_require(`
type var_t, var_run_t;
')
# files_pid_filetrans(domain, new_type, class): objects of the given
# class created by the domain in /var/run are labelled new_type
# (typically a private pid file or socket type). Grants the
# directory side only; rules on new_type are the callers job.
allow $1 var_t:dir search_dir_perms;
allow $1 var_run_t:dir rw_dir_perms;
type_transition $1 var_run_t:$3 $2;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_pid_filetrans'($*)) dnl
')
########################################
##
## Read and write generic process ID files.
##
##
##
## Domain allowed access.
##
##
#
define(`files_rw_generic_pids',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_rw_generic_pids'($*)) dnl
gen_require(`
type var_t, var_run_t;
')
# files_rw_generic_pids(domain): read and write existing generic
# var_run_t files. No create or unlink is granted, and the directory
# permission is read-only, so the domain cannot add new pid files.
allow $1 var_t:dir search_dir_perms;
allow $1 var_run_t:dir r_dir_perms;
allow $1 var_run_t:file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_rw_generic_pids'($*)) dnl
')
########################################
##
## Do not audit attempts to write to daemon runtime data files.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_write_all_pids',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_write_all_pids'($*)) dnl
gen_require(`
attribute pidfile;
')
# files_dontaudit_write_all_pids(domain): suppress denials for write
# attempts on any file carrying the pidfile attribute. Grants nothing;
# the writes are still denied.
dontaudit $1 pidfile:file write;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_write_all_pids'($*)) dnl
')
########################################
##
## Do not audit attempts to ioctl daemon runtime data files.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_ioctl_all_pids',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_ioctl_all_pids'($*)) dnl
gen_require(`
attribute pidfile;
')
# files_dontaudit_ioctl_all_pids(domain): suppress denials for ioctl
# on any file carrying the pidfile attribute. Grants nothing.
dontaudit $1 pidfile:file ioctl;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_ioctl_all_pids'($*)) dnl
')
########################################
##
## Read all process ID files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`files_read_all_pids',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_read_all_pids'($*)) dnl
gen_require(`
attribute pidfile;
type var_t;
')
# files_read_all_pids(domain): read every pid file of every service
# (anything with the pidfile attribute) and list their directories.
# Search on /var is granted here; var_run_t itself is reached through
# the pidfile attribute if it carries it (not visible in this file).
allow $1 var_t:dir search_dir_perms;
allow $1 pidfile:dir r_dir_perms;
allow $1 pidfile:file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_read_all_pids'($*)) dnl
')
########################################
##
## Mount filesystems on all polyinstantiation
## member directories.
##
##
##
## Domain allowed access.
##
##
#
define(`files_mounton_all_poly_members',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_mounton_all_poly_members'($*)) dnl
gen_require(`
attribute polymember;
')
# files_mounton_all_poly_members(domain): allow the domain to use any
# polyinstantiation member directory as a mount point. This is the
# mounton permission only; it does not grant the mount capability or
# access to the filesystem being mounted.
allow $1 polymember:dir mounton;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_mounton_all_poly_members'($*)) dnl
')
########################################
##
## Delete all process IDs.
##
##
##
## Domain allowed access.
##
##
##
#
define(`files_delete_all_pids',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_delete_all_pids'($*)) dnl
gen_require(`
attribute pidfile;
type var_t, var_run_t;
')
# files_delete_all_pids(domain): boot-time cleanup of /var/run. This
# is broader than the name suggests: besides pid files it also unlinks
# generic var_run_t sockets and symlinks, and can rmdir var_run_t
# directories. Sockets and fifos under the pidfile attribute are
# covered too, so a service whose socket was left behind loses it.
allow $1 var_t:dir search_dir_perms;
allow $1 var_run_t:{ sock_file lnk_file } { getattr unlink };
allow $1 var_run_t:dir rmdir;
allow $1 pidfile:dir rw_dir_perms;
allow $1 pidfile:file { getattr unlink };
allow $1 pidfile:sock_file { getattr unlink };
allow $1 pidfile:fifo_file { getattr unlink };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_delete_all_pids'($*)) dnl
')
########################################
##
## Delete all process ID directories.
##
##
##
## Domain allowed access.
##
##
#
define(`files_delete_all_pid_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_delete_all_pid_dirs'($*)) dnl
gen_require(`
attribute pidfile;
type var_t;
')
# files_delete_all_pid_dirs(domain): remove directories of any type
# carrying the pidfile attribute. rw_dir_perms is needed to empty
# them first; rmdir then removes the directory itself.
allow $1 var_t:dir search_dir_perms;
allow $1 pidfile:dir { rw_dir_perms rmdir };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_delete_all_pid_dirs'($*)) dnl
')
########################################
##
## Search the contents of generic spool
## directories (/var/spool).
##
##
##
## Domain allowed access.
##
##
#
define(`files_search_spool',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_search_spool'($*)) dnl
gen_require(`
type var_t, var_spool_t;
')
# files_search_spool(domain): traverse /var and /var/spool (path
# lookup only, no listing).
allow $1 var_t:dir search_dir_perms;
allow $1 var_spool_t:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_search_spool'($*)) dnl
')
########################################
##
## Do not audit attempts to search generic
## spool directories.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_search_spool',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_search_spool'($*)) dnl
gen_require(`
type var_spool_t;
')
# files_dontaudit_search_spool(domain): suppress denials for search
# attempts on /var/spool. Only var_spool_t is covered, not /var.
dontaudit $1 var_spool_t:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_search_spool'($*)) dnl
')
########################################
##
## List the contents of generic spool
## (/var/spool) directories.
##
##
##
## Domain allowed access.
##
##
#
define(`files_list_spool',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_list_spool'($*)) dnl
gen_require(`
type var_t, var_spool_t;
')
# files_list_spool(domain): read the /var/spool directory listing.
allow $1 var_t:dir search_dir_perms;
allow $1 var_spool_t:dir r_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_list_spool'($*)) dnl
')
########################################
##
## Create, read, write, and delete generic
## spool directories (/var/spool).
##
##
##
## Domain allowed access.
##
##
#
define(`files_manage_generic_spool_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_manage_generic_spool_dirs'($*)) dnl
gen_require(`
type var_t, var_spool_t;
')
# files_manage_generic_spool_dirs(domain): create and remove generic
# var_spool_t directories. Applies to every directory still labelled
# var_spool_t, not just /var/spool itself.
allow $1 var_t:dir search_dir_perms;
allow $1 var_spool_t:dir create_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_manage_generic_spool_dirs'($*)) dnl
')
########################################
##
## Read generic spool files.
##
##
##
## Domain allowed access.
##
##
#
define(`files_read_generic_spool',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_read_generic_spool'($*)) dnl
gen_require(`
type var_t, var_spool_t;
')
# files_read_generic_spool(domain): list /var/spool and read files
# that still carry the generic var_spool_t type. Service spools with
# their own types are not covered.
allow $1 var_t:dir search_dir_perms;
allow $1 var_spool_t:dir r_dir_perms;
allow $1 var_spool_t:file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_read_generic_spool'($*)) dnl
')
########################################
##
## Create, read, write, and delete generic
## spool files.
##
##
##
## Domain allowed access.
##
##
#
define(`files_manage_generic_spool',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_manage_generic_spool'($*)) dnl
gen_require(`
type var_t, var_spool_t;
')
# rw_dir_perms on var_spool_t lets the caller add and remove entries in
# /var/spool itself; create_file_perms gives full control of generic spool
# files. Compare files_manage_generic_spool_dirs, which covers directories only.
allow $1 var_t:dir search_dir_perms;
allow $1 var_spool_t:dir rw_dir_perms;
allow $1 var_spool_t:file create_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_manage_generic_spool'($*)) dnl
')
########################################
##
## Create objects in the spool directory
## with a private type with a type transition.
##
##
##
## Domain allowed access.
##
##
#
define(`files_spool_filetrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_spool_filetrans'($*)) dnl
gen_require(`
type var_t, var_spool_t;
')
# Arguments (the header above documents only the first):
#   arg 1 = domain, arg 2 = private type the new object receives,
#   arg 3 = object class(es) the type_transition applies to.
# The type_transition is what keeps new objects out of the generic
# var_spool_t type, so arg 2 should be a type the calling module owns.
allow $1 var_t:dir search_dir_perms;
allow $1 var_spool_t:dir rw_dir_perms;
type_transition $1 var_spool_t:$3 $2;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_spool_filetrans'($*)) dnl
')
########################################
##
## Allow access to manage all polyinstantiated
## directories on the system.
##
##
##
## Domain allowed access.
##
##
#
define(`files_polyinstantiate_all',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_polyinstantiate_all'($*)) dnl
gen_require(`
attribute polydir, polymember, polyparent;
type poly_t;
')
# Broad, high-privilege interface: sys_admin capability, mounton and
# relabelfrom/relabelto on every directory carrying the polydir, polymember
# or polyparent attribute, plus filesystem unmount and bin execution below.
# Keep the set of callers minimal; this is meant for the polyinstantiation
# setup helper, not for ordinary domains.
files_search_home($1)
# Need to give access to /selinux/member
selinux_compute_member($1)
# Need sys_admin capability for mounting
allow $1 self:capability { chown fsetid sys_admin };
# Need to give access to the directories to be polyinstantiated
allow $1 polydir:dir { create getattr search write add_name setattr mounton rmdir };
# Need to give access to the polyinstantiated subdirectories
allow $1 polymember:dir search_dir_perms;
# Need to give access to parent directories where original
# is remounted for polyinstantiation aware programs (like gdm)
allow $1 polyparent:dir { getattr mounton };
# Need to give permission to create directories where applicable
allow $1 self:process setfscreate;
allow $1 polymember: dir { create setattr relabelto };
# write and add_name on polydir are already granted above; harmless duplicate
allow $1 polydir: dir { write add_name };
allow $1 polyparent:dir { read write remove_name add_name relabelfrom relabelto };
# Default type for mountpoints
allow $1 poly_t:dir { create mounton };
fs_unmount_xattr_fs($1)
corecmd_exec_bin($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_polyinstantiate_all'($*)) dnl
')
########################################
##
## Unconfined access to files.
##
##
##
## Domain allowed access.
##
##
#
define(`files_unconfined',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_unconfined'($*)) dnl
gen_require(`
attribute files_unconfined_type;
')
# Attaching files_unconfined_type hands the domain every rule written against
# that attribute elsewhere (not visible here). Treat a call to this interface
# as removing file confinement for arg 1 entirely.
typeattribute $1 files_unconfined_type;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_unconfined'($*)) dnl
')
########################################
##
## Allow attempts to manage any directory that is not a security file type.
##
##
##
## Domain to allow
##
##
#
define(`files_manage_non_security_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_manage_non_security_dirs'($*)) dnl
gen_require(`
attribute file_type, security_file_type;
')
# create_dir_perms on every type carrying file_type except those also marked
# security_file_type. The set subtraction is the only protection for
# security-relevant directories, so a type that is missing the
# security_file_type attribute is silently included.
allow $1 { file_type -security_file_type }:dir create_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_manage_non_security_dirs'($*)) dnl
')
########################################
##
## Create an aliased type to etc_runtime_t files.
##
##
##
## Create an aliased type to etc runtime files.
##
##
## This is added to remove types that should have been etc_runtime_t
##
##
##
##
## Alias type for etc_runtime_t.
##
##
#
define(`corecmd_etc_runtime_alias',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corecmd_etc_runtime_alias'($*)) dnl
gen_require(`
type etc_runtime_t;
')
# After the typealias, arg 1 and etc_runtime_t are one type: every rule on
# etc_runtime_t applies to the alias. Defined here in the files module
# despite the corecmd_ prefix.
typealias etc_runtime_t alias $1;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corecmd_etc_runtime_alias'($*)) dnl
')
########################################
##
## Create a core file in /.
##
##
##
## Create a core file in /.
##
##
##
##
## Domain allowed access.
##
##
##
#
define(`files_dump_core',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_dump_core'($*)) dnl
gen_require(`
type root_t;
')
# rw_dir_perms on root_t lets the domain add and remove names in /.
# The file rule is deliberately narrow: create, getattr and write only,
# no read, so root_t files can not be read back through this interface.
allow $1 root_t:dir rw_dir_perms;
allow $1 root_t:file { create getattr write };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_dump_core'($*)) dnl
')
########################################
##
## Get the attributes of all filesystems.
##
##
##
## Domain allowed access.
##
##
#
# dwalsh: This interface is to allow quotacheck to work on
# a filesystem mounted with the --context switch
# https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=212957
#
define(`files_getattr_all_filesystems',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_getattr_all_filesystems'($*)) dnl
gen_require(`
attribute file_type;
')
# filesystem-class getattr on every type carrying the file_type attribute.
# Same rule as files_getattr_all_file_type_fs later in this file.
allow $1 file_type:filesystem getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_getattr_all_filesystems'($*)) dnl
')
########################################
##
## Do not audit getattr of all tmp files
##
##
##
## Domain not to audit.
##
##
#
define(`files_dontaudit_getattr_tmp_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_tmp_files'($*)) dnl
gen_require(`
attribute tmpfile;
')
# Audit suppression only; no access is granted. Covers the file class of
# every tmpfile type; sock_file is files_dontaudit_getattr_all_tmp_sockets.
dontaudit $1 tmpfile:file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_tmp_files'($*)) dnl
')
########################################
##
## Allow attempts to get the attributes
## of all tmp files.
##
##
##
## Domain allowed access.
##
##
#
define(`files_getattr_all_tmp_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_getattr_all_tmp_files'($*)) dnl
gen_require(`
attribute tmpfile;
')
# This is an allow rule, not a dontaudit (compare
# files_dontaudit_getattr_tmp_files above): getattr is granted on the file
# class of every type carrying the tmpfile attribute. No dir search is
# included here.
allow $1 tmpfile:file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_getattr_all_tmp_files'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of all tmp sock_file.
##
##
##
## Domain not to audit.
##
##
#
define(`files_dontaudit_getattr_all_tmp_sockets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_all_tmp_sockets'($*)) dnl
gen_require(`
attribute tmpfile;
')
# Audit suppression only; the sock_file counterpart of
# files_dontaudit_getattr_tmp_files.
dontaudit $1 tmpfile:sock_file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_all_tmp_sockets'($*)) dnl
')
########################################
##
## Create an aliased type to etc_t files.
##
##
##
## Create an aliased type to etc files.
##
##
## This is added to remove types that should have been etc_t
##
##
##
##
## Alias type for etc_t.
##
##
#
define(`corecmd_etc_alias',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `corecmd_etc_alias'($*)) dnl
gen_require(`
type etc_t;
')
# Makes arg 1 an alias of etc_t: the two names are a single type, so arg 1
# inherits every rule written for etc_t. Per the header this exists only to
# fold in types that should have been etc_t from the start.
typealias etc_t alias $1;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `corecmd_etc_alias'($*)) dnl
')
########################################
##
## Read all tmp files.
##
##
##
## Domain allowed access.
##
##
#
define(`files_read_all_tmp_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_read_all_tmp_files'($*)) dnl
gen_require(`
attribute tmpfile;
')
# Read-only (r_file_perms) on the file class of every type carrying the
# tmpfile attribute, with dir search only. This crosses whatever separation
# the individual tmp types provide, so limit callers.
allow $1 tmpfile:dir search_dir_perms;
allow $1 tmpfile:file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_read_all_tmp_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete symbolic links in /etc.
##
##
##
## Domain allowed access.
##
##
#
define(`files_manage_etc_symlinks',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_manage_etc_symlinks'($*)) dnl
gen_require(`
type etc_t;
')
# rw_dir_perms on etc_t plus create_lnk_perms: the caller can add, replace
# and remove symlinks in /etc. Symlinks there steer where other domains
# resolve configuration paths, so restrict this to domains that maintain
# such links.
allow $1 etc_t:dir rw_dir_perms;
allow $1 etc_t:lnk_file create_lnk_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_manage_etc_symlinks'($*)) dnl
')
########################################
##
## Create a default directory in /
##
##
##
## Create a default_t directory in /.
##
##
##
##
## Domain allowed access.
##
##
##
#
define(`files_create_default_dir',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_create_default_dir'($*)) dnl
gen_require(`
type root_t, default_t;
')
# Only create is granted on default_t itself; filetrans_pattern (one of the
# type_transition pattern macros at the top of this file) supplies the
# transition so a directory made in root_t is labeled default_t.
allow $1 default_t:dir create;
filetrans_pattern($1,root_t,default_t,dir)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_create_default_dir'($*)) dnl
')
########################################
##
## Delete directories on new filesystems
## that have not yet been labeled.
##
##
##
## Domain allowed access.
##
##
#
define(`files_delete_isid_type_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_delete_isid_type_dirs'($*)) dnl
gen_require(`
type file_t;
')
# file_t is the label of objects on filesystems not yet labeled (header).
# delete_dirs_pattern supplies the removal rules with file_t as both the
# container and the target; nothing here grants read or create.
delete_dirs_pattern($1, file_t, file_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_delete_isid_type_dirs'($*)) dnl
')
########################################
##
## Delete files on new filesystems
## that have not yet been labeled.
##
##
##
## Domain allowed access.
##
##
#
define(`files_delete_isid_type_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_delete_isid_type_files'($*)) dnl
gen_require(`
type file_t;
')
# One delete_*_pattern per object class so that unlabeled (file_t) objects
# of every non-directory class can be removed. Directories are handled by
# files_delete_isid_type_dirs above.
delete_files_pattern($1, file_t, file_t)
delete_lnk_files_pattern($1, file_t, file_t)
delete_fifo_files_pattern($1, file_t, file_t)
delete_sock_files_pattern($1, file_t, file_t)
delete_blk_files_pattern($1, file_t, file_t)
delete_chr_files_pattern($1, file_t, file_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_delete_isid_type_files'($*)) dnl
')
########################################
##
## Get the attributes of all filesystems
## with the type of a file.
##
##
##
## Domain allowed access.
##
##
#
# dwalsh: This interface is to allow quotacheck to work on
# a filesystem mounted with the --context switch
# https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=212957
#
define(`files_getattr_all_file_type_fs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_getattr_all_file_type_fs'($*)) dnl
gen_require(`
attribute file_type;
')
# Same rule as files_getattr_all_filesystems earlier in this file; either
# name yields identical access.
allow $1 file_type:filesystem getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_getattr_all_file_type_fs'($*)) dnl
')
########################################
##
## Manage generic symbolic links
## in the /var/run directory.
##
##
##
## Domain allowed access.
##
##
#
define(`files_manage_generic_pids_symlinks',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_manage_generic_pids_symlinks'($*)) dnl
gen_require(`
type var_run_t;
')
# manage_lnk_files_pattern with var_run_t as both container and link type:
# the caller can create and remove symlinks directly in /var/run. Writable
# symlinks in a shared directory are a classic redirection risk, so limit
# callers to domains that must maintain such links.
manage_lnk_files_pattern($1,var_run_t,var_run_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_manage_generic_pids_symlinks'($*)) dnl
')
## Policy for filesystems.
##
## Contains the initial SID for the filesystems.
##
########################################
##
## Transform specified type into a filesystem type.
##
##
##
## Type to be transformed into a filesystem type.
##
##
#
define(`fs_type',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_type'($*)) dnl
gen_require(`
attribute filesystem_type;
')
# arg 1 is a type, not a domain: it gains the filesystem_type attribute and
# with it every rule written against that attribute elsewhere.
typeattribute $1 filesystem_type;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_type'($*)) dnl
')
########################################
##
## Transform specified type into a filesystem
## type which does not have extended attribute
## support.
##
##
##
## Type to be transformed into a filesystem type without extended attribute support.
##
##
#
define(`fs_noxattr_type',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_noxattr_type'($*)) dnl
gen_require(`
attribute noxattrfs;
')
# Adds both attributes: filesystem_type via fs_type, then noxattrfs. Types
# marked noxattrfs are the targets of fs_associate_noxattr and
# fs_exec_noxattr below.
fs_type($1)
typeattribute $1 noxattrfs;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_noxattr_type'($*)) dnl
')
########################################
##
## Associate the specified file type to persistent
## filesystems with extended attributes. This
## allows a file of this type to be created on
## a filesystem such as ext3, JFS, and XFS.
##
##
##
## The type to be associated.
##
##
#
define(`fs_associate',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_associate'($*)) dnl
gen_require(`
type fs_t;
')
# arg 1 is a file type. associate on fs_t is what permits objects of that
# type to exist on xattr-capable filesystems (header); without it creation
# or relabeling to arg 1 on such a filesystem is denied.
allow $1 fs_t:filesystem associate;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_associate'($*)) dnl
')
########################################
##
## Associate the specified file type to
## filesystems which lack extended attributes
## support. This allows a file of this type
## to be created on a filesystem such as
## FAT32, and NFS.
##
##
##
## The type to be associated.
##
##
#
define(`fs_associate_noxattr',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_associate_noxattr'($*)) dnl
gen_require(`
attribute noxattrfs;
')
# Like fs_associate, but against every type carrying the noxattrfs
# attribute (FAT32 and NFS per the header) rather than fs_t.
allow $1 noxattrfs:filesystem associate;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_associate_noxattr'($*)) dnl
')
########################################
##
## Execute files on a filesystem that does
## not support extended attributes.
##
##
##
## Domain allowed access.
##
##
##
#
define(`fs_exec_noxattr',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_exec_noxattr'($*)) dnl
gen_require(`
attribute noxattrfs;
')
# can_exec grants execution of files on every noxattrfs type. Files on such
# filesystems carry no per-file label (no xattr support), so this amounts
# to running any binary stored there; grant sparingly.
can_exec($1,noxattrfs)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_exec_noxattr'($*)) dnl
')
########################################
##
## Mount a persistent filesystem which
## has extended attributes, such as
## ext3, JFS, or XFS.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_mount_xattr_fs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_mount_xattr_fs'($*)) dnl
gen_require(`
type fs_t;
')
# mount only; remount and unmount on fs_t are separate interfaces below.
allow $1 fs_t:filesystem mount;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_mount_xattr_fs'($*)) dnl
')
########################################
##
## Remount a persistent filesystem which
## has extended attributes, such as
## ext3, JFS, or XFS. This allows
## some mount options to be changed.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_remount_xattr_fs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_remount_xattr_fs'($*)) dnl
gen_require(`
type fs_t;
')
# remount only (changing options on an already mounted fs_t filesystem);
# does not include mount or unmount.
allow $1 fs_t:filesystem remount;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_remount_xattr_fs'($*)) dnl
')
########################################
##
## Unmount a persistent filesystem which
## has extended attributes, such as
## ext3, JFS, or XFS.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_unmount_xattr_fs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_unmount_xattr_fs'($*)) dnl
gen_require(`
type fs_t;
')
# unmount only. Also pulled in by files_polyinstantiate_all earlier in
# this file.
allow $1 fs_t:filesystem unmount;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_unmount_xattr_fs'($*)) dnl
')
########################################
##
## Get the attributes of a persistent
## filesystem which has extended
## attributes, such as ext3, JFS, or XFS.
##
##
##
## Domain allowed access.
##
##
##
#
define(`fs_getattr_xattr_fs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_xattr_fs'($*)) dnl
gen_require(`
type fs_t;
')
# filesystem-class getattr on fs_t only; files_getattr_all_filesystems is
# the attribute-wide version.
allow $1 fs_t:filesystem getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_xattr_fs'($*)) dnl
')
########################################
##
## Do not audit attempts to
## get the attributes of a persistent
## filesystem which has extended
## attributes, such as ext3, JFS, or XFS.
##
##
##
## Domain to not audit.
##
##
#
define(`fs_dontaudit_getattr_xattr_fs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_getattr_xattr_fs'($*)) dnl
gen_require(`
type fs_t;
')
# Audit suppression only; no access is granted.
dontaudit $1 fs_t:filesystem getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_getattr_xattr_fs'($*)) dnl
')
########################################
##
## Allow changing of the label of a
## filesystem with extended attributes
## using the context= mount option.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_relabelfrom_xattr_fs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_relabelfrom_xattr_fs'($*)) dnl
gen_require(`
type fs_t;
')
# Only relabelfrom on fs_t is granted here (the context= mount case per the
# header); the relabelto side on the destination type is not part of this
# interface.
allow $1 fs_t:filesystem relabelfrom;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_relabelfrom_xattr_fs'($*)) dnl
')
########################################
##
## Get the filesystem quotas of a filesystem
## with extended attributes.
##
##
##
## Domain allowed access.
##
##
##
#
define(`fs_get_xattr_fs_quotas',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_get_xattr_fs_quotas'($*)) dnl
gen_require(`
type fs_t;
')
# quotaget only (reading quota state); changing quotas is
# fs_set_xattr_fs_quotas.
allow $1 fs_t:filesystem quotaget;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_get_xattr_fs_quotas'($*)) dnl
')
########################################
##
## Set the filesystem quotas of a filesystem
## with extended attributes.
##
##
##
## Domain allowed access.
##
##
##
#
define(`fs_set_xattr_fs_quotas',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_set_xattr_fs_quotas'($*)) dnl
gen_require(`
type fs_t;
')
# quotamod lets the domain change quota limits on fs_t filesystems; the
# read side is fs_get_xattr_fs_quotas.
allow $1 fs_t:filesystem quotamod;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_set_xattr_fs_quotas'($*)) dnl
')
########################################
##
## Mount an automount pseudo filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_mount_autofs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_mount_autofs'($*)) dnl
gen_require(`
type autofs_t;
')
# mount on autofs_t only; remount and unmount are separate interfaces.
allow $1 autofs_t:filesystem mount;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_mount_autofs'($*)) dnl
')
########################################
##
## Mount a FUSE filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_mount_fusefs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_mount_fusefs'($*)) dnl
gen_require(`
type fusefs_t;
')
# mount only; access to objects on fusefs_t is covered by the
# fs_*_fusefs_* interfaces below.
allow $1 fusefs_t:filesystem mount;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_mount_fusefs'($*)) dnl
')
########################################
##
## Create, read, write, and delete files
## on a FUSEFS filesystem.
##
##
##
## Domain allowed access.
##
##
##
#
define(`fs_manage_fusefs_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_fusefs_files'($*)) dnl
gen_require(`
type fusefs_t;
')
# Full create/read/write/delete of files on fusefs_t via
# manage_files_pattern, with fusefs_t as both the directory and file type.
manage_files_pattern($1,fusefs_t,fusefs_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_fusefs_files'($*)) dnl
')
########################################
##
## Read files on a FUSEFS filesystem.
##
##
##
## Domain allowed access.
##
##
##
#
define(`fs_read_fusefs_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_read_fusefs_files'($*)) dnl
gen_require(`
type fusefs_t;
')
# Read-only via read_files_pattern on fusefs_t files; symlinks are
# fs_read_fusefs_symlinks.
read_files_pattern($1,fusefs_t,fusefs_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_read_fusefs_files'($*)) dnl
')
########################################
##
## Read symbolic links on a FUSEFS filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_read_fusefs_symlinks',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_read_fusefs_symlinks'($*)) dnl
gen_require(`
type fusefs_t;
')
# list_dir_perms plus read of lnk_file: unlike fs_read_fusefs_files this
# also lets the caller list fusefs_t directories.
allow $1 fusefs_t:dir list_dir_perms;
read_lnk_files_pattern($1,fusefs_t,fusefs_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_read_fusefs_symlinks'($*)) dnl
')
########################################
##
## Remount an automount pseudo filesystem.
## This allows some mount options to be changed.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_remount_autofs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_remount_autofs'($*)) dnl
gen_require(`
type autofs_t;
')
# remount only; does not include mount or unmount.
allow $1 autofs_t:filesystem remount;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_remount_autofs'($*)) dnl
')
########################################
##
## Unmount an automount pseudo filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_unmount_autofs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_unmount_autofs'($*)) dnl
gen_require(`
type autofs_t;
')
# unmount only.
allow $1 autofs_t:filesystem unmount;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_unmount_autofs'($*)) dnl
')
########################################
##
## Get the attributes of an automount
## pseudo filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_getattr_autofs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_autofs'($*)) dnl
gen_require(`
type autofs_t;
')
# getattr on the filesystem class only; directory access on autofs_t is
# fs_search_auto_mountpoints / fs_list_auto_mountpoints.
allow $1 autofs_t:filesystem getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_autofs'($*)) dnl
')
########################################
##
## Search automount filesystem to use automatically
## mounted filesystems.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_search_auto_mountpoints',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_search_auto_mountpoints'($*)) dnl
gen_require(`
type autofs_t;
')
# Literal { getattr search } rather than the search_dir_perms set used by
# the other search interfaces in this file (e.g. files_list_spool); the two
# differ if search_dir_perms contains additional permissions.
allow $1 autofs_t:dir { getattr search };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_search_auto_mountpoints'($*)) dnl
')
########################################
##
## Read directories of automatically
## mounted filesystems.
##
##
##
## Domain allowed access.
##
##
##
#
define(`fs_list_auto_mountpoints',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_list_auto_mountpoints'($*)) dnl
gen_require(`
type autofs_t;
')
# Read-only listing (r_dir_perms) of autofs_t directories.
allow $1 autofs_t:dir r_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_list_auto_mountpoints'($*)) dnl
')
########################################
##
## Do not audit attempts to list directories of automatically
## mounted filesystems.
##
##
##
## Domain to not audit.
##
##
#
define(`fs_dontaudit_list_auto_mountpoints',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_list_auto_mountpoints'($*)) dnl
gen_require(`
type autofs_t;
')
# Audit suppression for the same permission set fs_list_auto_mountpoints
# grants; no access is granted here.
dontaudit $1 autofs_t:dir r_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_list_auto_mountpoints'($*)) dnl
')
########################################
##
## Create, read, write, and delete symbolic links
## on an autofs filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_manage_autofs_symlinks',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_autofs_symlinks'($*)) dnl
gen_require(`
type autofs_t;
')
# rw_dir_perms on autofs_t plus create_lnk_perms: the caller can add,
# replace and remove symlinks on the autofs filesystem. Only lnk_file is
# covered; regular files on autofs_t are not.
allow $1 autofs_t:dir rw_dir_perms;
allow $1 autofs_t:lnk_file create_lnk_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_autofs_symlinks'($*)) dnl
')
########################################
##
## Get the attributes of directories on
## binfmt_misc filesystems.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_getattr_binfmt_misc_dirs',` dnl
dnl Interface: let the domain in arg 1 stat directories labeled binfmt_misc_t.
dnl NOTE(review): this requires binfmt_misc_t, whereas
dnl fs_register_binary_executable_type below requires binfmt_misc_fs_t;
dnl confirm both types are declared in the filesystem module.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_binfmt_misc_dirs'($*)) dnl
gen_require(`
type binfmt_misc_t;
')
allow $1 binfmt_misc_t:dir getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_binfmt_misc_dirs'($*)) dnl
')
########################################
##
## Register an interpreter for new binary
## file types, using the kernel binfmt_misc
## support.
##
##
##
## Register an interpreter for new binary
## file types, using the kernel binfmt_misc
## support.
##
##
## A common use for this is to
## register a JVM as an interpreter for
## Java byte code. Registered binaries
## can be directly executed on a command line
## without specifying the interpreter.
##
##
##
##
## Domain allowed access.
##
##
##
#
define(`fs_register_binary_executable_type',` dnl
dnl Interface: let the domain in arg 1 write to the binfmt_misc filesystem
dnl (search/getattr on its directory, read/write/ioctl/getattr on its files).
dnl Security note: writing here registers a new interpreter for a binary
dnl format system-wide, so the caller can decide which program runs for
dnl matching files executed by any user -- grant only to trusted domains.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_register_binary_executable_type'($*)) dnl
gen_require(`
type binfmt_misc_fs_t;
')
allow $1 binfmt_misc_fs_t:dir { getattr search };
allow $1 binfmt_misc_fs_t:file { getattr ioctl write read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_register_binary_executable_type'($*)) dnl
')
########################################
##
## Mount a CIFS or SMB network filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_mount_cifs',` dnl
dnl Interface: let the domain in arg 1 mount a filesystem labeled cifs_t.
dnl Depth bookkeeping is for the policy_m4_comment trace only.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_mount_cifs'($*)) dnl
gen_require(`
type cifs_t;
')
allow $1 cifs_t:filesystem mount;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_mount_cifs'($*)) dnl
')
########################################
##
## Remount a CIFS or SMB network filesystem.
## This allows some mount options to be changed.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_remount_cifs',` dnl
dnl Interface: let the domain in arg 1 remount a cifs_t filesystem.
dnl Remount changes mount options on an already-mounted filesystem;
dnl NOTE(review): presumably this includes security-relevant options such
dnl as noexec/nosuid -- confirm before granting to a low-trust domain.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_remount_cifs'($*)) dnl
gen_require(`
type cifs_t;
')
allow $1 cifs_t:filesystem remount;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_remount_cifs'($*)) dnl
')
########################################
##
## Unmount a CIFS or SMB network filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_unmount_cifs',` dnl
dnl Interface: let the domain in arg 1 unmount a cifs_t filesystem.
dnl Depth bookkeeping is for the policy_m4_comment trace only.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_unmount_cifs'($*)) dnl
gen_require(`
type cifs_t;
')
allow $1 cifs_t:filesystem unmount;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_unmount_cifs'($*)) dnl
')
########################################
##
## Get the attributes of a CIFS or
## SMB network filesystem.
##
##
##
## Domain allowed access.
##
##
##
#
define(`fs_getattr_cifs',` dnl
dnl Interface: let the domain in arg 1 get attributes of a cifs_t
dnl filesystem (filesystem-class getattr, e.g. statfs; not file access).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_cifs'($*)) dnl
gen_require(`
type cifs_t;
')
allow $1 cifs_t:filesystem getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_cifs'($*)) dnl
')
########################################
##
## Search directories on a CIFS or SMB filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_search_cifs',` dnl
dnl Interface: let the domain in arg 1 traverse (search) cifs_t directories.
dnl Only the search permission is granted, so the domain can pass through
dnl directories by name but not list them.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_search_cifs'($*)) dnl
gen_require(`
type cifs_t;
')
allow $1 cifs_t:dir search;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_search_cifs'($*)) dnl
')
########################################
##
## List the contents of directories on a
## CIFS or SMB filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_list_cifs',` dnl
dnl Interface: let the domain in arg 1 list cifs_t directories
dnl (r_dir_perms, defined elsewhere in this file).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_list_cifs'($*)) dnl
gen_require(`
type cifs_t;
')
allow $1 cifs_t:dir r_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_list_cifs'($*)) dnl
')
########################################
##
## Do not audit attempts to list the contents
## of directories on a CIFS or SMB filesystem.
##
##
##
## Domain to not audit.
##
##
#
define(`fs_dontaudit_list_cifs',` dnl
dnl Interface: suppress AVC denial records for the domain in arg 1 listing
dnl cifs_t directories.  No access is granted; only the audit record is
dnl dropped, so keep this to domains whose probing is known to be benign.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_list_cifs'($*)) dnl
gen_require(`
type cifs_t;
')
dontaudit $1 cifs_t:dir r_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_list_cifs'($*)) dnl
')
########################################
##
## Read files on a CIFS or SMB filesystem.
##
##
##
## Domain allowed access.
##
##
##
#
define(`fs_read_cifs_files',` dnl
dnl Interface: let the domain in arg 1 list cifs_t directories and read
dnl cifs_t regular files.  Note that the content comes from a network
dnl server; the caller must treat it as untrusted input.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_read_cifs_files'($*)) dnl
gen_require(`
type cifs_t;
')
allow $1 cifs_t:dir r_dir_perms;
allow $1 cifs_t:file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_read_cifs_files'($*)) dnl
')
########################################
##
## Get the attributes of filesystems that
## do not have extended attribute support.
##
##
##
## Domain allowed access.
##
##
##
#
define(`fs_getattr_noxattr_fs',` dnl
dnl Interface: let the domain in arg 1 get filesystem attributes of every
dnl filesystem type carrying the noxattrfs attribute (filesystems without
dnl extended-attribute label support).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_noxattr_fs'($*)) dnl
gen_require(`
attribute noxattrfs;
')
allow $1 noxattrfs:filesystem getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_noxattr_fs'($*)) dnl
')
########################################
##
## List (read) the contents of all noxattrfs directories.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_list_noxattr_fs',` dnl
dnl Interface: let the domain in arg 1 list directories on every
dnl noxattrfs filesystem type.  Because the target is an attribute, this
dnl rule applies to all types that carry it, present and future.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_list_noxattr_fs'($*)) dnl
gen_require(`
attribute noxattrfs;
')
allow $1 noxattrfs:dir r_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_list_noxattr_fs'($*)) dnl
')
########################################
##
## Create, read, write, and delete all noxattrfs directories.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_manage_noxattr_fs_dirs',` dnl
dnl Interface: let the domain in arg 1 create, read, write and delete
dnl directories on every noxattrfs filesystem type (manage_dir_perms is
dnl defined elsewhere in this file).  Broad: it covers all such filesystems.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_noxattr_fs_dirs'($*)) dnl
gen_require(`
attribute noxattrfs;
')
allow $1 noxattrfs:dir manage_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_noxattr_fs_dirs'($*)) dnl
')
########################################
##
## Read all noxattrfs files.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_read_noxattr_fs_files',` dnl
dnl Interface: let the domain in arg 1 read regular files on every
dnl noxattrfs filesystem type.  Directories get search_dir_perms only
dnl (traversal, not listing); files get r_file_perms.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_read_noxattr_fs_files'($*)) dnl
gen_require(`
attribute noxattrfs;
')
allow $1 noxattrfs:dir search_dir_perms;
allow $1 noxattrfs:file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_read_noxattr_fs_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete all noxattrfs files.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_manage_noxattr_fs_files',` dnl
dnl Interface: let the domain in arg 1 create, read, write and delete
dnl regular files on every noxattrfs filesystem type.  rw_dir_perms on the
dnl directory is what allows adding and removing the file names.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_noxattr_fs_files'($*)) dnl
gen_require(`
attribute noxattrfs;
')
allow $1 noxattrfs:dir rw_dir_perms;
allow $1 noxattrfs:file manage_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_noxattr_fs_files'($*)) dnl
')
########################################
##
## Read all noxattrfs symbolic links.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_read_noxattr_fs_symlinks',` dnl
dnl Interface: let the domain in arg 1 read symbolic links on every
dnl noxattrfs filesystem type (directory traversal plus r_file_perms
dnl applied to the lnk_file class).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_read_noxattr_fs_symlinks'($*)) dnl
gen_require(`
attribute noxattrfs;
')
allow $1 noxattrfs:dir search_dir_perms;
allow $1 noxattrfs:lnk_file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_read_noxattr_fs_symlinks'($*)) dnl
')
########################################
##
## Do not audit attempts to read
## files on a CIFS or SMB filesystem.
##
##
##
## Domain to not audit.
##
##
#
define(`fs_dontaudit_read_cifs_files',` dnl
dnl Interface: suppress AVC denial records for the domain in arg 1 reading
dnl cifs_t regular files.  Grants nothing; only the file class is covered,
dnl so directory-level denials are still logged.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_read_cifs_files'($*)) dnl
gen_require(`
type cifs_t;
')
dontaudit $1 cifs_t:file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_read_cifs_files'($*)) dnl
')
########################################
##
## Do not audit attempts to read or
## write files on a CIFS or SMB filesystem.
##
##
##
## Domain to not audit.
##
##
#
define(`fs_dontaudit_rw_cifs_files',` dnl
dnl Interface: suppress AVC denial records for the domain in arg 1 reading
dnl or writing cifs_t regular files.  Only the bare read and write
dnl permissions are silenced, not the full r/rw permission sets.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_rw_cifs_files'($*)) dnl
gen_require(`
type cifs_t;
')
dontaudit $1 cifs_t:file { read write };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_rw_cifs_files'($*)) dnl
')
########################################
##
## Read symbolic links on a CIFS or SMB filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_read_cifs_symlinks',` dnl
dnl Interface: let the domain in arg 1 list cifs_t directories and read
dnl cifs_t symbolic links.  Link targets are chosen by the CIFS server, so
dnl the caller should not assume they point inside the share.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_read_cifs_symlinks'($*)) dnl
gen_require(`
type cifs_t;
')
allow $1 cifs_t:dir r_dir_perms;
allow $1 cifs_t:lnk_file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_read_cifs_symlinks'($*)) dnl
')
########################################
##
## Execute files on a CIFS or SMB
## network filesystem, in the caller
## domain.
##
##
##
## Domain allowed access.
##
##
##
#
define(`fs_exec_cifs_files',` dnl
dnl Interface: let the domain in arg 1 list cifs_t directories and execute
dnl cifs_t files in its own domain (can_exec is defined elsewhere; no
dnl domain transition occurs).  Security note: code loaded this way is
dnl supplied by a network server, so the caller domain extends its full
dnl trust to that server and to anyone who can write to the share.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_exec_cifs_files'($*)) dnl
gen_require(`
type cifs_t;
')
allow $1 cifs_t:dir r_dir_perms;
can_exec($1, cifs_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_exec_cifs_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete directories
## on a CIFS or SMB network filesystem.
##
##
##
## Domain allowed access.
##
##
##
#
define(`fs_manage_cifs_dirs',` dnl
dnl Interface: let the domain in arg 1 create, read, write and delete
dnl cifs_t directories.  NOTE(review): this uses create_dir_perms while the
dnl noxattrfs and dosfs counterparts use manage_dir_perms; presumably both
dnl sets exist in this policy version -- confirm they are equivalent.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_cifs_dirs'($*)) dnl
gen_require(`
type cifs_t;
')
allow $1 cifs_t:dir create_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_cifs_dirs'($*)) dnl
')
########################################
##
## Do not audit attempts to create, read,
## write, and delete directories
## on a CIFS or SMB network filesystem.
##
##
##
## Domain to not audit.
##
##
#
define(`fs_dontaudit_manage_cifs_dirs',` dnl
dnl Interface: suppress AVC denial records for the domain in arg 1
dnl attempting to create, read, write or delete cifs_t directories.
dnl Grants nothing; arg 1 is the domain to not audit.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_manage_cifs_dirs'($*)) dnl
gen_require(`
type cifs_t;
')
dontaudit $1 cifs_t:dir create_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_manage_cifs_dirs'($*)) dnl
')
########################################
##
## Create, read, write, and delete files
## on a CIFS or SMB network filesystem.
##
##
##
## Domain allowed access.
##
##
##
#
define(`fs_manage_cifs_files',` dnl
dnl Interface: let the domain in arg 1 create, read, write and delete
dnl cifs_t regular files; rw_dir_perms on the directory covers adding and
dnl removing the names.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_cifs_files'($*)) dnl
gen_require(`
type cifs_t;
')
allow $1 cifs_t:dir rw_dir_perms;
allow $1 cifs_t:file create_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_cifs_files'($*)) dnl
')
########################################
##
## Do not audit attempts to create, read,
## write, and delete files
## on a CIFS or SMB network filesystem.
##
##
##
## Domain to not audit.
##
##
#
define(`fs_dontaudit_manage_cifs_files',` dnl
dnl Interface: suppress AVC denial records for the domain in arg 1
dnl attempting to create, read, write or delete cifs_t regular files.
dnl Only the file class is silenced; directory denials remain audited.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_manage_cifs_files'($*)) dnl
gen_require(`
type cifs_t;
')
dontaudit $1 cifs_t:file create_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_manage_cifs_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete symbolic links
## on a CIFS or SMB network filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_manage_cifs_symlinks',` dnl
dnl Interface: let the domain in arg 1 create, read, write and delete
dnl cifs_t symbolic links; rw_dir_perms on the directory covers adding and
dnl removing the link names.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_cifs_symlinks'($*)) dnl
gen_require(`
type cifs_t;
')
allow $1 cifs_t:dir rw_dir_perms;
allow $1 cifs_t:lnk_file create_lnk_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_cifs_symlinks'($*)) dnl
')
########################################
##
## Create, read, write, and delete named pipes
## on a CIFS or SMB network filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_manage_cifs_named_pipes',` dnl
dnl Interface: let the domain in arg 1 create, read, write and delete
dnl named pipes (fifo_file) on cifs_t; rw_dir_perms on the directory
dnl covers adding and removing the names.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_cifs_named_pipes'($*)) dnl
gen_require(`
type cifs_t;
')
allow $1 cifs_t:dir rw_dir_perms;
allow $1 cifs_t:fifo_file create_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_cifs_named_pipes'($*)) dnl
')
########################################
##
## Create, read, write, and delete named sockets
## on a CIFS or SMB network filesystem.
##
##
##
## Domain allowed access.
##
##
#
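define(`fs_manage_cifs_named_sockets',` dnl
dnl Interface: let the domain in arg 1 create, read, write and delete
dnl named sockets (sock_file) on cifs_t.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_cifs_named_sockets'($*)) dnl
gen_require(`
type cifs_t;
')
dnl Fix: the directory rule previously used rw_file_perms, the regular-file
dnl permission set.  Creating or unlinking a socket node needs the
dnl directory set (rw_dir_perms), which is what the sibling named-pipe and
dnl symlink interfaces grant on cifs_t:dir; without it the sock_file rule
dnl below could not actually be used to create or remove sockets.
allow $1 cifs_t:dir rw_dir_perms;
allow $1 cifs_t:sock_file create_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_cifs_named_sockets'($*)) dnl
')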
########################################
##
## Execute a file on a CIFS or SMB filesystem
## in the specified domain.
##
##
##
## Execute a file on a CIFS or SMB filesystem
## in the specified domain. This allows
## the specified domain to execute any file
## on these filesystems in the specified
## domain. This is not suggested.
##
##
## No interprocess communication (signals, pipes,
## etc.) is provided by this interface since
## the domains are not owned by this module.
##
##
## This interface was added to handle
## home directories on CIFS/SMB filesystems,
## in particular used by the ssh-agent policy.
##
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the new process.
##
##
#
define(`fs_cifs_domtrans',` dnl
dnl Interface: when the domain in arg 1 executes any cifs_t file, the new
dnl process runs in the domain given by arg 2 (domain_auto_trans is defined
dnl elsewhere).  Security note: the entrypoint is every file on the share,
dnl so the CIFS server (and any writer to it) chooses what runs as arg 2.
dnl Only dir search is granted here; callers need their own read access.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_cifs_domtrans'($*)) dnl
gen_require(`
type cifs_t;
')
allow $1 cifs_t:dir search;
domain_auto_trans($1,cifs_t,$2)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_cifs_domtrans'($*)) dnl
')
########################################
##
## Mount a DOS filesystem, such as
## FAT32 or NTFS.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_mount_dos_fs',` dnl
dnl Interface: let the domain in arg 1 mount a filesystem labeled dosfs_t.
dnl Depth bookkeeping is for the policy_m4_comment trace only.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_mount_dos_fs'($*)) dnl
gen_require(`
type dosfs_t;
')
allow $1 dosfs_t:filesystem mount;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_mount_dos_fs'($*)) dnl
')
########################################
##
## Remount a DOS filesystem, such as
## FAT32 or NTFS. This allows
## some mount options to be changed.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_remount_dos_fs',` dnl
dnl Interface: let the domain in arg 1 remount a dosfs_t filesystem,
dnl i.e. change mount options on an existing mount.  NOTE(review): which
dnl options the kernel lets remount alter is not visible here -- confirm.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_remount_dos_fs'($*)) dnl
gen_require(`
type dosfs_t;
')
allow $1 dosfs_t:filesystem remount;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_remount_dos_fs'($*)) dnl
')
########################################
##
## Unmount a DOS filesystem, such as
## FAT32 or NTFS.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_unmount_dos_fs',` dnl
dnl Interface: let the domain in arg 1 unmount a dosfs_t filesystem.
dnl Depth bookkeeping is for the policy_m4_comment trace only.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_unmount_dos_fs'($*)) dnl
gen_require(`
type dosfs_t;
')
allow $1 dosfs_t:filesystem unmount;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_unmount_dos_fs'($*)) dnl
')
########################################
##
## Get the attributes of a DOS
## filesystem, such as FAT32 or NTFS.
##
##
##
## Domain allowed access.
##
##
##
#
define(`fs_getattr_dos_fs',` dnl
dnl Interface: let the domain in arg 1 get filesystem-class attributes of
dnl a dosfs_t filesystem (no access to its files or directories).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_dos_fs'($*)) dnl
gen_require(`
type dosfs_t;
')
allow $1 dosfs_t:filesystem getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_dos_fs'($*)) dnl
')
########################################
##
## Allow changing of the label of a
## DOS filesystem using the context= mount option.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_relabelfrom_dos_fs',` dnl
dnl Interface: let the domain in arg 1 relabel a filesystem away from
dnl dosfs_t (used with the context= mount option).  Only relabelfrom is
dnl granted; the caller still needs relabelto on the destination
dnl filesystem type from some other rule, so this alone is not sufficient.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_relabelfrom_dos_fs'($*)) dnl
gen_require(`
type dosfs_t;
')
allow $1 dosfs_t:filesystem relabelfrom;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_relabelfrom_dos_fs'($*)) dnl
')
########################################
##
## Create, read, write, and delete files
## on a DOS filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_manage_dos_files',` dnl
dnl Interface: let the domain in arg 1 create, read, write and delete
dnl both directories and regular files on dosfs_t.  Note this grants
dnl manage_dir_perms (full directory management), not just rw_dir_perms
dnl as the cifs file-management interfaces do -- broader than the name implies.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_dos_files'($*)) dnl
gen_require(`
type dosfs_t;
')
allow $1 dosfs_t:dir manage_dir_perms;
allow $1 dosfs_t:file manage_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_dos_files'($*)) dnl
')
########################################
##
## Read files
## on a DOS filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_read_dos_files',` dnl
dnl Interface: let the domain in arg 1 list dosfs_t directories and read
dnl dosfs_t regular files.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_read_dos_files'($*)) dnl
gen_require(`
type dosfs_t;
')
allow $1 dosfs_t:dir r_dir_perms;
allow $1 dosfs_t:file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_read_dos_files'($*)) dnl
')
########################################
##
## Read eventpollfs files.
##
##
##
## Read eventpollfs files
##
##
## This interface has been deprecated, and will
## be removed in the future.
##
##
##
##
## Domain allowed access.
##
##
#
define(`fs_read_eventpollfs',` dnl
dnl Interface (deprecated): emits no policy rules at all.  The only effect
dnl is a build-time warning via refpolicywarn naming the caller; arg 1 is
dnl accepted for compatibility and ignored.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_read_eventpollfs'($*)) dnl
refpolicywarn(`$0($*) has been deprecated.')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_read_eventpollfs'($*)) dnl
')
########################################
##
## Search inotifyfs filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_search_inotifyfs',` dnl
dnl Interface: let the domain in arg 1 traverse inotifyfs_t directories
dnl (search_dir_perms, defined elsewhere in this file; no listing).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_search_inotifyfs'($*)) dnl
gen_require(`
type inotifyfs_t;
')
allow $1 inotifyfs_t:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_search_inotifyfs'($*)) dnl
')
########################################
##
## List inotifyfs filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_list_inotifyfs',` dnl
dnl Interface: let the domain in arg 1 list inotifyfs_t directories
dnl (r_dir_perms, defined elsewhere in this file).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_list_inotifyfs'($*)) dnl
gen_require(`
type inotifyfs_t;
')
allow $1 inotifyfs_t:dir r_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_list_inotifyfs'($*)) dnl
')
########################################
##
## Mount an iso9660 filesystem, which
## is usually used on CDs.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_mount_iso9660_fs',` dnl
dnl Interface: let the domain in arg 1 mount a filesystem labeled iso9660_t.
dnl Depth bookkeeping is for the policy_m4_comment trace only.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_mount_iso9660_fs'($*)) dnl
gen_require(`
type iso9660_t;
')
allow $1 iso9660_t:filesystem mount;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_mount_iso9660_fs'($*)) dnl
')
########################################
##
## Remount an iso9660 filesystem, which
## is usually used on CDs. This allows
## some mount options to be changed.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_remount_iso9660_fs',` dnl
dnl Interface: let the domain in arg 1 remount an iso9660_t filesystem,
dnl i.e. change mount options on an existing mount.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_remount_iso9660_fs'($*)) dnl
gen_require(`
type iso9660_t;
')
allow $1 iso9660_t:filesystem remount;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_remount_iso9660_fs'($*)) dnl
')
########################################
##
## Unmount an iso9660 filesystem, which
## is usually used on CDs.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_unmount_iso9660_fs',` dnl
dnl Interface: let the domain in arg 1 unmount an iso9660_t filesystem.
dnl Depth bookkeeping is for the policy_m4_comment trace only.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_unmount_iso9660_fs'($*)) dnl
gen_require(`
type iso9660_t;
')
allow $1 iso9660_t:filesystem unmount;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_unmount_iso9660_fs'($*)) dnl
')
########################################
##
## Get the attributes of an iso9660
## filesystem, which is usually used on CDs.
##
##
##
## Domain allowed access.
##
##
##
#
define(`fs_getattr_iso9660_fs',` dnl
dnl Interface: let the domain in arg 1 get filesystem-class attributes of
dnl an iso9660_t filesystem (no access to its contents).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_iso9660_fs'($*)) dnl
gen_require(`
type iso9660_t;
')
allow $1 iso9660_t:filesystem getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_iso9660_fs'($*)) dnl
')
########################################
##
## Read files on an iso9660 filesystem, which
## is usually used on CDs.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_read_iso9660_files',` dnl
dnl Interface: let the domain in arg 1 list directories, read regular
dnl files and read symlinks on iso9660_t.  Unlike the cifs/dos readers
dnl this uses list_dir_perms/read_file_perms and an explicit
dnl { getattr read } for lnk_file rather than r_file_perms.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_read_iso9660_files'($*)) dnl
gen_require(`
type iso9660_t;
')
allow $1 iso9660_t:dir list_dir_perms;
allow $1 iso9660_t:file read_file_perms;
allow $1 iso9660_t:lnk_file { getattr read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_read_iso9660_files'($*)) dnl
')
########################################
##
## Mount a NFS filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_mount_nfs',` dnl
dnl Interface: let the domain in arg 1 mount a filesystem labeled nfs_t.
dnl Depth bookkeeping is for the policy_m4_comment trace only.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_mount_nfs'($*)) dnl
gen_require(`
type nfs_t;
')
allow $1 nfs_t:filesystem mount;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_mount_nfs'($*)) dnl
')
########################################
##
## Remount a NFS filesystem. This allows
## some mount options to be changed.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_remount_nfs',` dnl
dnl Interface: let the domain in arg 1 remount an nfs_t filesystem,
dnl i.e. change mount options on an existing mount.  NOTE(review):
dnl presumably security-relevant options (noexec/nosuid) are among them --
dnl confirm before granting to a low-trust domain.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_remount_nfs'($*)) dnl
gen_require(`
type nfs_t;
')
allow $1 nfs_t:filesystem remount;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_remount_nfs'($*)) dnl
')
########################################
##
## Unmount a NFS filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_unmount_nfs',` dnl
dnl Interface: let the domain in arg 1 unmount an nfs_t filesystem.
dnl Depth bookkeeping is for the policy_m4_comment trace only.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_unmount_nfs'($*)) dnl
gen_require(`
type nfs_t;
')
allow $1 nfs_t:filesystem unmount;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_unmount_nfs'($*)) dnl
')
########################################
##
## Get the attributes of a NFS filesystem.
##
##
##
## Domain allowed access.
##
##
##
#
define(`fs_getattr_nfs',` dnl
dnl Allow the domain in arg 1 to get attributes of the nfs_t filesystem
dnl object itself (filesystem:getattr, presumably statfs-style queries).
dnl No access to directories or files on the mount is granted.
dnl Depth lines around the rule are build tracing only.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_nfs'($*)) dnl
gen_require(`
type nfs_t;
')
allow $1 nfs_t:filesystem getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_nfs'($*)) dnl
')
########################################
##
## Search directories on a NFS filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_search_nfs',` dnl
dnl Allow the domain in arg 1 to traverse nfs_t directories (dir:search
dnl only). This permits path lookup through the mount but not listing;
dnl listing is fs_list_nfs.
dnl Depth lines around the rule are build tracing only.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_search_nfs'($*)) dnl
gen_require(`
type nfs_t;
')
allow $1 nfs_t:dir search;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_search_nfs'($*)) dnl
')
########################################
##
## List NFS filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_list_nfs',` dnl
dnl Allow the domain in arg 1 to list nfs_t directories. r_dir_perms is
dnl the shared read-directory permission set defined outside this chunk;
dnl it is expected to include read (listing) as well as search.
dnl Depth lines around the rule are build tracing only.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_list_nfs'($*)) dnl
gen_require(`
type nfs_t;
')
allow $1 nfs_t:dir r_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_list_nfs'($*)) dnl
')
########################################
##
## Do not audit attempts to list the contents
## of directories on a NFS filesystem.
##
##
##
## Domain to not audit.
##
##
#
define(`fs_dontaudit_list_nfs',` dnl
dnl Suppress AVC denial messages when the domain in arg 1 attempts
dnl r_dir_perms on nfs_t directories. dontaudit grants nothing; it only
dnl hides the denials from the audit log, so use it only for known-benign
dnl probing that would otherwise flood the log.
dnl Depth lines around the rule are build tracing only.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_list_nfs'($*)) dnl
gen_require(`
type nfs_t;
')
dontaudit $1 nfs_t:dir r_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_list_nfs'($*)) dnl
')
########################################
##
## Read files on a NFS filesystem.
##
##
##
## Domain allowed access.
##
##
##
#
define(`fs_read_nfs_files',` dnl
dnl Allow the domain in arg 1 to read regular files on nfs_t mounts:
dnl r_dir_perms on directories (lookup and listing) plus r_file_perms on
dnl files. Both permission sets are defined outside this chunk.
dnl Depth lines around the rules are build tracing only.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_read_nfs_files'($*)) dnl
gen_require(`
type nfs_t;
')
allow $1 nfs_t:dir r_dir_perms;
allow $1 nfs_t:file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_read_nfs_files'($*)) dnl
')
########################################
##
## Do not audit attempts to read
## files on a NFS filesystem.
##
##
##
## Domain to not audit.
##
##
#
define(`fs_dontaudit_read_nfs_files',` dnl
dnl Suppress AVC denials for the domain in arg 1 attempting r_file_perms
dnl on nfs_t regular files. Grants nothing. Note that only the file class
dnl is covered; directory search/list denials are still audited.
dnl Depth lines around the rule are build tracing only.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_read_nfs_files'($*)) dnl
gen_require(`
type nfs_t;
')
dontaudit $1 nfs_t:file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_read_nfs_files'($*)) dnl
')
########################################
##
## Write files on a NFS filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_write_nfs_files',` dnl
dnl Allow the domain in arg 1 to write regular files on nfs_t mounts.
dnl Directories get r_dir_perms, but files get the bare write permission
dnl only: no getattr, read, append or lock. A caller that must open a file
dnl for read/write will also need fs_read_nfs_files (or a manage
dnl interface); this interface is deliberately narrower.
dnl Depth lines around the rules are build tracing only.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_write_nfs_files'($*)) dnl
gen_require(`
type nfs_t;
')
allow $1 nfs_t:dir r_dir_perms;
allow $1 nfs_t:file write;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_write_nfs_files'($*)) dnl
')
########################################
##
## Execute files on a NFS filesystem.
##
##
##
## Domain allowed access.
##
##
##
#
define(`fs_exec_nfs_files',` dnl
dnl Allow the domain in arg 1 to execute files on nfs_t mounts in its own
dnl domain (no transition). can_exec is defined outside this chunk and is
dnl expected to expand to the execute-related file permissions on nfs_t.
dnl Security note: every file on every NFS mount shares the nfs_t type, so
dnl this lets the caller run arbitrary network-served content as itself;
dnl the local policy cannot distinguish trusted from untrusted files there.
dnl Depth lines around the rules are build tracing only.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_exec_nfs_files'($*)) dnl
gen_require(`
type nfs_t;
')
allow $1 nfs_t:dir r_dir_perms;
can_exec($1, nfs_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_exec_nfs_files'($*)) dnl
')
########################################
##
## Do not audit attempts to read or
## write files on a NFS filesystem.
##
##
##
## Domain to not audit.
##
##
#
define(`fs_dontaudit_rw_nfs_files',` dnl
dnl Suppress AVC denials for the domain in arg 1 attempting read or write
dnl on nfs_t regular files. Grants nothing; only file:read and file:write
dnl are silenced, not getattr or the directory permissions.
dnl Depth lines around the rule are build tracing only.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_rw_nfs_files'($*)) dnl
gen_require(`
type nfs_t;
')
dontaudit $1 nfs_t:file { read write };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_rw_nfs_files'($*)) dnl
')
########################################
##
## Read symbolic links on a NFS filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_read_nfs_symlinks',` dnl
dnl Allow the domain in arg 1 to read symbolic links on nfs_t mounts:
dnl r_dir_perms on directories plus r_file_perms on the lnk_file class.
dnl Note the other symlink interfaces in this file (removable, rpc) use
dnl the explicit { getattr read } set instead of r_file_perms; any extra
dnl permissions in r_file_perms are simply inapplicable to symlinks.
dnl Depth lines around the rules are build tracing only.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_read_nfs_symlinks'($*)) dnl
gen_require(`
type nfs_t;
')
allow $1 nfs_t:dir r_dir_perms;
allow $1 nfs_t:lnk_file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_read_nfs_symlinks'($*)) dnl
')
########################################
##
## Get the attributes of directories of RPC file system pipes.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_getattr_rpc_dirs',` dnl
dnl Allow the domain in arg 1 to stat directories on the rpc_pipefs_t
dnl pseudo filesystem (dir:getattr only). Neither search nor listing is
dnl granted; see fs_search_rpc and fs_list_rpc.
dnl Depth lines around the rule are build tracing only.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_rpc_dirs'($*)) dnl
gen_require(`
type rpc_pipefs_t;
')
allow $1 rpc_pipefs_t:dir getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_rpc_dirs'($*)) dnl
')
########################################
##
## Search directories of RPC file system pipes.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_search_rpc',` dnl
dnl Allow the domain in arg 1 to traverse rpc_pipefs_t directories.
dnl search_dir_perms is defined outside this chunk (expected: search plus
dnl getattr, without read/listing).
dnl Depth lines around the rule are build tracing only.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_search_rpc'($*)) dnl
gen_require(`
type rpc_pipefs_t;
')
allow $1 rpc_pipefs_t:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_search_rpc'($*)) dnl
')
########################################
##
## Search removable storage directories.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_search_removable',` dnl
dnl Allow the domain in arg 1 to look up paths on removable_t media.
dnl The set is { getattr read search }; because read on the dir class is
dnl directory listing, this is effectively list access as well, i.e. the
dnl same set fs_list_rpc grants, despite the search name.
dnl Depth lines around the rule are build tracing only.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_search_removable'($*)) dnl
gen_require(`
type removable_t;
')
allow $1 removable_t:dir { getattr read search };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_search_removable'($*)) dnl
')
########################################
##
## Do not audit attempts to list removable storage directories.
##
##
##
## Domain not to audit.
##
##
#
define(`fs_dontaudit_list_removable',` dnl
dnl Suppress AVC denials for the domain in arg 1 attempting r_dir_perms on
dnl removable_t directories. Grants nothing; only hides the denials.
dnl Depth lines around the rule are build tracing only.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_list_removable'($*)) dnl
gen_require(`
type removable_t;
')
dontaudit $1 removable_t:dir r_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_list_removable'($*)) dnl
')
########################################
##
## Read removable storage files.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_read_removable_files',` dnl
dnl Allow the domain in arg 1 to read regular files on removable_t media
dnl (file:{ read getattr }). No directory permission is granted here, so a
dnl caller that needs to reach the files by path must also call
dnl fs_search_removable.
dnl Depth lines around the rule are build tracing only.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_read_removable_files'($*)) dnl
gen_require(`
type removable_t;
')
allow $1 removable_t:file { read getattr };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_read_removable_files'($*)) dnl
')
########################################
##
## Do not audit attempts to read removable storage files.
##
##
##
## Domain not to audit.
##
##
#
define(`fs_dontaudit_read_removable_files',` dnl
dnl Suppress AVC denials for the domain in arg 1 attempting r_file_perms
dnl on removable_t regular files. Grants nothing.
dnl Depth lines around the rule are build tracing only.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_read_removable_files'($*)) dnl
gen_require(`
type removable_t;
')
dontaudit $1 removable_t:file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_read_removable_files'($*)) dnl
')
########################################
##
## Read removable storage symbolic links.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_read_removable_symlinks',` dnl
dnl Allow the domain in arg 1 to read symbolic links on removable_t media
dnl (lnk_file:{ getattr read }). No directory permission is granted;
dnl pair with fs_search_removable for path lookup.
dnl Depth lines around the rule are build tracing only.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_read_removable_symlinks'($*)) dnl
gen_require(`
type removable_t;
')
allow $1 removable_t:lnk_file { getattr read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_read_removable_symlinks'($*)) dnl
')
########################################
##
## List directories of RPC file system pipes.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_list_rpc',` dnl
dnl Allow the domain in arg 1 to list rpc_pipefs_t directories
dnl (dir:{ getattr read search }). This is a superset of fs_search_rpc
dnl and fs_getattr_rpc_dirs.
dnl Depth lines around the rule are build tracing only.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_list_rpc'($*)) dnl
gen_require(`
type rpc_pipefs_t;
')
allow $1 rpc_pipefs_t:dir { getattr read search };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_list_rpc'($*)) dnl
')
########################################
##
## Read files of RPC file system pipes.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_read_rpc_files',` dnl
dnl Allow the domain in arg 1 to read regular files on rpc_pipefs_t
dnl (file:{ read getattr }). No directory permission is granted; pair with
dnl fs_search_rpc or fs_list_rpc.
dnl Depth lines around the rule are build tracing only.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_read_rpc_files'($*)) dnl
gen_require(`
type rpc_pipefs_t;
')
allow $1 rpc_pipefs_t:file { read getattr };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_read_rpc_files'($*)) dnl
')
########################################
##
## Read symbolic links of RPC file system pipes.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_read_rpc_symlinks',` dnl
dnl Allow the domain in arg 1 to read symbolic links on rpc_pipefs_t
dnl (lnk_file:{ getattr read }). No directory permission is granted.
dnl Depth lines around the rule are build tracing only.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_read_rpc_symlinks'($*)) dnl
gen_require(`
type rpc_pipefs_t;
')
allow $1 rpc_pipefs_t:lnk_file { getattr read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_read_rpc_symlinks'($*)) dnl
')
########################################
##
## Read and write sockets of RPC file system pipes.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_read_rpc_sockets',` dnl
dnl Allow the domain in arg 1 access to socket nodes on rpc_pipefs_t.
dnl Despite the read name, the rule grants sock_file:{ read write }, so
dnl callers receive bidirectional access; audit callers accordingly.
dnl No directory permission is granted here.
dnl Depth lines around the rule are build tracing only.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_read_rpc_sockets'($*)) dnl
gen_require(`
type rpc_pipefs_t;
')
allow $1 rpc_pipefs_t:sock_file { read write };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_read_rpc_sockets'($*)) dnl
')
########################################
##
## Create, read, write, and delete directories
## on a NFS filesystem.
##
##
##
## Domain allowed access.
##
##
##
#
define(`fs_manage_nfs_dirs',` dnl
dnl Allow the domain in arg 1 full control of nfs_t directories.
dnl create_dir_perms is defined outside this chunk; it is the older name
dnl for the set that fs_manage_ramfs_dirs spells manage_dir_perms, and is
dnl expected to cover create, read, write, rename and delete.
dnl Depth lines around the rule are build tracing only.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_nfs_dirs'($*)) dnl
gen_require(`
type nfs_t;
')
allow $1 nfs_t:dir create_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_nfs_dirs'($*)) dnl
')
########################################
##
## Do not audit attempts to create, read,
## write, and delete directories
## on a NFS filesystem.
##
##
##
## Domain to not audit.
##
##
#
define(`fs_dontaudit_manage_nfs_dirs',` dnl
dnl Suppress AVC denials for the domain in arg 1 attempting any of
dnl create_dir_perms on nfs_t directories. Grants nothing, but silences a
dnl broad set of write-class denials; prefer narrower dontaudit rules
dnl where the offending permission is known.
dnl Depth lines around the rule are build tracing only.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_manage_nfs_dirs'($*)) dnl
gen_require(`
type nfs_t;
')
dontaudit $1 nfs_t:dir create_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_manage_nfs_dirs'($*)) dnl
')
########################################
##
## Create, read, write, and delete files
## on a NFS filesystem.
##
##
##
## Domain allowed access.
##
##
##
#
define(`fs_manage_nfs_files',` dnl
dnl Allow the domain in arg 1 full control of regular files on nfs_t
dnl mounts: rw_dir_perms on directories (needed to add and remove entries)
dnl plus create_file_perms on files. Both sets are defined outside this
dnl chunk; create_file_perms is the older spelling of manage_file_perms
dnl used by fs_manage_ramfs_files.
dnl Depth lines around the rules are build tracing only.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_nfs_files'($*)) dnl
gen_require(`
type nfs_t;
')
allow $1 nfs_t:dir rw_dir_perms;
allow $1 nfs_t:file create_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_nfs_files'($*)) dnl
')
########################################
##
## Do not audit attempts to create,
## read, write, and delete files
## on a NFS filesystem.
##
##
##
## Domain to not audit.
##
##
#
define(`fs_dontaudit_manage_nfs_files',` dnl
dnl Suppress AVC denials for the domain in arg 1 attempting any of
dnl create_file_perms on nfs_t regular files. Grants nothing; directory
dnl denials are not covered.
dnl Depth lines around the rule are build tracing only.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_manage_nfs_files'($*)) dnl
gen_require(`
type nfs_t;
')
dontaudit $1 nfs_t:file create_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_manage_nfs_files'($*)) dnl
')
#########################################
##
## Create, read, write, and delete symbolic links
## on a NFS filesystem.
##
##
##
## Domain allowed access.
##
##
##
#
define(`fs_manage_nfs_symlinks',` dnl
dnl Allow the domain in arg 1 full control of symbolic links on nfs_t
dnl mounts (NFS, not CIFS): rw_dir_perms on directories plus
dnl create_lnk_perms on the lnk_file class. Both sets are defined outside
dnl this chunk.
dnl Depth lines around the rules are build tracing only.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_nfs_symlinks'($*)) dnl
gen_require(`
type nfs_t;
')
allow $1 nfs_t:dir rw_dir_perms;
allow $1 nfs_t:lnk_file create_lnk_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_nfs_symlinks'($*)) dnl
')
#########################################
##
## Create, read, write, and delete named pipes
## on a NFS filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_manage_nfs_named_pipes',` dnl
dnl Allow the domain in arg 1 full control of named pipes (fifo_file) on
dnl nfs_t mounts: rw_dir_perms on directories plus create_file_perms on
dnl the fifo_file class.
dnl Depth lines around the rules are build tracing only.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_nfs_named_pipes'($*)) dnl
gen_require(`
type nfs_t;
')
allow $1 nfs_t:dir rw_dir_perms;
allow $1 nfs_t:fifo_file create_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_nfs_named_pipes'($*)) dnl
')
#########################################
##
## Create, read, write, and delete named sockets
## on a NFS filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_manage_nfs_named_sockets',` dnl
dnl Allow the domain in arg 1 full control of named sockets (sock_file)
dnl on nfs_t mounts: rw_dir_perms on directories plus create_file_perms
dnl on the sock_file class.
dnl Depth lines around the rules are build tracing only.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_nfs_named_sockets'($*)) dnl
gen_require(`
type nfs_t;
')
allow $1 nfs_t:dir rw_dir_perms;
allow $1 nfs_t:sock_file create_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_nfs_named_sockets'($*)) dnl
')
########################################
##
## Execute a file on a NFS filesystem
## in the specified domain.
##
##
##
## Execute a file on a NFS filesystem and transition
## to the specified domain. Since every file on a NFS
## filesystem shares the nfs_t type, this makes any
## file on any NFS mount a valid entry point for the
## specified domain. This is not suggested.
##
##
## No interprocess communication (signals, pipes,
## etc.) is provided by this interface since
## the domains are not owned by this module.
##
##
## This interface was added to handle
## home directories on NFS filesystems,
## in particular used by the ssh-agent policy.
##
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the new process.
##
##
#
define(`fs_nfs_domtrans',` dnl
dnl Arg 1: source domain. Arg 2: target domain of the new process.
dnl Grants dir:search on nfs_t and a domain_auto_trans from arg 1 to
dnl arg 2 with nfs_t as the entrypoint type (domain_auto_trans is defined
dnl outside this chunk).
dnl Security note: nfs_t is the single type of every file on every NFS
dnl mount, so ANY file on ANY NFS mount becomes a valid entry point for
dnl arg 2. Entry-point integrity therefore rests entirely on the remote
dnl server and the network path, not on local labeling. Per the header
dnl this exists for NFS home directories (ssh-agent) and is discouraged;
dnl no IPC rules between the two domains are added here.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_nfs_domtrans'($*)) dnl
gen_require(`
type nfs_t;
')
allow $1 nfs_t:dir search;
domain_auto_trans($1,nfs_t,$2)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_nfs_domtrans'($*)) dnl
')
########################################
##
## Mount a NFS server pseudo filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_mount_nfsd_fs',` dnl
dnl Allow the domain in arg 1 to mount the nfsd_fs_t pseudo filesystem
dnl (the kernel NFS server control filesystem). filesystem:mount only.
dnl Depth lines around the rule are build tracing only.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_mount_nfsd_fs'($*)) dnl
gen_require(`
type nfsd_fs_t;
')
allow $1 nfsd_fs_t:filesystem mount;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_mount_nfsd_fs'($*)) dnl
')
########################################
##
## Remount a NFS server pseudo filesystem.
## This allows some mount options to be changed.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_remount_nfsd_fs',` dnl
dnl Allow the domain in arg 1 to remount the nfsd_fs_t pseudo filesystem
dnl (filesystem:remount only, i.e. change mount options of an existing
dnl mount). Initial mounting is fs_mount_nfsd_fs.
dnl Depth lines around the rule are build tracing only.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_remount_nfsd_fs'($*)) dnl
gen_require(`
type nfsd_fs_t;
')
allow $1 nfsd_fs_t:filesystem remount;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_remount_nfsd_fs'($*)) dnl
')
########################################
##
## Unmount a NFS server pseudo filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_unmount_nfsd_fs',` dnl
dnl Allow the domain in arg 1 to unmount the nfsd_fs_t pseudo filesystem
dnl (filesystem:unmount only).
dnl Depth lines around the rule are build tracing only.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_unmount_nfsd_fs'($*)) dnl
gen_require(`
type nfsd_fs_t;
')
allow $1 nfsd_fs_t:filesystem unmount;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_unmount_nfsd_fs'($*)) dnl
')
########################################
##
## Get the attributes of a NFS server
## pseudo filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_getattr_nfsd_fs',` dnl
dnl Allow the domain in arg 1 to get attributes of the nfsd_fs_t
dnl filesystem object (filesystem:getattr). No file or dir access.
dnl Depth lines around the rule are build tracing only.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_nfsd_fs'($*)) dnl
gen_require(`
type nfsd_fs_t;
')
allow $1 nfsd_fs_t:filesystem getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_nfsd_fs'($*)) dnl
')
########################################
##
## Search NFS server directories.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_search_nfsd_fs',` dnl
dnl Allow the domain in arg 1 to traverse directories on the nfsd_fs_t
dnl pseudo filesystem (dir:search only; no listing, no getattr).
dnl Depth lines around the rule are build tracing only.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_search_nfsd_fs'($*)) dnl
gen_require(`
type nfsd_fs_t;
')
allow $1 nfsd_fs_t:dir search;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_search_nfsd_fs'($*)) dnl
')
########################################
##
## Read and write NFS server files.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_rw_nfsd_fs',` dnl
dnl Allow the domain in arg 1 to read and write files on the nfsd_fs_t
dnl pseudo filesystem (file:rw_file_perms; the set is defined outside
dnl this chunk). No directory permission is granted, so callers that
dnl reach these files by path also need fs_search_nfsd_fs. Writing here
dnl drives the kernel NFS server, so grant it to server-side domains only.
dnl Depth lines around the rule are build tracing only.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_rw_nfsd_fs'($*)) dnl
gen_require(`
type nfsd_fs_t;
')
allow $1 nfsd_fs_t:file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_rw_nfsd_fs'($*)) dnl
')
########################################
##
## Mount a RAM filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_mount_ramfs',` dnl
dnl Allow the domain in arg 1 to mount ramfs_t filesystems
dnl (filesystem:mount only).
dnl Depth lines around the rule are build tracing only.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_mount_ramfs'($*)) dnl
gen_require(`
type ramfs_t;
')
allow $1 ramfs_t:filesystem mount;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_mount_ramfs'($*)) dnl
')
########################################
##
## Remount a RAM filesystem. This allows
## some mount options to be changed.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_remount_ramfs',` dnl
dnl Allow the domain in arg 1 to remount ramfs_t filesystems
dnl (filesystem:remount only, i.e. change some mount options).
dnl Depth lines around the rule are build tracing only.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_remount_ramfs'($*)) dnl
gen_require(`
type ramfs_t;
')
allow $1 ramfs_t:filesystem remount;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_remount_ramfs'($*)) dnl
')
########################################
##
## Unmount a RAM filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_unmount_ramfs',` dnl
dnl Allow the domain in arg 1 to unmount ramfs_t filesystems
dnl (filesystem:unmount only).
dnl Depth lines around the rule are build tracing only.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_unmount_ramfs'($*)) dnl
gen_require(`
type ramfs_t;
')
allow $1 ramfs_t:filesystem unmount;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_unmount_ramfs'($*)) dnl
')
########################################
##
## Get the attributes of a RAM filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_getattr_ramfs',` dnl
dnl Allow the domain in arg 1 to get attributes of the ramfs_t filesystem
dnl object (filesystem:getattr). No file or dir access.
dnl Depth lines around the rule are build tracing only.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_ramfs'($*)) dnl
gen_require(`
type ramfs_t;
')
allow $1 ramfs_t:filesystem getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_ramfs'($*)) dnl
')
########################################
##
## Search directories on a ramfs
##
##
##
## Domain allowed access.
##
##
#
define(`fs_search_ramfs',` dnl
dnl Allow the domain in arg 1 to traverse ramfs_t directories
dnl (dir:search_dir_perms; the set is defined outside this chunk).
dnl Depth lines around the rule are build tracing only.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_search_ramfs'($*)) dnl
gen_require(`
type ramfs_t;
')
allow $1 ramfs_t:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_search_ramfs'($*)) dnl
')
########################################
##
## Do not audit attempts to search directories on a ramfs.
##
##
##
## Domain to not audit.
##
##
#
define(`fs_dontaudit_search_ramfs',` dnl
dnl Suppress AVC denials for the domain in arg 1 attempting dir:search on
dnl ramfs_t. Grants nothing; arg 1 is the domain NOT to audit.
dnl Depth lines around the rule are build tracing only.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_search_ramfs'($*)) dnl
gen_require(`
type ramfs_t;
')
dontaudit $1 ramfs_t:dir search;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_search_ramfs'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## directories on a ramfs.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_manage_ramfs_dirs',` dnl
dnl Allow the domain in arg 1 full control of ramfs_t directories
dnl (dir:manage_dir_perms; the set is defined outside this chunk and is
dnl the newer spelling of create_dir_perms used by fs_manage_nfs_dirs).
dnl Depth lines around the rule are build tracing only.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_ramfs_dirs'($*)) dnl
gen_require(`
type ramfs_t;
')
allow $1 ramfs_t:dir manage_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_ramfs_dirs'($*)) dnl
')
########################################
##
## Do not audit attempts to read files on a ramfs.
##
##
##
## Domain to not audit.
##
##
#
define(`fs_dontaudit_read_ramfs_files',` dnl
dnl Suppress AVC denials for the domain in arg 1 attempting file:read on
dnl ramfs_t. Grants nothing; only the bare read permission is silenced
dnl (getattr and open-related denials would still appear).
dnl Depth lines around the rule are build tracing only.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_read_ramfs_files'($*)) dnl
gen_require(`
type ramfs_t;
')
dontaudit $1 ramfs_t:file read;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_read_ramfs_files'($*)) dnl
')
########################################
##
## Do not audit attempts to read named pipes on a ramfs.
##
##
##
## Domain to not audit.
##
##
#
define(`fs_dontaudit_read_ramfs_pipes',` dnl
dnl Suppress AVC denials for the domain in arg 1 attempting fifo_file:read
dnl on ramfs_t named pipes. Grants nothing.
dnl Depth lines around the rule are build tracing only.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_read_ramfs_pipes'($*)) dnl
gen_require(`
type ramfs_t;
')
dontaudit $1 ramfs_t:fifo_file read;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_read_ramfs_pipes'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## files on a ramfs filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_manage_ramfs_files',` dnl
dnl Allow the domain in arg 1 full control of regular files on ramfs_t:
dnl rw_dir_perms on directories plus manage_file_perms on files. Both sets
dnl are defined outside this chunk.
dnl Depth lines around the rules are build tracing only.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_ramfs_files'($*)) dnl
gen_require(`
type ramfs_t;
')
allow $1 ramfs_t:dir rw_dir_perms;
allow $1 ramfs_t:file manage_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_ramfs_files'($*)) dnl
')
########################################
##
## Write to named pipe on a ramfs filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_write_ramfs_pipes',` dnl
dnl Allow the domain in arg 1 to write to named pipes on ramfs_t:
dnl search_dir_perms on directories (path lookup) plus the bare write
dnl permission on the fifo_file class. No getattr or read is granted.
dnl Depth lines around the rules are build tracing only.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_write_ramfs_pipes'($*)) dnl
gen_require(`
type ramfs_t;
')
allow $1 ramfs_t:dir search_dir_perms;
allow $1 ramfs_t:fifo_file write;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_write_ramfs_pipes'($*)) dnl
')
########################################
##
## Do not audit attempts to write to named
## pipes on a ramfs filesystem.
##
##
##
## Domain to not audit.
##
##
#
define(`fs_dontaudit_write_ramfs_pipes',` dnl
dnl Suppress AVC denials for the domain in arg 1 attempting
dnl fifo_file:write on ramfs_t named pipes. Grants nothing; arg 1 is the
dnl domain NOT to audit.
dnl Depth lines around the rule are build tracing only.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_write_ramfs_pipes'($*)) dnl
gen_require(`
type ramfs_t;
')
dontaudit $1 ramfs_t:fifo_file write;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_write_ramfs_pipes'($*)) dnl
')
########################################
##
## Read and write a named pipe on a ramfs filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_rw_ramfs_pipes',` dnl
dnl Allow the domain in arg 1 to read and write named pipes on ramfs_t:
dnl search_dir_perms on directories plus rw_file_perms applied to the
dnl fifo_file class (the set is defined outside this chunk).
dnl Depth lines around the rules are build tracing only.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_rw_ramfs_pipes'($*)) dnl
gen_require(`
type ramfs_t;
')
allow $1 ramfs_t:dir search_dir_perms;
allow $1 ramfs_t:fifo_file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_rw_ramfs_pipes'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## named pipes on a ramfs filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_manage_ramfs_pipes',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_ramfs_pipes'($*)) dnl
gen_require(`
type ramfs_t;
')
# fs_manage_ramfs_pipes(domain): create, read, write and delete named pipes
# labelled ramfs_t. rw_dir_perms on the containing directory is what allows
# the directory entries to be added and removed.
allow $1 ramfs_t:dir rw_dir_perms;
allow $1 ramfs_t:fifo_file manage_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_ramfs_pipes'($*)) dnl
')
########################################
##
## Write to named socket on a ramfs filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_write_ramfs_sockets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_write_ramfs_sockets'($*)) dnl
gen_require(`
type ramfs_t;
')
# fs_write_ramfs_sockets(domain): write to named sockets (sock_file) labelled
# ramfs_t. NOTE(review): unlike fs_write_ramfs_pipes this grants no search on
# ramfs_t directories; callers presumably obtain that elsewhere - confirm.
allow $1 ramfs_t:sock_file write;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_write_ramfs_sockets'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## named sockets on a ramfs filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_manage_ramfs_sockets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_ramfs_sockets'($*)) dnl
gen_require(`
type ramfs_t;
')
# fs_manage_ramfs_sockets(domain): create, read, write and delete named
# sockets labelled ramfs_t; rw_dir_perms on the directory covers adding and
# removing the socket entries.
allow $1 ramfs_t:dir rw_dir_perms;
allow $1 ramfs_t:sock_file manage_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_ramfs_sockets'($*)) dnl
')
########################################
##
## Mount a ROM filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_mount_romfs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_mount_romfs'($*)) dnl
gen_require(`
type romfs_t;
')
# fs_mount_romfs(domain): mount filesystems labelled romfs_t. This is the
# filesystem-class mount permission only; access to the mount point directory
# must be granted separately.
allow $1 romfs_t:filesystem mount;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_mount_romfs'($*)) dnl
')
########################################
##
## Remount a ROM filesystem. This allows
## some mount options to be changed.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_remount_romfs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_remount_romfs'($*)) dnl
gen_require(`
type romfs_t;
')
# fs_remount_romfs(domain): remount an already mounted romfs_t filesystem,
# which is how mount options get changed. Does not include mount or unmount.
allow $1 romfs_t:filesystem remount;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_remount_romfs'($*)) dnl
')
########################################
##
## Unmount a ROM filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_unmount_romfs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_unmount_romfs'($*)) dnl
gen_require(`
type romfs_t;
')
# fs_unmount_romfs(domain): unmount filesystems labelled romfs_t.
allow $1 romfs_t:filesystem unmount;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_unmount_romfs'($*)) dnl
')
########################################
##
## Get the attributes of a ROM
## filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_getattr_romfs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_romfs'($*)) dnl
gen_require(`
type romfs_t;
')
# fs_getattr_romfs(domain): read filesystem-level attributes of romfs_t
# filesystems (filesystem class getattr, i.e. statfs-style queries), not the
# attributes of individual files on them.
allow $1 romfs_t:filesystem getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_romfs'($*)) dnl
')
########################################
##
## Mount an RPC pipe filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_mount_rpc_pipefs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_mount_rpc_pipefs'($*)) dnl
gen_require(`
type rpc_pipefs_t;
')
# fs_mount_rpc_pipefs(domain): mount filesystems labelled rpc_pipefs_t
# (filesystem-class mount permission only).
allow $1 rpc_pipefs_t:filesystem mount;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_mount_rpc_pipefs'($*)) dnl
')
########################################
##
## Remount an RPC pipe filesystem. This
## allows some mount options to be changed.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_remount_rpc_pipefs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_remount_rpc_pipefs'($*)) dnl
gen_require(`
type rpc_pipefs_t;
')
# fs_remount_rpc_pipefs(domain): remount an already mounted rpc_pipefs_t
# filesystem (change mount options). Does not include mount or unmount.
allow $1 rpc_pipefs_t:filesystem remount;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_remount_rpc_pipefs'($*)) dnl
')
########################################
##
## Unmount an RPC pipe filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_unmount_rpc_pipefs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_unmount_rpc_pipefs'($*)) dnl
gen_require(`
type rpc_pipefs_t;
')
# fs_unmount_rpc_pipefs(domain): unmount filesystems labelled rpc_pipefs_t.
allow $1 rpc_pipefs_t:filesystem unmount;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_unmount_rpc_pipefs'($*)) dnl
')
########################################
##
## Get the attributes of an RPC pipe
## filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_getattr_rpc_pipefs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_rpc_pipefs'($*)) dnl
gen_require(`
type rpc_pipefs_t;
')
# fs_getattr_rpc_pipefs(domain): read filesystem-level attributes of
# rpc_pipefs_t filesystems (filesystem class getattr), not per-file attributes.
allow $1 rpc_pipefs_t:filesystem getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_rpc_pipefs'($*)) dnl
')
#########################################
##
## Read and write RPC pipe filesystem named pipes.
##
##
##
## Domain allowed access.
##
##
#
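define(`fs_rw_rpc_named_pipes',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_rw_rpc_named_pipes'($*)) dnl
gen_require(`
type rpc_pipefs_t;
')
# fs_rw_rpc_named_pipes(domain): read and write named pipes (fifo_file)
# labelled rpc_pipefs_t. The require block must name rpc_pipefs_t, the type
# used in the rule below; it previously required nfs_t, which is not used
# here and would leave rpc_pipefs_t undeclared when this interface is called
# from a loadable module.
allow $1 rpc_pipefs_t:fifo_file { read write };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_rw_rpc_named_pipes'($*)) dnl
')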
########################################
##
## Mount a tmpfs filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_mount_tmpfs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_mount_tmpfs'($*)) dnl
gen_require(`
type tmpfs_t;
')
# fs_mount_tmpfs(domain): mount filesystems labelled tmpfs_t
# (filesystem-class mount permission only).
allow $1 tmpfs_t:filesystem mount;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_mount_tmpfs'($*)) dnl
')
########################################
##
## Remount a tmpfs filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_remount_tmpfs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_remount_tmpfs'($*)) dnl
gen_require(`
type tmpfs_t;
')
# fs_remount_tmpfs(domain): remount an already mounted tmpfs_t filesystem
# (change mount options). Does not include mount or unmount.
allow $1 tmpfs_t:filesystem remount;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_remount_tmpfs'($*)) dnl
')
########################################
##
## Unmount a tmpfs filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_unmount_tmpfs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_unmount_tmpfs'($*)) dnl
gen_require(`
type tmpfs_t;
')
# fs_unmount_tmpfs(domain): unmount filesystems labelled tmpfs_t.
allow $1 tmpfs_t:filesystem unmount;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_unmount_tmpfs'($*)) dnl
')
########################################
##
## Get the attributes of a tmpfs
## filesystem.
##
##
##
## Domain allowed access.
##
##
##
#
define(`fs_getattr_tmpfs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_tmpfs'($*)) dnl
gen_require(`
type tmpfs_t;
')
# fs_getattr_tmpfs(domain): read filesystem-level attributes of tmpfs_t
# filesystems (filesystem class getattr); for directory attributes use
# fs_getattr_tmpfs_dirs instead.
allow $1 tmpfs_t:filesystem getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_tmpfs'($*)) dnl
')
########################################
##
## Allow the type to associate to tmpfs filesystems.
##
##
##
## The type of the object to be associated.
##
##
#
define(`fs_associate_tmpfs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_associate_tmpfs'($*)) dnl
gen_require(`
type tmpfs_t;
')
# fs_associate_tmpfs(type): arg 1 is an object (file) type, not a domain.
# associate is what lets objects carrying that type exist on a tmpfs_t
# filesystem; without it creating or relabelling such objects there is denied.
allow $1 tmpfs_t:filesystem associate;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_associate_tmpfs'($*)) dnl
')
########################################
##
## Get the attributes of tmpfs directories.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_getattr_tmpfs_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_tmpfs_dirs'($*)) dnl
gen_require(`
type tmpfs_t;
')
# fs_getattr_tmpfs_dirs(domain): stat directories labelled tmpfs_t.
# getattr only; no search or listing of their contents.
allow $1 tmpfs_t:dir getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_tmpfs_dirs'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of tmpfs directories.
##
##
##
## Domain to not audit.
##
##
#
define(`fs_dontaudit_getattr_tmpfs_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_getattr_tmpfs_dirs'($*)) dnl
gen_require(`
type tmpfs_t;
')
# fs_dontaudit_getattr_tmpfs_dirs(domain): suppress AVC denial messages for
# stat of tmpfs_t directories. dontaudit grants nothing.
dontaudit $1 tmpfs_t:dir getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_getattr_tmpfs_dirs'($*)) dnl
')
########################################
##
## Set the attributes of tmpfs directories.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_setattr_tmpfs_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_setattr_tmpfs_dirs'($*)) dnl
gen_require(`
type tmpfs_t;
')
# fs_setattr_tmpfs_dirs(domain): change attributes (mode, owner, times) of
# directories labelled tmpfs_t. setattr only; relabelling is not included.
allow $1 tmpfs_t:dir setattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_setattr_tmpfs_dirs'($*)) dnl
')
########################################
##
## Search tmpfs directories.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_search_tmpfs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_search_tmpfs'($*)) dnl
gen_require(`
type tmpfs_t;
')
# fs_search_tmpfs(domain): traverse directories labelled tmpfs_t by name.
# search only - the directory contents cannot be listed (see fs_list_tmpfs).
# Other tmpfs interfaces in this file call this to get path traversal.
allow $1 tmpfs_t:dir search;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_search_tmpfs'($*)) dnl
')
########################################
##
## List the contents of generic tmpfs directories.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_list_tmpfs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_list_tmpfs'($*)) dnl
gen_require(`
type tmpfs_t;
')
# fs_list_tmpfs(domain): read-only directory access (r_dir_perms) to
# directories labelled tmpfs_t, i.e. listing as well as traversal.
allow $1 tmpfs_t:dir r_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_list_tmpfs'($*)) dnl
')
########################################
##
## Do not audit attempts to list the
## contents of generic tmpfs directories.
##
##
##
## Domain to not audit.
##
##
#
define(`fs_dontaudit_list_tmpfs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_list_tmpfs'($*)) dnl
gen_require(`
type tmpfs_t;
')
# fs_dontaudit_list_tmpfs(domain): suppress AVC denial messages for
# read-only directory access to tmpfs_t directories. dontaudit grants nothing.
dontaudit $1 tmpfs_t:dir r_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_list_tmpfs'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## tmpfs directories.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_manage_tmpfs_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_tmpfs_dirs'($*)) dnl
gen_require(`
type tmpfs_t;
')
# fs_manage_tmpfs_dirs(domain): create, read, write and delete directories
# labelled tmpfs_t (create_dir_perms). Files inside them are not covered;
# see the fs_manage_tmpfs_* interfaces for each object class.
allow $1 tmpfs_t:dir create_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_tmpfs_dirs'($*)) dnl
')
########################################
##
## Create an object in a tmpfs filesystem, with a private
## type using a type transition.
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the object to be created.
##
##
##
##
## The object class of the object being created.
##
##
#
define(`fs_tmpfs_filetrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_tmpfs_filetrans'($*)) dnl
gen_require(`
type tmpfs_t;
')
# fs_tmpfs_filetrans(domain, new_type, class): objects of class arg 3 that
# the domain (arg 1) creates in a tmpfs_t directory are labelled arg 2
# instead of inheriting tmpfs_t. The new type needs associate on the
# filesystem so objects of that type may live on tmpfs at all; the domain
# needs rw_dir_perms on the directory to add the entry.
allow $2 tmpfs_t:filesystem associate;
allow $1 tmpfs_t:dir rw_dir_perms;
type_transition $1 tmpfs_t:$3 $2;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_tmpfs_filetrans'($*)) dnl
')
########################################
##
## Do not audit attempts to read or write
## generic tmpfs files.
##
##
##
## Domain to not audit.
##
##
#
define(`fs_dontaudit_rw_tmpfs_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_rw_tmpfs_files'($*)) dnl
gen_require(`
type tmpfs_t;
')
# fs_dontaudit_rw_tmpfs_files(domain): suppress AVC denial messages for
# read/write access to files labelled tmpfs_t. dontaudit grants nothing.
dontaudit $1 tmpfs_t:file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_rw_tmpfs_files'($*)) dnl
')
########################################
##
## Do not audit attempts to getattr
## generic tmpfs files.
##
##
##
## Domain to not audit.
##
##
#
define(`fs_dontaudit_getattr_tmpfs_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_getattr_tmpfs_files'($*)) dnl
gen_require(`
type tmpfs_t;
')
# fs_dontaudit_getattr_tmpfs_files(domain): suppress AVC denial messages for
# stat of files labelled tmpfs_t. dontaudit grants nothing.
dontaudit $1 tmpfs_t:file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_getattr_tmpfs_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## auto mountpoints.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_manage_auto_mountpoints',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_auto_mountpoints'($*)) dnl
gen_require(`
type autofs_t;
')
# fs_manage_auto_mountpoints(domain): create, read, write and delete
# directories labelled autofs_t (the automounter mount points).
# Note this one uses manage_dir_perms where the tmpfs interfaces in this
# file use create_dir_perms.
allow $1 autofs_t:dir manage_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_auto_mountpoints'($*)) dnl
')
########################################
##
## Read and write generic tmpfs files.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_rw_tmpfs_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_rw_tmpfs_files'($*)) dnl
gen_require(`
type tmpfs_t;
')
# fs_rw_tmpfs_files(domain): read and write files labelled tmpfs_t.
# Path traversal comes from fs_search_tmpfs (search only, no listing);
# create and unlink are not included - see fs_manage_tmpfs_files.
fs_search_tmpfs($1)
allow $1 tmpfs_t:file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_rw_tmpfs_files'($*)) dnl
')
########################################
##
## Read tmpfs link files.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_read_tmpfs_symlinks',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_read_tmpfs_symlinks'($*)) dnl
gen_require(`
type tmpfs_t;
')
# fs_read_tmpfs_symlinks(domain): follow symbolic links labelled tmpfs_t.
# Only lnk_file read is granted (no getattr); path traversal comes from
# fs_search_tmpfs.
fs_search_tmpfs($1)
allow $1 tmpfs_t:lnk_file read;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_read_tmpfs_symlinks'($*)) dnl
')
########################################
##
## Read and write character nodes on tmpfs filesystems.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_rw_tmpfs_chr_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_rw_tmpfs_chr_files'($*)) dnl
gen_require(`
type tmpfs_t;
')
# fs_rw_tmpfs_chr_files(domain): read and write character device nodes that
# carry the generic tmpfs_t label, with read-only access to the directories
# holding them. Device nodes with their own device type are not covered.
allow $1 tmpfs_t:dir r_dir_perms;
allow $1 tmpfs_t:chr_file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_rw_tmpfs_chr_files'($*)) dnl
')
########################################
##
## Do not audit attempts to read and write character nodes on tmpfs filesystems.
##
##
##
## Domain to not audit.
##
##
#
define(`fs_dontaudit_use_tmpfs_chr_dev',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_use_tmpfs_chr_dev'($*)) dnl
gen_require(`
type tmpfs_t;
')
# fs_dontaudit_use_tmpfs_chr_dev(domain): suppress AVC denial messages for the
# same accesses fs_rw_tmpfs_chr_files would grant (read-only dir access and
# read/write on tmpfs_t character nodes). dontaudit grants nothing.
dontaudit $1 tmpfs_t:dir r_dir_perms;
dontaudit $1 tmpfs_t:chr_file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_use_tmpfs_chr_dev'($*)) dnl
')
########################################
##
## Relabel character nodes on tmpfs filesystems.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_relabel_tmpfs_chr_file',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_relabel_tmpfs_chr_file'($*)) dnl
gen_require(`
type tmpfs_t;
')
# fs_relabel_tmpfs_chr_file(domain): change the label of character device
# nodes to or from tmpfs_t (relabelfrom + relabelto, with getattr so the
# current label can be read). Relabelling lets the domain move a node into
# or out of the generic tmpfs label; read-only dir access locates the nodes.
allow $1 tmpfs_t:dir r_dir_perms;
allow $1 tmpfs_t:chr_file { getattr relabelfrom relabelto };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_relabel_tmpfs_chr_file'($*)) dnl
')
########################################
##
## Read and write block nodes on tmpfs filesystems.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_rw_tmpfs_blk_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_rw_tmpfs_blk_files'($*)) dnl
gen_require(`
type tmpfs_t;
')
# fs_rw_tmpfs_blk_files(domain): read and write block device nodes that carry
# the generic tmpfs_t label, with read-only access to the directories holding
# them. Block nodes with their own device type are not covered.
allow $1 tmpfs_t:dir r_dir_perms;
allow $1 tmpfs_t:blk_file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_rw_tmpfs_blk_files'($*)) dnl
')
########################################
##
## Relabel block nodes on tmpfs filesystems.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_relabel_tmpfs_blk_file',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_relabel_tmpfs_blk_file'($*)) dnl
gen_require(`
type tmpfs_t;
')
# fs_relabel_tmpfs_blk_file(domain): change the label of block device nodes
# to or from tmpfs_t (relabelfrom + relabelto, plus getattr to read the
# current label); read-only dir access locates the nodes.
allow $1 tmpfs_t:dir r_dir_perms;
allow $1 tmpfs_t:blk_file { getattr relabelfrom relabelto };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_relabel_tmpfs_blk_file'($*)) dnl
')
########################################
##
## Read and write, create and delete generic
## files on tmpfs filesystems.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_manage_tmpfs_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_tmpfs_files'($*)) dnl
gen_require(`
type tmpfs_t;
')
# fs_manage_tmpfs_files(domain): create, read, write and delete regular files
# labelled tmpfs_t. rw_dir_perms on the directory is what allows the entries
# to be added and removed.
allow $1 tmpfs_t:dir rw_dir_perms;
allow $1 tmpfs_t:file create_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_tmpfs_files'($*)) dnl
')
########################################
##
## Read and write, create and delete symbolic
## links on tmpfs filesystems.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_manage_tmpfs_symlinks',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_tmpfs_symlinks'($*)) dnl
gen_require(`
type tmpfs_t;
')
# fs_manage_tmpfs_symlinks(domain): create, read and delete symbolic links
# labelled tmpfs_t (create_lnk_perms), with rw_dir_perms on the directory
# so the entries can be added and removed.
allow $1 tmpfs_t:dir rw_dir_perms;
allow $1 tmpfs_t:lnk_file create_lnk_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_tmpfs_symlinks'($*)) dnl
')
########################################
##
## Read and write, create and delete socket
## files on tmpfs filesystems.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_manage_tmpfs_sockets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_tmpfs_sockets'($*)) dnl
gen_require(`
type tmpfs_t;
')
# fs_manage_tmpfs_sockets(domain): create, read, write and delete named
# socket files labelled tmpfs_t, with rw_dir_perms on the directory so the
# entries can be added and removed.
allow $1 tmpfs_t:dir rw_dir_perms;
allow $1 tmpfs_t:sock_file create_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_tmpfs_sockets'($*)) dnl
')
########################################
##
## Read and write, create and delete character
## nodes on tmpfs filesystems.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_manage_tmpfs_chr_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_tmpfs_chr_files'($*)) dnl
gen_require(`
type tmpfs_t;
')
# fs_manage_tmpfs_chr_files(domain): create, read, write and delete character
# device nodes labelled tmpfs_t. Creating device nodes is a privileged
# operation; rw_dir_perms on the directory covers adding and removing entries.
allow $1 tmpfs_t:dir rw_dir_perms;
allow $1 tmpfs_t:chr_file create_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_tmpfs_chr_files'($*)) dnl
')
########################################
##
## Read and write, create and delete block nodes
## on tmpfs filesystems.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_manage_tmpfs_blk_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_tmpfs_blk_files'($*)) dnl
gen_require(`
type tmpfs_t;
')
# fs_manage_tmpfs_blk_files(domain): create, read, write and delete block
# device nodes labelled tmpfs_t. Creating device nodes is a privileged
# operation; rw_dir_perms on the directory covers adding and removing entries.
allow $1 tmpfs_t:dir rw_dir_perms;
allow $1 tmpfs_t:blk_file create_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_tmpfs_blk_files'($*)) dnl
')
########################################
##
## Mount all filesystems.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_mount_all_fs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_mount_all_fs'($*)) dnl
gen_require(`
attribute filesystem_type;
')
# Grants the mount permission against every type carrying the
# filesystem_type attribute, so this is a broad grant; where the
# target filesystem is known, the per-filesystem mount interfaces
# keep the allowed set smaller.
allow $1 filesystem_type:filesystem mount;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_mount_all_fs'($*)) dnl
')
########################################
##
## Remount all filesystems. This
## allows some mount options to be changed.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_remount_all_fs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_remount_all_fs'($*)) dnl
gen_require(`
attribute filesystem_type;
')
# remount (not mount) on every filesystem_type: lets arg 1 change
# mount options such as read-only/read-write on already mounted
# filesystems of any labeled type.
allow $1 filesystem_type:filesystem remount;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_remount_all_fs'($*)) dnl
')
########################################
##
## Unmount all filesystems.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_unmount_all_fs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_unmount_all_fs'($*)) dnl
gen_require(`
attribute filesystem_type;
')
# unmount on every filesystem_type. Only the filesystem-class
# permission is granted here; mounton/search on the mountpoint
# directories must come from other rules.
allow $1 filesystem_type:filesystem unmount;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_unmount_all_fs'($*)) dnl
')
########################################
##
## Get the attributes of all persistent
## filesystems.
##
##
##
## Domain allowed access.
##
##
##
#
define(`fs_getattr_all_fs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_all_fs'($*)) dnl
gen_require(`
attribute filesystem_type;
')
# filesystem-class getattr (statfs and the like) on every
# filesystem_type, then delegation to the files module so the
# caller also gets whatever files_getattr_all_filesystems adds
# (defined outside this file).
allow $1 filesystem_type:filesystem getattr;
files_getattr_all_filesystems($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_all_fs'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of all filesystems.
##
##
##
## Domain to not audit.
##
##
#
define(`fs_dontaudit_getattr_all_fs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_getattr_all_fs'($*)) dnl
gen_require(`
attribute filesystem_type;
')
# dontaudit only: the access stays denied, the denial is just not
# logged. Counterpart of fs_getattr_all_fs for noisy callers.
dontaudit $1 filesystem_type:filesystem getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_getattr_all_fs'($*)) dnl
')
########################################
##
## Get the quotas of all filesystems.
##
##
##
## The type of the domain getting quotas.
##
##
##
#
define(`fs_get_all_fs_quotas',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_get_all_fs_quotas'($*)) dnl
gen_require(`
attribute filesystem_type;
')
# Read-only quota access (quotaget) on every filesystem_type;
# the modifying half is fs_set_all_quotas.
allow $1 filesystem_type:filesystem quotaget;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_get_all_fs_quotas'($*)) dnl
')
########################################
##
## Set the quotas of all filesystems.
##
##
##
## The type of the domain setting quotas.
##
##
##
#
define(`fs_set_all_quotas',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_set_all_quotas'($*)) dnl
gen_require(`
attribute filesystem_type;
')
# quotamod on every filesystem_type. Note this grants only the
# modify permission; a caller that also needs to read quotas must
# additionally call fs_get_all_fs_quotas.
allow $1 filesystem_type:filesystem quotamod;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_set_all_quotas'($*)) dnl
')
########################################
##
## Relabelfrom all filesystems.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_relabelfrom_all_fs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_relabelfrom_all_fs'($*)) dnl
gen_require(`
attribute filesystem_type;
')
# filesystem-class relabelfrom on every filesystem_type (the
# superblock label, e.g. via context= mount options), not
# relabelfrom on files inside those filesystems. The matching
# relabelto must be granted separately for the destination type.
allow $1 filesystem_type:filesystem relabelfrom;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_relabelfrom_all_fs'($*)) dnl
')
########################################
##
## Get the attributes of all directories
## with a filesystem type.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_getattr_all_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_all_dirs'($*)) dnl
gen_require(`
attribute filesystem_type;
')
# dir-class getattr only; unlike fs_getattr_all_files below, no
# search permission is included, so the caller must already be
# able to reach the directory.
allow $1 filesystem_type:dir getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_all_dirs'($*)) dnl
')
########################################
##
## Search all directories with a filesystem type.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_search_all',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_search_all'($*)) dnl
gen_require(`
attribute filesystem_type;
')
# search_dir_perms (path traversal) on directories of every
# filesystem_type; listing contents is fs_list_all.
allow $1 filesystem_type:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_search_all'($*)) dnl
')
########################################
##
## List all directories with a filesystem type.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_list_all',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_list_all'($*)) dnl
gen_require(`
attribute filesystem_type;
')
# r_dir_perms on directories of every filesystem_type: read
# (list) as well as search, a superset of fs_search_all.
allow $1 filesystem_type:dir r_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_list_all'($*)) dnl
')
########################################
##
## Get the attributes of all files with
## a filesystem type.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_getattr_all_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_all_files'($*)) dnl
gen_require(`
attribute filesystem_type;
')
# getattr on regular files of every filesystem_type, plus the dir
# search and getattr needed to stat them by path. No read access
# to file contents is included.
allow $1 filesystem_type:dir { search getattr };
allow $1 filesystem_type:file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_all_files'($*)) dnl
')
########################################
##
## Get the attributes of all symbolic links with
## a filesystem type.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_getattr_all_symlinks',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_all_symlinks'($*)) dnl
gen_require(`
attribute filesystem_type;
')
# lnk_file getattr (lstat) plus dir search/getattr on every
# filesystem_type. Following the link (lnk_file read) is not
# granted here.
allow $1 filesystem_type:dir { search getattr };
allow $1 filesystem_type:lnk_file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_all_symlinks'($*)) dnl
')
########################################
##
## Get the attributes of all named pipes with
## a filesystem type.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_getattr_all_pipes',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_all_pipes'($*)) dnl
gen_require(`
attribute filesystem_type;
')
# fifo_file getattr plus dir search/getattr on every
# filesystem_type; same pattern as fs_getattr_all_files.
allow $1 filesystem_type:dir { search getattr };
allow $1 filesystem_type:fifo_file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_all_pipes'($*)) dnl
')
########################################
##
## Get the attributes of all named sockets with
## a filesystem type.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_getattr_all_sockets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_all_sockets'($*)) dnl
gen_require(`
attribute filesystem_type;
')
# sock_file getattr plus dir search/getattr on every
# filesystem_type; same pattern as fs_getattr_all_files.
allow $1 filesystem_type:dir { search getattr };
allow $1 filesystem_type:sock_file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_all_sockets'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of all files with a filesystem type.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_dontaudit_getattr_all_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_getattr_all_files'($*)) dnl
gen_require(`
attribute filesystem_type;
')
# Silences (does not permit) file getattr denials on every
# filesystem_type. Unlike fs_getattr_all_files, no dir rule is
# included, so dir search denials would still be audited.
dontaudit $1 filesystem_type:file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_getattr_all_files'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of all symbolic links with a filesystem type.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_dontaudit_getattr_all_symlinks',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_getattr_all_symlinks'($*)) dnl
gen_require(`
attribute filesystem_type;
')
# Silences lnk_file getattr denials on every filesystem_type;
# access is still denied.
dontaudit $1 filesystem_type:lnk_file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_getattr_all_symlinks'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of all named pipes with a filesystem type.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_dontaudit_getattr_all_pipes',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_getattr_all_pipes'($*)) dnl
gen_require(`
attribute filesystem_type;
')
# Silences fifo_file getattr denials on every filesystem_type;
# access is still denied.
dontaudit $1 filesystem_type:fifo_file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_getattr_all_pipes'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of all named sockets with a filesystem type.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_dontaudit_getattr_all_sockets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_getattr_all_sockets'($*)) dnl
gen_require(`
attribute filesystem_type;
')
# Silences sock_file getattr denials on every filesystem_type;
# access is still denied.
dontaudit $1 filesystem_type:sock_file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_getattr_all_sockets'($*)) dnl
')
########################################
##
## Unconfined access to filesystems
##
##
##
## Domain allowed access.
##
##
#
define(`fs_unconfined',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_unconfined'($*)) dnl
gen_require(`
attribute filesystem_unconfined_type;
')
# No allow rules here: the caller is simply added to the
# filesystem_unconfined_type attribute, and whatever rules are
# written against that attribute elsewhere in the policy apply to
# it. Review those rules before using this; the name implies a
# near-total filesystem exemption.
typeattribute $1 filesystem_unconfined_type;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_unconfined'($*)) dnl
')
########################################
##
## Relabel all objects from filesystems that
## do not support extended attributes.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_relabelfrom_noxattr_fs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_relabelfrom_noxattr_fs'($*)) dnl
gen_require(`
attribute noxattrfs;
')
# relabelfrom (plus getattr, and list_dir_perms on dirs) for every
# object class living on a noxattrfs filesystem. Only the source
# side of a relabel is granted; relabelto on the target type must
# be provided by the caller through another interface.
allow $1 noxattrfs:dir { list_dir_perms relabelfrom };
allow $1 noxattrfs:file { getattr relabelfrom };
allow $1 noxattrfs:lnk_file { getattr relabelfrom };
allow $1 noxattrfs:fifo_file { getattr relabelfrom };
allow $1 noxattrfs:sock_file { getattr relabelfrom };
allow $1 noxattrfs:blk_file { getattr relabelfrom };
allow $1 noxattrfs:chr_file { getattr relabelfrom };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_relabelfrom_noxattr_fs'($*)) dnl
')
########################################
##
## Read files of anon_inodefs filesystems.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_read_anon_inodefs_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_read_anon_inodefs_files'($*)) dnl
gen_require(`
type anon_inodefs_t;
')
# read_files_pattern(domain, dir type, file type): both the
# container and the files are anon_inodefs_t here.
read_files_pattern($1,anon_inodefs_t,anon_inodefs_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_read_anon_inodefs_files'($*)) dnl
')
########################################
##
## Read/write files of anon_inodefs filesystems.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_rw_anon_inodefs_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_rw_anon_inodefs_files'($*)) dnl
gen_require(`
type anon_inodefs_t;
')
# Read/write (no create or delete) on anon_inodefs_t files via the
# rw_files_pattern helper; dir type and file type coincide.
rw_files_pattern($1,anon_inodefs_t,anon_inodefs_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_rw_anon_inodefs_files'($*)) dnl
')
########################################
##
## Read and write files on hugetlbfs
## file systems.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_rw_hugetlbfs_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fs_rw_hugetlbfs_files'($*)) dnl
gen_require(`
type hugetlbfs_t;
')
# Read/write on hugetlbfs_t files through rw_files_pattern, with
# hugetlbfs_t as both the directory and the file type.
rw_files_pattern($1,hugetlbfs_t,hugetlbfs_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fs_rw_hugetlbfs_files'($*)) dnl
')
##
## Policy for kernel threads, proc filesystem,
## and unlabeled processes and objects.
##
##
## This module has initial SIDs.
##
########################################
##
## Allows the kernel to start userland processes
## by transitioning to the specified domain.
##
##
##
## The process type entered by kernel.
##
##
##
##
## The executable type for the entrypoint.
##
##
#
define(`kernel_domtrans_to',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_domtrans_to'($*)) dnl
gen_require(`
type kernel_t;
')
# Argument order of domain_auto_trans is (source, entrypoint,
# target): kernel_t executing an arg 2 file automatically enters
# domain arg 1. The rules that follow cover the usual parent/child
# plumbing for a process spawned by the kernel: fd inheritance in
# both directions, rw on kernel_t pipes, and sigchld back to kernel_t.
domain_auto_trans(kernel_t, $2, $1)
allow kernel_t $1:fd use;
allow $1 kernel_t:fd use;
allow $1 kernel_t:fifo_file rw_file_perms;
allow $1 kernel_t:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_domtrans_to'($*)) dnl
')
########################################
##
## Allows the kernel to start userland processes
## by transitioning to the specified domain,
## with a range transition.
##
##
##
## The process type entered by kernel.
##
##
##
##
## The executable type for the entrypoint.
##
##
##
##
## Range for the domain.
##
##
#
define(`kernel_ranged_domtrans_to',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_ranged_domtrans_to'($*)) dnl
gen_require(`
type kernel_t;
')
# kernel_t is required here as well because the range_transition
# below names it directly, independent of the delegated interface.
kernel_domtrans_to($1,$2)
# The same range_transition is emitted under either MCS or MLS.
# NOTE(review): if both enable_mcs and enable_mls were ever defined
# in one build the rule would appear twice; presumably the build
# treats them as mutually exclusive. Arg 3 is the target range.
ifdef(`enable_mcs',`
range_transition kernel_t $2:process $3;
')
ifdef(`enable_mls',`
range_transition kernel_t $2:process $3;
')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_ranged_domtrans_to'($*)) dnl
')
########################################
##
## Allows the kernel to mount filesystems on
## the specified directory type.
##
##
##
## The type of the directory to use as a mountpoint.
##
##
#
define(`kernel_rootfs_mountpoint',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_rootfs_mountpoint'($*)) dnl
gen_require(`
type kernel_t;
')
# Subject is kernel_t, object is the directory type in arg 1:
# this lets the kernel itself use arg 1 as a mountpoint, it does
# not give arg 1 any access.
allow kernel_t $1:dir mounton;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_rootfs_mountpoint'($*)) dnl
')
########################################
##
## Set the process group of kernel threads.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_setpgid',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_setpgid'($*)) dnl
gen_require(`
type kernel_t;
')
# Arg 1 may change the process group of kernel_t processes.
allow $1 kernel_t:process setpgid;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_setpgid'($*)) dnl
')
########################################
##
## Send a SIGCHLD signal to kernel threads.
##
##
##
## The type of the process sending the signal.
##
##
#
define(`kernel_sigchld',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_sigchld'($*)) dnl
gen_require(`
type kernel_t;
')
# Arg 1 is the sender, kernel_t the receiver, matching the summary.
allow $1 kernel_t:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_sigchld'($*)) dnl
')
########################################
##
## Send a generic signal to kernel threads.
##
##
##
## The type of the process sending the signal.
##
##
#
define(`kernel_signal',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_signal'($*)) dnl
gen_require(`
type kernel_t;
')
# NOTE(review): the subject here is kernel_t and the object is
# arg 1, i.e. the kernel may signal the caller. That is the reverse
# of the interface summary (caller sends a signal to kernel threads)
# and of the direction used by kernel_sigchld; confirm which is
# intended before relying on either reading.
allow kernel_t $1:process signal;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_signal'($*)) dnl
')
########################################
##
## Allows the kernel to share state information with
## the caller.
##
##
##
## The type of the process with which to share state information.
##
##
#
define(`kernel_share_state',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_share_state'($*)) dnl
gen_require(`
type kernel_t;
')
# kernel_t is the subject: it is allowed to share process state
# with arg 1 (the direction the summary describes).
allow kernel_t $1:process share;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_share_state'($*)) dnl
')
########################################
##
## Permits caller to use kernel file descriptors.
##
##
##
## The type of the process using the descriptors.
##
##
#
define(`kernel_use_fds',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_use_fds'($*)) dnl
gen_require(`
type kernel_t;
')
# fd use only covers the descriptor object; what can be done with
# the underlying file is governed by separate rules on its type.
allow $1 kernel_t:fd use;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_use_fds'($*)) dnl
')
########################################
##
## Do not audit attempts to use
## kernel file descriptors.
##
##
##
## The type of process not to audit.
##
##
#
define(`kernel_dontaudit_use_fds',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_use_fds'($*)) dnl
gen_require(`
type kernel_t;
')
# Suppresses the audit record for inherited kernel_t descriptors
# that arg 1 is not supposed to use; access remains denied.
dontaudit $1 kernel_t:fd use;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_use_fds'($*)) dnl
')
########################################
##
## Read and write kernel unnamed pipes.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_rw_pipes',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_rw_pipes'($*)) dnl
gen_require(`
type kernel_t;
')
# Bare read and write on kernel_t fifo_file objects, a narrower
# set than the rw_file_perms used by kernel_domtrans_to.
allow $1 kernel_t:fifo_file { read write };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_rw_pipes'($*)) dnl
')
########################################
##
## Read and write kernel unix datagram sockets.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_rw_unix_dgram_sockets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_rw_unix_dgram_sockets'($*)) dnl
gen_require(`
type kernel_t;
')
# read/write/ioctl on kernel_t datagram sockets; sendto is a
# separate permission, granted by kernel_dgram_send.
allow $1 kernel_t:unix_dgram_socket { read write ioctl };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_rw_unix_dgram_sockets'($*)) dnl
')
########################################
##
## Send messages to kernel unix datagram sockets.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_dgram_send',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_dgram_send'($*)) dnl
gen_require(`
type kernel_t;
')
# sendto only; pair with kernel_rw_unix_dgram_sockets when the
# caller also needs read/write on the socket.
allow $1 kernel_t:unix_dgram_socket sendto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_dgram_send'($*)) dnl
')
########################################
##
## Receive messages from kernel TCP sockets. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_tcp_recvfrom',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_tcp_recvfrom'($*)) dnl
# Deprecated: emits a build-time warning and no policy rules, so
# calling it grants nothing. Callers should drop the call.
refpolicywarn(`$0($*) has been deprecated.')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_tcp_recvfrom'($*)) dnl
')
########################################
##
## Send UDP network traffic to the kernel. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_udp_send',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_udp_send'($*)) dnl
# Deprecated: warning only, no rules are produced.
refpolicywarn(`$0($*) has been deprecated.')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_udp_send'($*)) dnl
')
########################################
##
## Receive messages from kernel UDP sockets. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_udp_recvfrom',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_udp_recvfrom'($*)) dnl
# Deprecated: warning only, no rules are produced.
refpolicywarn(`$0($*) has been deprecated.')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_udp_recvfrom'($*)) dnl
')
########################################
##
## Allows caller to load kernel modules
##
##
##
## The process type to allow to load kernel modules.
##
##
#
define(`kernel_load_module',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_load_module'($*)) dnl
gen_require(`
attribute can_load_kernmodule;
')
# sys_module lets arg 1 load code into the kernel, which is
# effectively full control of the machine; keep the set of callers
# minimal and audited. The attribute marks the domain so other
# policy (e.g. module file access) can key off it.
allow $1 self:capability sys_module;
typeattribute $1 can_load_kernmodule;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_load_module'($*)) dnl
')
########################################
##
## Allow searching the kernel key ring.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_search_key',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_search_key'($*)) dnl
gen_require(`
type kernel_t;
')
# key-class search on keyrings owned by kernel_t; read of key
# payloads is not included.
allow $1 kernel_t:key search;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_search_key'($*)) dnl
')
########################################
##
## Allow linking to the kernel key ring.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_link_key',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_link_key'($*)) dnl
gen_require(`
type kernel_t;
')
# key-class link on kernel_t keyrings; search is separate
# (kernel_search_key).
allow $1 kernel_t:key link;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_link_key'($*)) dnl
')
########################################
##
## Allows caller to read the ring buffer.
##
##
##
## The process type allowed to read the ring buffer.
##
##
##
#
define(`kernel_read_ring_buffer',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_ring_buffer'($*)) dnl
gen_require(`
type kernel_t;
')
# system-class syslog_read: read-only access to the kernel log
# ring buffer. The log can contain addresses and hardware details,
# so this is deliberately separate from syslog_mod/syslog_console.
allow $1 kernel_t:system syslog_read;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_ring_buffer'($*)) dnl
')
########################################
##
## Do not audit attempts to read the ring buffer.
##
##
##
## The domain to not audit.
##
##
#
define(`kernel_dontaudit_read_ring_buffer',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_read_ring_buffer'($*)) dnl
gen_require(`
type kernel_t;
')
# Silences syslog_read denials for arg 1; access remains denied.
dontaudit $1 kernel_t:system syslog_read;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_read_ring_buffer'($*)) dnl
')
########################################
##
## Change the level of kernel messages logged to the console.
##
##
##
## Domain allowed access.
##
##
##
#
define(`kernel_change_ring_buffer_level',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_change_ring_buffer_level'($*)) dnl
gen_require(`
type kernel_t;
')
# syslog_console: control of the console log level only; it
# grants neither reading (syslog_read) nor clearing (syslog_mod).
allow $1 kernel_t:system syslog_console;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_change_ring_buffer_level'($*)) dnl
')
########################################
##
## Allows the caller to clear the ring buffer.
##
##
##
## The process type clearing the buffer.
##
##
##
#
define(`kernel_clear_ring_buffer',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_clear_ring_buffer'($*)) dnl
gen_require(`
type kernel_t;
')
# syslog_mod lets arg 1 clear the kernel log buffer, which destroys
# forensic evidence of earlier kernel messages; restrict to
# logging/administration domains.
allow $1 kernel_t:system syslog_mod;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_clear_ring_buffer'($*)) dnl
')
########################################
##
## Get information on all System V IPC objects.
##
##
##
##
##
##
#
define(`kernel_get_sysvipc_info',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_get_sysvipc_info'($*)) dnl
gen_require(`
type kernel_t;
')
# system-class ipc_info: arg 1 may query System V IPC object
# information from the kernel (metadata, not the IPC payloads).
allow $1 kernel_t:system ipc_info;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_get_sysvipc_info'($*)) dnl
')
########################################
##
## Get the attributes of a kernel debugging filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_getattr_debugfs',` dnl
dnl Interface: kernel_getattr_debugfs(domain)
dnl   Grants $1 filesystem getattr on debugfs_t only (statfs-level queries).
dnl   No directory or file access inside the filesystem is granted here.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_getattr_debugfs'($*)) dnl
gen_require(`
type debugfs_t;
')
allow $1 debugfs_t:filesystem getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_getattr_debugfs'($*)) dnl
')
########################################
##
## Mount a kernel debugging filesystem.
##
##
##
## The type of the domain mounting the filesystem.
##
##
#
define(`kernel_mount_debugfs',` dnl
dnl Interface: kernel_mount_debugfs(domain)
dnl   Grants $1 filesystem mount on debugfs_t. Mounting only: reading or
dnl   searching the mounted tree needs the separate debugfs read/search
dnl   interfaces, so the two grants can be given to different domains.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_mount_debugfs'($*)) dnl
gen_require(`
type debugfs_t;
')
allow $1 debugfs_t:filesystem mount;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_mount_debugfs'($*)) dnl
')
########################################
##
## Unmount a kernel debugging filesystem.
##
##
##
## The type of the domain unmounting the filesystem.
##
##
#
define(`kernel_unmount_debugfs',` dnl
dnl Interface: kernel_unmount_debugfs(domain)
dnl   Grants $1 filesystem unmount on debugfs_t; nothing else.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_unmount_debugfs'($*)) dnl
gen_require(`
type debugfs_t;
')
allow $1 debugfs_t:filesystem unmount;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_unmount_debugfs'($*)) dnl
')
########################################
##
## Remount a kernel debugging filesystem.
##
##
##
## The type of the domain remounting the filesystem.
##
##
#
define(`kernel_remount_debugfs',` dnl
dnl Interface: kernel_remount_debugfs(domain)
dnl   Grants $1 filesystem remount on debugfs_t (changing mount options of
dnl   an already mounted debugfs), without mount or unmount.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_remount_debugfs'($*)) dnl
gen_require(`
type debugfs_t;
')
allow $1 debugfs_t:filesystem remount;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_remount_debugfs'($*)) dnl
')
########################################
##
## Search the contents of a kernel debugging filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_search_debugfs',` dnl
dnl Interface: kernel_search_debugfs(domain)
dnl   Grants $1 dir search on debugfs_t: path traversal through the debugging
dnl   filesystem, without listing it or reading any file in it.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_search_debugfs'($*)) dnl
gen_require(`
type debugfs_t;
')
allow $1 debugfs_t:dir search;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_search_debugfs'($*)) dnl
')
########################################
##
## Read information from the debugging filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_read_debugfs',` dnl
dnl Interface: kernel_read_debugfs(domain)
dnl   Grants $1 read access over everything labeled debugfs_t: directory
dnl   listing, file reads and symlink reads. Because a single type covers the
dnl   whole kernel debugging filesystem, this is a broad grant that exposes
dnl   kernel internals; reserve it for debugging and tracing tooling.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_debugfs'($*)) dnl
gen_require(`
type debugfs_t;
')
allow $1 debugfs_t:dir r_dir_perms;
allow $1 debugfs_t:file r_file_perms;
allow $1 debugfs_t:lnk_file { getattr read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_debugfs'($*)) dnl
')
########################################
##
## Unmount the proc filesystem.
##
##
##
## The type of the domain unmounting the filesystem.
##
##
#
define(`kernel_unmount_proc',` dnl
dnl Interface: kernel_unmount_proc(domain)
dnl   Grants $1 filesystem unmount on proc_t; nothing else.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_unmount_proc'($*)) dnl
gen_require(`
type proc_t;
')
allow $1 proc_t:filesystem unmount;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_unmount_proc'($*)) dnl
')
########################################
##
## Get the attributes of the proc filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_getattr_proc',` dnl
dnl Interface: kernel_getattr_proc(domain)
dnl   Grants $1 filesystem getattr on proc_t (statfs-level queries only).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_getattr_proc'($*)) dnl
gen_require(`
type proc_t;
')
allow $1 proc_t:filesystem getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_getattr_proc'($*)) dnl
')
########################################
##
## Search directories in /proc.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_search_proc',` dnl
dnl Interface: kernel_search_proc(domain)
dnl   Grants $1 dir search on proc_t: traversal of generic /proc directories
dnl   only, no listing and no file access.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_search_proc'($*)) dnl
gen_require(`
type proc_t;
')
allow $1 proc_t:dir search;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_search_proc'($*)) dnl
')
########################################
##
## List the contents of directories in /proc.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_list_proc',` dnl
dnl Interface: kernel_list_proc(domain)
dnl   Grants $1 r_dir_perms on proc_t directories (listing and traversal).
dnl   File contents under /proc are not covered; see the read interfaces.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_list_proc'($*)) dnl
gen_require(`
type proc_t;
')
allow $1 proc_t:dir r_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_list_proc'($*)) dnl
')
########################################
##
## Do not audit attempts to list the
## contents of directories in /proc.
##
##
##
## Domain to not audit.
##
##
#
define(`kernel_dontaudit_list_proc',` dnl
dnl Interface: kernel_dontaudit_list_proc(domain)
dnl   Silences AVC denials for $1 listing proc_t directories (list_dir_perms).
dnl   dontaudit grants nothing; it only suppresses audit noise from probing.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_list_proc'($*)) dnl
gen_require(`
type proc_t;
')
dontaudit $1 proc_t:dir list_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_list_proc'($*)) dnl
')
########################################
##
## Get the attributes of files in /proc.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_getattr_proc_files',` dnl
dnl Interface: kernel_getattr_proc_files(domain)
dnl   Grants $1 dir search on proc_t (to reach the files) plus file getattr
dnl   on proc_t; file contents stay unreadable.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_getattr_proc_files'($*)) dnl
gen_require(`
type proc_t;
')
allow $1 proc_t:dir search;
allow $1 proc_t:file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_getattr_proc_files'($*)) dnl
')
########################################
##
## Read symbolic links in /proc.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_read_proc_symlinks',` dnl
dnl Interface: kernel_read_proc_symlinks(domain)
dnl   Grants $1 dir search on proc_t plus getattr and read on proc_t symlinks,
dnl   i.e. following links such as those under generic /proc directories.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_proc_symlinks'($*)) dnl
gen_require(`
type proc_t;
')
allow $1 proc_t:dir search;
allow $1 proc_t:lnk_file { getattr read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_proc_symlinks'($*)) dnl
')
########################################
##
## Allows caller to read system state information in proc.
##
##
##
## The process type reading the system state information.
##
##
##
#
define(`kernel_read_system_state',` dnl
dnl Interface: kernel_read_system_state(domain)
dnl   Grants $1 full read access to generic proc_t entries: directory listing,
dnl   symlink reads and file reads. Entries that carry their own type (for
dnl   example proc_kcore_t, proc_kmsg_t, proc_net_t and the sysctl types used
dnl   by later interfaces in this file) are deliberately not covered.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_system_state'($*)) dnl
gen_require(`
type proc_t;
')
allow $1 proc_t:dir r_dir_perms;
allow $1 proc_t:lnk_file { getattr read };
allow $1 proc_t:file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_system_state'($*)) dnl
')
########################################
##
## Write to generic proc entries.
##
##
##
## Domain allowed access.
##
##
##
#
# cjp: this should probably go away. any
# file that is writable in proc should really
# have its own label.
#
define(`kernel_write_proc_files',` dnl
dnl Interface: kernel_write_proc_files(domain)
dnl   Grants $1 dir search on proc_t plus append and write on every file still
dnl   labeled proc_t. As the note above says, this is a catch-all: a writable
dnl   proc entry should get a dedicated type and interface instead, so treat
dnl   any new caller of this interface as a review flag.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_write_proc_files'($*)) dnl
gen_require(`
type proc_t;
')
allow $1 proc_t:dir search;
allow $1 proc_t:file { append write };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_write_proc_files'($*)) dnl
')
########################################
##
## Do not audit attempts by caller to
## read system state information in proc.
##
##
##
## The process type not to audit.
##
##
#
define(`kernel_dontaudit_read_system_state',` dnl
dnl Interface: kernel_dontaudit_read_system_state(domain)
dnl   Silences AVC denials for $1 doing getattr or read on proc_t files.
dnl   Only file-class denials are suppressed; directory denials still audit.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_read_system_state'($*)) dnl
gen_require(`
type proc_t;
')
dontaudit $1 proc_t:file { getattr read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_read_system_state'($*)) dnl
')
########################################
##
## Do not audit attempts by caller to
## read symbolic links in proc.
##
##
##
## The process type not to audit.
##
##
#
define(`kernel_dontaudit_read_proc_symlinks',` dnl
dnl Interface: kernel_dontaudit_read_proc_symlinks(domain)
dnl   Silences AVC denials for $1 reading proc_t symlinks. Only lnk_file read
dnl   is covered; getattr denials on the same links will still be audited,
dnl   unlike the allow counterpart kernel_read_proc_symlinks which grants both.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_read_proc_symlinks'($*)) dnl
gen_require(`
type proc_t;
')
dontaudit $1 proc_t:lnk_file read;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_read_proc_symlinks'($*)) dnl
')
#######################################
##
## Allow caller to read the state information for software raid.
##
##
##
## The process type reading software raid state.
##
##
##
#
define(`kernel_read_software_raid_state',` dnl
dnl Interface: kernel_read_software_raid_state(domain)
dnl   Grants $1 r_dir_perms on proc_t (to reach the entry) and r_file_perms on
dnl   proc_mdstat_t, the type for the software RAID status file.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_software_raid_state'($*)) dnl
gen_require(`
type proc_t, proc_mdstat_t;
')
allow $1 proc_t:dir r_dir_perms;
allow $1 proc_mdstat_t:file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_software_raid_state'($*)) dnl
')
#######################################
##
## Allow caller to read and set the state information for software raid.
##
##
##
## The process type reading and setting software raid state.
##
##
#
define(`kernel_rw_software_raid_state',` dnl
dnl Interface: kernel_rw_software_raid_state(domain)
dnl   Read/write variant of kernel_read_software_raid_state: r_dir_perms on
dnl   proc_t plus rw_file_perms on proc_mdstat_t, so $1 can also set RAID state.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_rw_software_raid_state'($*)) dnl
gen_require(`
type proc_t, proc_mdstat_t;
')
allow $1 proc_t:dir r_dir_perms;
allow $1 proc_mdstat_t:file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_rw_software_raid_state'($*)) dnl
')
########################################
##
## Allows caller to get attributes of core kernel interface.
##
##
##
## The process type getting the attributes.
##
##
#
define(`kernel_getattr_core_if',` dnl
dnl Interface: kernel_getattr_core_if(domain)
dnl   Grants $1 r_dir_perms on proc_t and getattr only on proc_kcore_t.
dnl   Reading the core interface itself is intentionally not granted here;
dnl   getattr is what stat-style tools need to see the entry exists.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_getattr_core_if'($*)) dnl
gen_require(`
type proc_t, proc_kcore_t;
')
allow $1 proc_t:dir r_dir_perms;
allow $1 proc_kcore_t:file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_getattr_core_if'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes of
## core kernel interfaces.
##
##
##
## The process type to not audit.
##
##
#
define(`kernel_dontaudit_getattr_core_if',` dnl
dnl Interface: kernel_dontaudit_getattr_core_if(domain)
dnl   Silences AVC denials for $1 doing getattr on proc_kcore_t. Typical use
dnl   is for tools that stat every /proc entry and would otherwise spam audit.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_getattr_core_if'($*)) dnl
gen_require(`
type proc_kcore_t;
')
dontaudit $1 proc_kcore_t:file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_getattr_core_if'($*)) dnl
')
########################################
##
## Allow caller to read kernel messages
## using the /proc/kmsg interface.
##
##
##
## The process type reading the messages.
##
##
#
define(`kernel_read_messages',` dnl
dnl Interface: kernel_read_messages(domain)
dnl   Grants $1 dir search on proc_t and r_file_perms on proc_kmsg_t (the
dnl   /proc/kmsg interface). It also has a side effect beyond allow rules:
dnl   the typeattribute line adds $1 to can_receive_kernel_messages, so any
dnl   rule written against that attribute elsewhere now applies to $1 too.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_messages'($*)) dnl
gen_require(`
attribute can_receive_kernel_messages;
type proc_kmsg_t, proc_t;
')
allow $1 proc_t:dir search;
allow $1 proc_kmsg_t:file r_file_perms;
typeattribute $1 can_receive_kernel_messages;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_messages'($*)) dnl
')
########################################
##
## Allow caller to get the attributes of kernel message
## interface (/proc/kmsg).
##
##
##
## The process type getting the attributes.
##
##
#
define(`kernel_getattr_message_if',` dnl
dnl Interface: kernel_getattr_message_if(domain)
dnl   Grants $1 dir search on proc_t and file getattr on proc_kmsg_t; the
dnl   message stream itself stays unreadable (see kernel_read_messages).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_getattr_message_if'($*)) dnl
gen_require(`
type proc_kmsg_t, proc_t;
')
allow $1 proc_t:dir search;
allow $1 proc_kmsg_t:file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_getattr_message_if'($*)) dnl
')
########################################
##
## Do not audit attempts by caller to get the attributes of kernel
## message interfaces.
##
##
##
## The process type not to audit.
##
##
#
define(`kernel_dontaudit_getattr_message_if',` dnl
dnl Interface: kernel_dontaudit_getattr_message_if(domain)
dnl   Silences AVC denials for $1 doing getattr on proc_kmsg_t.
dnl   NOTE(review): proc_t is listed in the require block but no rule below
dnl   uses it; the require is harmless but could be trimmed to proc_kmsg_t.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_getattr_message_if'($*)) dnl
gen_require(`
type proc_kmsg_t, proc_t;
')
dontaudit $1 proc_kmsg_t:file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_getattr_message_if'($*)) dnl
')
########################################
##
## Do not audit attempts to search the network
## state directory.
##
##
##
## The process type reading the state.
##
##
##
#
define(`kernel_dontaudit_search_network_state',` dnl
dnl Interface: kernel_dontaudit_search_network_state(domain)
dnl   Silences AVC denials for $1 searching proc_net_t directories.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_search_network_state'($*)) dnl
gen_require(`
type proc_net_t;
')
dontaudit $1 proc_net_t:dir search;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_search_network_state'($*)) dnl
')
########################################
##
## Allow searching of network state directory.
##
##
##
## The process type reading the state.
##
##
##
#
define(`kernel_search_network_state',` dnl
dnl Interface: kernel_search_network_state(domain)
dnl   Grants $1 dir search on proc_net_t only. Traversal into the network
dnl   state directory normally also needs search on its proc_t parent, which
dnl   this interface does not grant; callers usually get that elsewhere.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_search_network_state'($*)) dnl
gen_require(`
type proc_net_t;
')
allow $1 proc_net_t:dir search;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_search_network_state'($*)) dnl
')
########################################
##
## Allow caller to read the network state information.
##
##
##
## The process type reading the state.
##
##
##
#
define(`kernel_read_network_state',` dnl
dnl Interface: kernel_read_network_state(domain)
dnl   Grants $1 dir search on proc_t to reach the network state directory,
dnl   then full read access (dirs, files, symlinks) on proc_net_t.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_network_state'($*)) dnl
gen_require(`
type proc_t, proc_net_t;
')
allow $1 proc_t:dir search;
allow $1 proc_net_t:dir r_dir_perms;
allow $1 proc_net_t:file r_file_perms;
allow $1 proc_net_t:lnk_file { getattr read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_network_state'($*)) dnl
')
########################################
##
## Allow caller to read the network state symbolic links.
##
##
##
## The process type reading the state.
##
##
#
define(`kernel_read_network_state_symlinks',` dnl
dnl Interface: kernel_read_network_state_symlinks(domain)
dnl   Grants $1 dir search on proc_t, r_dir_perms on proc_net_t and read
dnl   access to proc_net_t symlinks. NOTE(review): the lnk_file rule uses the
dnl   r_file_perms set, whereas every other lnk_file rule in this file uses
dnl   { getattr read }; consider aligning unless the wider set is needed.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_network_state_symlinks'($*)) dnl
gen_require(`
type proc_t, proc_net_t;
')
allow $1 proc_t:dir search;
allow $1 proc_net_t:dir r_dir_perms;
allow $1 proc_net_t:lnk_file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_network_state_symlinks'($*)) dnl
')
########################################
##
## Allow searching of xen state directory.
##
##
##
## The process type reading the state.
##
##
##
#
define(`kernel_search_xen_state',` dnl
dnl Interface: kernel_search_xen_state(domain)
dnl   Grants $1 search_dir_perms on proc_t and proc_xen_t: traversal into the
dnl   xen state directory without listing it or reading its files.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_search_xen_state'($*)) dnl
gen_require(`
type proc_t, proc_xen_t;
')
allow $1 proc_t:dir search_dir_perms;
allow $1 proc_xen_t:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_search_xen_state'($*)) dnl
')
########################################
##
## Do not audit attempts to search the xen
## state directory.
##
##
##
## The process type reading the state.
##
##
##
#
define(`kernel_dontaudit_search_xen_state',` dnl
dnl Interface: kernel_dontaudit_search_xen_state(domain)
dnl   Silences AVC denials for $1 searching proc_xen_t directories.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_search_xen_state'($*)) dnl
gen_require(`
type proc_xen_t;
')
dontaudit $1 proc_xen_t:dir search;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_search_xen_state'($*)) dnl
')
########################################
##
## Allow caller to read the xen state information.
##
##
##
## The process type reading the state.
##
##
##
#
define(`kernel_read_xen_state',` dnl
dnl Interface: kernel_read_xen_state(domain)
dnl   Grants $1 search_dir_perms on proc_t to reach the xen directory, then
dnl   full read access (dirs, files, symlinks) on proc_xen_t.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_xen_state'($*)) dnl
gen_require(`
type proc_t, proc_xen_t;
')
allow $1 proc_t:dir search_dir_perms;
allow $1 proc_xen_t:dir r_dir_perms;
allow $1 proc_xen_t:file r_file_perms;
allow $1 proc_xen_t:lnk_file { getattr read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_xen_state'($*)) dnl
')
########################################
##
## Allow caller to read the xen state symbolic links.
##
##
##
## The process type reading the state.
##
##
##
#
define(`kernel_read_xen_state_symlinks',` dnl
dnl Interface: kernel_read_xen_state_symlinks(domain)
dnl   Grants $1 dir search on proc_t, r_dir_perms on proc_xen_t and read
dnl   access to proc_xen_t symlinks. NOTE(review): the lnk_file rule uses the
dnl   r_file_perms set rather than the { getattr read } pair used by the other
dnl   symlink rules in this file; consider aligning.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_xen_state_symlinks'($*)) dnl
gen_require(`
type proc_t, proc_xen_t;
')
allow $1 proc_t:dir search;
allow $1 proc_xen_t:dir r_dir_perms;
allow $1 proc_xen_t:lnk_file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_xen_state_symlinks'($*)) dnl
')
########################################
##
## Allow caller to write xen state information.
##
##
##
## The process type writing the state.
##
##
##
#
define(`kernel_write_xen_state',` dnl
dnl Interface: kernel_write_xen_state(domain)
dnl   Grants $1 dir search on proc_t, r_dir_perms on proc_xen_t and file write
dnl   on proc_xen_t. Write only: no read and no append on the files, so a
dnl   caller that must read back state also needs kernel_read_xen_state.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_write_xen_state'($*)) dnl
gen_require(`
type proc_t, proc_xen_t;
')
allow $1 proc_t:dir search;
allow $1 proc_xen_t:dir r_dir_perms;
allow $1 proc_xen_t:file write;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_write_xen_state'($*)) dnl
')
########################################
##
## Do not audit attempts to list all proc directories.
##
##
##
## Domain to not audit.
##
##
#
define(`kernel_dontaudit_list_all_proc',` dnl
dnl Interface: kernel_dontaudit_list_all_proc(domain)
dnl   Silences AVC denials for $1 listing directories and doing getattr on
dnl   files of every type carrying the proc_type attribute (presumably all
dnl   proc-labeled types, not just proc_t). Because the attribute is wide,
dnl   this can hide probing of sensitive proc entries; use it only for
dnl   domains that legitimately walk all of /proc.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_list_all_proc'($*)) dnl
gen_require(`
attribute proc_type;
')
dontaudit $1 proc_type:dir list_dir_perms;
dontaudit $1 proc_type:file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_list_all_proc'($*)) dnl
')
########################################
##
## Do not audit attempts by caller to search
## the base directory of sysctls.
##
##
##
## The process type not to audit.
##
##
##
#
define(`kernel_dontaudit_search_sysctl',` dnl
dnl Interface: kernel_dontaudit_search_sysctl(domain)
dnl   Silences AVC denials for $1 searching the sysctl_t base directory.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_search_sysctl'($*)) dnl
gen_require(`
type sysctl_t;
')
dontaudit $1 sysctl_t:dir search;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_search_sysctl'($*)) dnl
')
########################################
##
## Allow access to read sysctl directories.
##
##
##
## The process type to allow to read sysctl directories.
##
##
##
#
define(`kernel_read_sysctl',` dnl
dnl Interface: kernel_read_sysctl(domain)
dnl   Grants $1 r_dir_perms on sysctl_t directories and, via the
dnl   read_files_pattern helper (a regular-file pattern declared earlier in
dnl   this file: domain, container dir type, file type), read access to
dnl   sysctl_t files reached through sysctl_t directories. Sysctl subtrees
dnl   with their own types (device, vm, net, unix) are covered by the
dnl   dedicated interfaces below, not by this one.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_sysctl'($*)) dnl
gen_require(`
type sysctl_t;
')
allow $1 sysctl_t:dir r_dir_perms;
read_files_pattern($1, sysctl_t, sysctl_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_sysctl'($*)) dnl
')
########################################
##
## Allow caller to read the device sysctls.
##
##
##
## The process type to allow to read the device sysctls.
##
##
##
#
define(`kernel_read_device_sysctls',` dnl
dnl Interface: kernel_read_device_sysctls(domain)
dnl   Grants $1 the full traversal chain for the device sysctl tree: search on
dnl   proc_t, r_dir_perms on sysctl_t and sysctl_dev_t, and r_file_perms on
dnl   sysctl_dev_t files.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_device_sysctls'($*)) dnl
gen_require(`
type proc_t, sysctl_t, sysctl_dev_t;
')
allow $1 proc_t:dir search;
allow $1 sysctl_t:dir r_dir_perms;
allow $1 sysctl_dev_t:dir r_dir_perms;
allow $1 sysctl_dev_t:file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_device_sysctls'($*)) dnl
')
########################################
##
## Read and write device sysctls.
##
##
##
## Domain allowed access.
##
##
##
#
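define(`kernel_rw_device_sysctls',` dnl
dnl Interface: kernel_rw_device_sysctls(domain)
dnl   Grants $1 read and write access to files in the device sysctl tree
dnl   (sysctl_dev_t) plus the traversal chain to reach them: search on
dnl   proc_t, r_dir_perms on sysctl_t and r_dir_perms on sysctl_dev_t.
dnl   The sysctl_dev_t directory rule mirrors kernel_read_device_sysctls;
dnl   the original omitted it, so a caller of this interface alone could not
dnl   traverse into the sysctl_dev_t directory to open the files it was
dnl   allowed to write unless some other rule granted that search.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_rw_device_sysctls'($*)) dnl
gen_require(`
type proc_t, sysctl_t, sysctl_dev_t;
')
allow $1 proc_t:dir search;
allow $1 sysctl_t:dir r_dir_perms;
allow $1 sysctl_dev_t:dir r_dir_perms;
allow $1 sysctl_dev_t:file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_rw_device_sysctls'($*)) dnl
')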
########################################
##
## Allow caller to search virtual memory sysctls.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_search_vm_sysctl',` dnl
dnl Interface: kernel_search_vm_sysctl(domain)
dnl   Grants $1 search_dir_perms on proc_t, sysctl_t and sysctl_vm_t in one
dnl   rule: traversal down to the virtual memory sysctl directory, no reads.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_search_vm_sysctl'($*)) dnl
gen_require(`
type proc_t, sysctl_t, sysctl_vm_t;
')
allow $1 { proc_t sysctl_t sysctl_vm_t }:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_search_vm_sysctl'($*)) dnl
')
########################################
##
## Allow caller to read virtual memory sysctls.
##
##
##
## Domain allowed access.
##
##
##
#
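define(`kernel_read_vm_sysctls',` dnl
dnl Interface: kernel_read_vm_sysctls(domain)
dnl   Grants $1 read access to virtual memory sysctl files (sysctl_vm_t) plus
dnl   the traversal chain: search on proc_t, r_dir_perms on sysctl_t and
dnl   list_dir_perms on the sysctl_vm_t directory. The directory rule matches
dnl   the one in kernel_rw_vm_sysctls; the original left it out, so a caller
dnl   of this interface alone could not traverse into the sysctl_vm_t
dnl   directory (sysctl_vm_t labels a directory, as kernel_search_vm_sysctl
dnl   shows) to reach the files it was allowed to read.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_vm_sysctls'($*)) dnl
gen_require(`
type proc_t, sysctl_t, sysctl_vm_t;
')
allow $1 proc_t:dir search;
allow $1 sysctl_t:dir r_dir_perms;
allow $1 sysctl_vm_t:dir list_dir_perms;
allow $1 sysctl_vm_t:file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_vm_sysctls'($*)) dnl
')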
########################################
##
## Read and write virtual memory sysctls.
##
##
##
## Domain allowed access.
##
##
##
#
define(`kernel_rw_vm_sysctls',` dnl
dnl Interface: kernel_rw_vm_sysctls(domain)
dnl   Grants $1 read/write access to virtual memory sysctl files (sysctl_vm_t)
dnl   with the traversal chain: search on proc_t, r_dir_perms on sysctl_t and
dnl   list_dir_perms on sysctl_vm_t directories. The extra dir write on
dnl   sysctl_vm_t is unusual for a sysctl directory and is carried only for
dnl   hal (per the inline note); presumably hal creates or renames an entry
dnl   there. Worth re-checking whether it is still required.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_rw_vm_sysctls'($*)) dnl
gen_require(`
type proc_t, sysctl_t, sysctl_vm_t;
')
allow $1 proc_t:dir search;
allow $1 sysctl_t:dir r_dir_perms;
allow $1 sysctl_vm_t:dir list_dir_perms;
allow $1 sysctl_vm_t:file rw_file_perms;
# hal needs this
allow $1 sysctl_vm_t:dir write;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_rw_vm_sysctls'($*)) dnl
')
########################################
##
## Search network sysctl directories.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_search_network_sysctl',` dnl
dnl Interface: kernel_search_network_sysctl(domain)
dnl   Grants $1 dir search on proc_t, sysctl_t and sysctl_net_t in one rule:
dnl   traversal down to the network sysctl directory without listing or reads.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_search_network_sysctl'($*)) dnl
gen_require(`
type proc_t, sysctl_t, sysctl_net_t;
')
allow $1 { proc_t sysctl_t sysctl_net_t }:dir search;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_search_network_sysctl'($*)) dnl
')
########################################
##
## Do not audit attempts by caller to search network sysctl directories.
##
##
##
## The process type not to audit.
##
##
#
define(`kernel_dontaudit_search_network_sysctl',` dnl
dnl Interface: kernel_dontaudit_search_network_sysctl(domain)
dnl   Silences AVC denials for $1 searching sysctl_net_t directories.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_search_network_sysctl'($*)) dnl
gen_require(`
type sysctl_net_t;
')
dontaudit $1 sysctl_net_t:dir search;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_search_network_sysctl'($*)) dnl
')
########################################
##
## Allow caller to read network sysctls.
##
##
##
## Domain allowed access.
##
##
##
#
define(`kernel_read_net_sysctls',` dnl
dnl Interface: kernel_read_net_sysctls(domain)
dnl   Grants $1 read access to network sysctl files (sysctl_net_t) with the
dnl   traversal chain: search on proc_t, r_dir_perms on sysctl_t and on
dnl   sysctl_net_t directories, r_file_perms on sysctl_net_t files.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_net_sysctls'($*)) dnl
gen_require(`
type proc_t, sysctl_t, sysctl_net_t;
')
allow $1 proc_t:dir search;
allow $1 sysctl_t:dir r_dir_perms;
allow $1 sysctl_net_t:dir r_dir_perms;
allow $1 sysctl_net_t:file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_net_sysctls'($*)) dnl
')
########################################
##
## Allow caller to modify contents of sysctl network files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`kernel_rw_net_sysctls',` dnl
dnl Interface: kernel_rw_net_sysctls(domain)
dnl   Read/write variant of kernel_read_net_sysctls: same traversal chain,
dnl   rw_file_perms on sysctl_net_t files. Writing network sysctls changes
dnl   kernel networking behaviour system-wide (forwarding, filtering knobs),
dnl   so this is an administrative grant; keep callers to network managers.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_rw_net_sysctls'($*)) dnl
gen_require(`
type proc_t, sysctl_t, sysctl_net_t;
')
allow $1 proc_t:dir search;
allow $1 sysctl_t:dir r_dir_perms;
allow $1 sysctl_net_t:dir r_dir_perms;
allow $1 sysctl_net_t:file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_rw_net_sysctls'($*)) dnl
')
########################################
##
## Allow caller to read unix domain
## socket sysctls.
##
##
##
## Domain allowed access.
##
##
##
#
define(`kernel_read_unix_sysctls',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_unix_sysctls'($*)) dnl
gen_require(`
type proc_t, sysctl_t, sysctl_net_t, sysctl_net_unix_t;
')
# Reach the network sysctl subtree: search the proc_t directory, read the sysctl_t directory.
allow $1 proc_t:dir search;
allow $1 sysctl_t:dir r_dir_perms;
# The unix sysctls are reached through the sysctl_net_t directory; only the
# file rule uses sysctl_net_unix_t (there is no dir rule for that type).
allow $1 sysctl_net_t:dir r_dir_perms;
allow $1 sysctl_net_unix_t:file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_unix_sysctls'($*)) dnl
')
########################################
##
## Read and write unix domain
## socket sysctls.
##
##
##
## Domain allowed access.
##
##
##
#
define(`kernel_rw_unix_sysctls',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_rw_unix_sysctls'($*)) dnl
gen_require(`
type proc_t, sysctl_t, sysctl_net_t, sysctl_net_unix_t;
')
# Reach the network sysctl subtree: search the proc_t directory, read the sysctl_t directory.
allow $1 proc_t:dir search;
allow $1 sysctl_t:dir r_dir_perms;
# Write access is limited to the sysctl_net_unix_t files; the containing
# sysctl_net_t directory stays read-only.
allow $1 sysctl_net_t:dir r_dir_perms;
allow $1 sysctl_net_unix_t:file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_rw_unix_sysctls'($*)) dnl
')
########################################
##
## Read the hotplug sysctl.
##
##
##
## Domain allowed access.
##
##
##
#
define(`kernel_read_hotplug_sysctls',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_hotplug_sysctls'($*)) dnl
gen_require(`
type proc_t, sysctl_t, sysctl_kernel_t, sysctl_hotplug_t;
')
# Reach the kernel sysctl subtree: search the proc_t directory, read the sysctl_t directory.
allow $1 proc_t:dir search;
allow $1 sysctl_t:dir r_dir_perms;
# The hotplug sysctl is reached through the sysctl_kernel_t directory; only
# the file rule uses sysctl_hotplug_t, and it is read-only.
allow $1 sysctl_kernel_t:dir r_dir_perms;
allow $1 sysctl_hotplug_t:file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_hotplug_sysctls'($*)) dnl
')
########################################
##
## Read and write the hotplug sysctl.
##
##
##
## Domain allowed access.
##
##
##
#
define(`kernel_rw_hotplug_sysctls',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_rw_hotplug_sysctls'($*)) dnl
gen_require(`
type proc_t, sysctl_t, sysctl_kernel_t, sysctl_hotplug_t;
')
# Reach the kernel sysctl subtree: search the proc_t directory, read the sysctl_t directory.
allow $1 proc_t:dir search;
allow $1 sysctl_t:dir r_dir_perms;
# Directories stay read-only; write access is limited to the sysctl_hotplug_t file.
# NOTE(review): writing the hotplug sysctl is sensitive; keep the set of
# domains that call this interface small.
allow $1 sysctl_kernel_t:dir r_dir_perms;
allow $1 sysctl_hotplug_t:file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_rw_hotplug_sysctls'($*)) dnl
')
########################################
##
## Read the modprobe sysctl.
##
##
##
## Domain allowed access.
##
##
##
#
define(`kernel_read_modprobe_sysctls',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_modprobe_sysctls'($*)) dnl
gen_require(`
type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t;
')
# Reach the kernel sysctl subtree: search the proc_t directory, read the sysctl_t directory.
allow $1 proc_t:dir search;
allow $1 sysctl_t:dir r_dir_perms;
# The modprobe sysctl is reached through the sysctl_kernel_t directory; only
# the file rule uses sysctl_modprobe_t, and it is read-only.
allow $1 sysctl_kernel_t:dir r_dir_perms;
allow $1 sysctl_modprobe_t:file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_modprobe_sysctls'($*)) dnl
')
########################################
##
## Read and write the modprobe sysctl.
##
##
##
## Domain allowed access.
##
##
##
#
define(`kernel_rw_modprobe_sysctls',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_rw_modprobe_sysctls'($*)) dnl
gen_require(`
type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t;
')
# Reach the kernel sysctl subtree: search the proc_t directory, read the sysctl_t directory.
allow $1 proc_t:dir search;
allow $1 sysctl_t:dir r_dir_perms;
# Directories stay read-only; write access is limited to the sysctl_modprobe_t file.
# NOTE(review): writing the modprobe sysctl is sensitive; keep the set of
# domains that call this interface small.
allow $1 sysctl_kernel_t:dir r_dir_perms;
allow $1 sysctl_modprobe_t:file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_rw_modprobe_sysctls'($*)) dnl
')
########################################
##
## Do not audit attempts to search generic kernel sysctls.
##
##
##
## Domain to not audit.
##
##
#
define(`kernel_dontaudit_search_kernel_sysctl',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_search_kernel_sysctl'($*)) dnl
gen_require(`
type sysctl_kernel_t;
')
# Audit suppression only: no access is granted, failed searches of the
# generic kernel sysctl directory just stop being logged.
dontaudit $1 sysctl_kernel_t:dir search;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_search_kernel_sysctl'($*)) dnl
')
########################################
##
## Read generic kernel sysctls.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_read_kernel_sysctls',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_kernel_sysctls'($*)) dnl
gen_require(`
type proc_t, sysctl_t, sysctl_kernel_t;
')
# Reach the kernel sysctl subtree. Note that proc_t gets the wider
# search_dir_perms set here, where the other sysctl interfaces grant bare search.
allow $1 proc_t:dir search_dir_perms;
allow $1 sysctl_t:dir r_dir_perms;
# Read-only access to the whole generic kernel sysctl directory and its files.
allow $1 sysctl_kernel_t:dir r_dir_perms;
allow $1 sysctl_kernel_t:file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_kernel_sysctls'($*)) dnl
')
########################################
##
## Read generic crypto sysctls.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_read_crypto_sysctls',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_crypto_sysctls'($*)) dnl
gen_require(`
type proc_t, sysctl_t, sysctl_crypto_t;
')
# Reach the crypto sysctl subtree. As in the generic kernel read interface,
# proc_t gets the wider search_dir_perms set rather than bare search.
allow $1 proc_t:dir search_dir_perms;
allow $1 sysctl_t:dir r_dir_perms;
# Read-only access to the crypto sysctl directory and its files.
allow $1 sysctl_crypto_t:dir r_dir_perms;
allow $1 sysctl_crypto_t:file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_crypto_sysctls'($*)) dnl
')
#######################################
##
## Do not audit attempts to write generic kernel sysctls.
##
##
##
## Domain to not audit.
##
##
#
define(`kernel_dontaudit_write_kernel_sysctl',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_write_kernel_sysctl'($*)) dnl
gen_require(`
type sysctl_kernel_t;
')
# Audit suppression only for the write permission; nothing is granted, the
# attempt just stops being logged.
dontaudit $1 sysctl_kernel_t:file write;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_write_kernel_sysctl'($*)) dnl
')
########################################
##
## Read and write generic kernel sysctls.
##
##
##
## Domain allowed access.
##
##
##
#
define(`kernel_rw_kernel_sysctl',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_rw_kernel_sysctl'($*)) dnl
gen_require(`
type proc_t, sysctl_t, sysctl_kernel_t;
')
# Reach the kernel sysctl subtree: search the proc_t directory, read the sysctl_t directory.
allow $1 proc_t:dir search;
allow $1 sysctl_t:dir r_dir_perms;
# Write access covers every file carrying sysctl_kernel_t, not one sysctl.
# NOTE(review): broad; prefer the narrower hotplug or modprobe read/write
# interfaces where those are all the caller needs.
allow $1 sysctl_kernel_t:dir r_dir_perms;
allow $1 sysctl_kernel_t:file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_rw_kernel_sysctl'($*)) dnl
')
########################################
##
## Read filesystem sysctls.
##
##
##
## Domain allowed access.
##
##
##
#
define(`kernel_read_fs_sysctls',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_fs_sysctls'($*)) dnl
gen_require(`
type proc_t, sysctl_t, sysctl_fs_t;
')
# Reach the filesystem sysctl subtree: search the proc_t directory, read the sysctl_t directory.
allow $1 proc_t:dir search;
allow $1 sysctl_t:dir r_dir_perms;
# Read-only access to the filesystem sysctl directory and its files.
allow $1 sysctl_fs_t:dir r_dir_perms;
allow $1 sysctl_fs_t:file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_fs_sysctls'($*)) dnl
')
########################################
##
## Read and write filesystem sysctls.
##
##
##
## Domain allowed access.
##
##
##
#
define(`kernel_rw_fs_sysctls',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_rw_fs_sysctls'($*)) dnl
gen_require(`
type proc_t, sysctl_t, sysctl_fs_t;
')
# Reach the filesystem sysctl subtree: search the proc_t directory, read the sysctl_t directory.
allow $1 proc_t:dir search;
allow $1 sysctl_t:dir r_dir_perms;
# The directory stays read-only; write access is limited to the sysctl_fs_t files.
allow $1 sysctl_fs_t:dir r_dir_perms;
allow $1 sysctl_fs_t:file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_rw_fs_sysctls'($*)) dnl
')
########################################
##
## Read IRQ sysctls.
##
##
##
## Domain allowed access.
##
##
##
#
define(`kernel_read_irq_sysctls',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_irq_sysctls'($*)) dnl
gen_require(`
type proc_t, sysctl_irq_t;
')
# Unlike the other sysctl interfaces there is no sysctl_t rule here: the IRQ
# directory is reached straight from proc_t.
allow $1 proc_t:dir search;
# Read-only access to the IRQ sysctl directory and its files.
allow $1 sysctl_irq_t:dir r_dir_perms;
allow $1 sysctl_irq_t:file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_irq_sysctls'($*)) dnl
')
########################################
##
## Read and write IRQ sysctls.
##
##
##
## Domain allowed access.
##
##
##
#
define(`kernel_rw_irq_sysctls',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_rw_irq_sysctls'($*)) dnl
gen_require(`
type proc_t, sysctl_irq_t;
')
# No sysctl_t rule: the IRQ directory is reached straight from proc_t.
allow $1 proc_t:dir search;
# The directory stays read-only; write access is limited to the sysctl_irq_t files.
allow $1 sysctl_irq_t:dir r_dir_perms;
allow $1 sysctl_irq_t:file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_rw_irq_sysctls'($*)) dnl
')
########################################
##
## Read RPC sysctls.
##
##
##
## Domain allowed access.
##
##
##
#
define(`kernel_read_rpc_sysctls',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_rpc_sysctls'($*)) dnl
gen_require(`
type proc_t, proc_net_t, sysctl_rpc_t;
')
# The RPC sysctls are reached through proc_net_t rather than sysctl_t (see the
# /proc/net/rpc comment in the all-sysctls interfaces), so that is what gets searched.
allow $1 proc_t:dir search;
allow $1 proc_net_t:dir search;
# Read-only access to the RPC sysctl directory and its files.
allow $1 sysctl_rpc_t:dir r_dir_perms;
allow $1 sysctl_rpc_t:file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_rpc_sysctls'($*)) dnl
')
########################################
##
## Read and write RPC sysctls.
##
##
##
## Domain allowed access.
##
##
##
#
define(`kernel_rw_rpc_sysctls',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_rw_rpc_sysctls'($*)) dnl
gen_require(`
type proc_t, proc_net_t, sysctl_rpc_t;
')
# The RPC sysctls are reached through proc_net_t rather than sysctl_t.
allow $1 proc_t:dir search;
allow $1 proc_net_t:dir search;
# The directory stays read-only; write access is limited to the sysctl_rpc_t files.
allow $1 sysctl_rpc_t:dir r_dir_perms;
allow $1 sysctl_rpc_t:file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_rw_rpc_sysctls'($*)) dnl
')
########################################
##
## Do not audit attempts to list all sysctl directories.
##
##
##
## Domain to not audit.
##
##
#
define(`kernel_dontaudit_list_all_sysctls',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_list_all_sysctls'($*)) dnl
gen_require(`
attribute sysctl_type;
')
# Keyed on the sysctl_type attribute, so one rule silences listing denials
# for every sysctl directory type; no access is granted.
dontaudit $1 sysctl_type:dir list_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_list_all_sysctls'($*)) dnl
')
########################################
##
## Allow caller to read all sysctls.
##
##
##
## Domain allowed access.
##
##
##
#
define(`kernel_read_all_sysctls',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_all_sysctls'($*)) dnl
gen_require(`
attribute sysctl_type;
type proc_t, proc_net_t;
')
# proc_net_t for /proc/net/rpc sysctls
allow $1 { proc_t proc_net_t }:dir search;
# Attribute-wide read access: every directory and file carrying sysctl_type.
# NOTE(review): prefer one of the per-subtree read interfaces above when the
# caller only needs a single sysctl family.
allow $1 sysctl_type:dir r_dir_perms;
allow $1 sysctl_type:file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_all_sysctls'($*)) dnl
')
########################################
##
## Read and write all sysctls.
##
##
##
## Domain allowed access.
##
##
##
#
define(`kernel_rw_all_sysctls',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_rw_all_sysctls'($*)) dnl
gen_require(`
attribute sysctl_type;
type proc_t, proc_net_t;
')
# proc_net_t for /proc/net/rpc sysctls
allow $1 { proc_t proc_net_t }:dir search;
# Broadest sysctl write grant: on top of the read/write set, setattr is
# granted on every file carrying sysctl_type. Directories stay read-only.
# NOTE(review): reserve this for domains that genuinely manage all sysctls.
allow $1 sysctl_type:dir r_dir_perms;
allow $1 sysctl_type:file { rw_file_perms setattr };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_rw_all_sysctls'($*)) dnl
')
########################################
##
## Send a kill signal to unlabeled processes.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_kill_unlabeled',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_kill_unlabeled'($*)) dnl
gen_require(`
type unlabeled_t;
')
# sigkill only; signal, signull, sigstop and sigchld each have their own interface.
allow $1 unlabeled_t:process sigkill;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_kill_unlabeled'($*)) dnl
')
########################################
##
## Send general signals to unlabeled processes.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_signal_unlabeled',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_signal_unlabeled'($*)) dnl
gen_require(`
type unlabeled_t;
')
# The generic signal permission only; sigkill, signull, sigstop and sigchld
# each have their own interface.
allow $1 unlabeled_t:process signal;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_signal_unlabeled'($*)) dnl
')
########################################
##
## Send a null signal to unlabeled processes.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_signull_unlabeled',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_signull_unlabeled'($*)) dnl
gen_require(`
type unlabeled_t;
')
# signull only (existence check); the other signal kinds have their own interfaces.
allow $1 unlabeled_t:process signull;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_signull_unlabeled'($*)) dnl
')
########################################
##
## Send a stop signal to unlabeled processes.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_sigstop_unlabeled',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_sigstop_unlabeled'($*)) dnl
gen_require(`
type unlabeled_t;
')
# sigstop only; the other signal kinds have their own interfaces.
allow $1 unlabeled_t:process sigstop;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_sigstop_unlabeled'($*)) dnl
')
########################################
##
## Send a child terminated signal to unlabeled processes.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_sigchld_unlabeled',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_sigchld_unlabeled'($*)) dnl
gen_require(`
type unlabeled_t;
')
# sigchld only; the other signal kinds have their own interfaces.
allow $1 unlabeled_t:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_sigchld_unlabeled'($*)) dnl
')
########################################
##
## List unlabeled directories.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_list_unlabeled',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_list_unlabeled'($*)) dnl
gen_require(`
type unlabeled_t;
')
# Read-only directory access on every directory carrying unlabeled_t; the
# relabelfrom interfaces below reuse this for their listing part.
allow $1 unlabeled_t:dir r_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_list_unlabeled'($*)) dnl
')
########################################
##
## Read the process state (/proc/pid) of all unlabeled_t.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_read_unlabeled_state',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_unlabeled_state'($*)) dnl
gen_require(`
type unlabeled_t;
')
# NOTE(review): the summary talks about /proc/pid, but these rules are keyed
# on the type alone, so they allow reading every directory, file and symlink
# that carries unlabeled_t, wherever it lives.
allow $1 unlabeled_t:dir r_dir_perms;
allow $1 unlabeled_t:file r_file_perms;
allow $1 unlabeled_t:lnk_file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_unlabeled_state'($*)) dnl
')
########################################
##
## Do not audit attempts to list unlabeled directories.
##
##
##
## Domain to not audit.
##
##
#
define(`kernel_dontaudit_list_unlabeled',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_list_unlabeled'($*)) dnl
gen_require(`
type unlabeled_t;
')
# Audit suppression only for directory listing; no access is granted.
dontaudit $1 unlabeled_t:dir list_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_list_unlabeled'($*)) dnl
')
########################################
##
## Read and write unlabeled directories.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_rw_unlabeled_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_rw_unlabeled_dirs'($*)) dnl
gen_require(`
type unlabeled_t;
')
# Read and write permissions on the directory class only; the entries inside
# (files, symlinks, ...) are not covered by this rule.
allow $1 unlabeled_t:dir rw_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_rw_unlabeled_dirs'($*)) dnl
')
########################################
##
## Do not audit attempts by caller to get the
## attributes of an unlabeled file.
##
##
##
## The process type not to audit.
##
##
#
define(`kernel_dontaudit_getattr_unlabeled_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_getattr_unlabeled_files'($*)) dnl
gen_require(`
type unlabeled_t;
')
# Audit suppression only: getattr on unlabeled regular files is not granted,
# the denial just stops being logged.
dontaudit $1 unlabeled_t:file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_getattr_unlabeled_files'($*)) dnl
')
########################################
##
## Do not audit attempts by caller to
## read an unlabeled file.
##
##
##
## Domain to not audit.
##
##
#
define(`kernel_dontaudit_read_unlabeled_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_read_unlabeled_files'($*)) dnl
gen_require(`
type unlabeled_t;
')
# Audit suppression only, for getattr and read together; nothing is granted.
dontaudit $1 unlabeled_t:file { getattr read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_read_unlabeled_files'($*)) dnl
')
########################################
##
## Do not audit attempts by caller to get the
## attributes of unlabeled symbolic links.
##
##
##
## The process type not to audit.
##
##
#
define(`kernel_dontaudit_getattr_unlabeled_symlinks',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_getattr_unlabeled_symlinks'($*)) dnl
gen_require(`
type unlabeled_t;
')
# Audit suppression only for getattr on unlabeled symbolic links; nothing is granted.
dontaudit $1 unlabeled_t:lnk_file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_getattr_unlabeled_symlinks'($*)) dnl
')
########################################
##
## Do not audit attempts by caller to get the
## attributes of unlabeled named pipes.
##
##
##
## The process type not to audit.
##
##
#
define(`kernel_dontaudit_getattr_unlabeled_pipes',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_getattr_unlabeled_pipes'($*)) dnl
gen_require(`
type unlabeled_t;
')
# Audit suppression only for getattr on unlabeled named pipes; nothing is granted.
dontaudit $1 unlabeled_t:fifo_file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_getattr_unlabeled_pipes'($*)) dnl
')
########################################
##
## Do not audit attempts by caller to get the
## attributes of unlabeled named sockets.
##
##
##
## The process type not to audit.
##
##
#
define(`kernel_dontaudit_getattr_unlabeled_sockets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_getattr_unlabeled_sockets'($*)) dnl
gen_require(`
type unlabeled_t;
')
# Audit suppression only for getattr on unlabeled named sockets; nothing is granted.
dontaudit $1 unlabeled_t:sock_file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_getattr_unlabeled_sockets'($*)) dnl
')
########################################
##
## Do not audit attempts by caller to get attributes for
## unlabeled block devices.
##
##
##
## The process type not to audit.
##
##
#
define(`kernel_dontaudit_getattr_unlabeled_blk_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_getattr_unlabeled_blk_files'($*)) dnl
gen_require(`
type unlabeled_t;
')
# Audit suppression only for getattr on unlabeled block device nodes; nothing is granted.
dontaudit $1 unlabeled_t:blk_file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_getattr_unlabeled_blk_files'($*)) dnl
')
########################################
##
## Read and write unlabeled block device nodes.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_rw_unlabeled_blk_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_rw_unlabeled_blk_files'($*)) dnl
gen_require(`
type unlabeled_t;
')
# NOTE(review): the interface name and summary promise read/write, but the
# rule below only grants getattr. Confirm with the policy owners whether a
# read/write set on unlabeled_t block devices is really intended before
# widening this; as written, callers get attribute access only.
allow $1 unlabeled_t:blk_file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_rw_unlabeled_blk_files'($*)) dnl
')
########################################
##
## Do not audit attempts by caller to get attributes for
## unlabeled character devices.
##
##
##
## The process type not to audit.
##
##
#
define(`kernel_dontaudit_getattr_unlabeled_chr_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_getattr_unlabeled_chr_files'($*)) dnl
gen_require(`
type unlabeled_t;
')
# Audit suppression only for getattr on unlabeled character device nodes; nothing is granted.
dontaudit $1 unlabeled_t:chr_file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_getattr_unlabeled_chr_files'($*)) dnl
')
########################################
##
## Allow caller to relabel unlabeled directories.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_relabelfrom_unlabeled_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_relabelfrom_unlabeled_dirs'($*)) dnl
gen_require(`
type unlabeled_t;
')
# Listing perms are spelled out here instead of reusing the unlabeled list
# interface as the file, symlink, pipe and socket variants do. Only
# relabelfrom is granted: nothing here covers the destination type.
allow $1 unlabeled_t:dir { getattr search read relabelfrom };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_relabelfrom_unlabeled_dirs'($*)) dnl
')
########################################
##
## Allow caller to relabel unlabeled files.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_relabelfrom_unlabeled_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_relabelfrom_unlabeled_files'($*)) dnl
gen_require(`
type unlabeled_t;
')
# Directory listing comes from the unlabeled list interface; this adds
# relabelfrom on the files themselves. Nothing here covers the destination type.
kernel_list_unlabeled($1)
allow $1 unlabeled_t:file { getattr relabelfrom };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_relabelfrom_unlabeled_files'($*)) dnl
')
########################################
##
## Allow caller to relabel unlabeled symbolic links.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_relabelfrom_unlabeled_symlinks',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_relabelfrom_unlabeled_symlinks'($*)) dnl
gen_require(`
type unlabeled_t;
')
# Directory listing comes from the unlabeled list interface; this adds
# relabelfrom on the symlinks themselves. Nothing here covers the destination type.
kernel_list_unlabeled($1)
allow $1 unlabeled_t:lnk_file { getattr relabelfrom };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_relabelfrom_unlabeled_symlinks'($*)) dnl
')
########################################
##
## Allow caller to relabel unlabeled named pipes.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_relabelfrom_unlabeled_pipes',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_relabelfrom_unlabeled_pipes'($*)) dnl
gen_require(`
type unlabeled_t;
')
# Directory listing comes from the unlabeled list interface; this adds
# relabelfrom on the named pipes themselves. Nothing here covers the destination type.
kernel_list_unlabeled($1)
allow $1 unlabeled_t:fifo_file { getattr relabelfrom };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_relabelfrom_unlabeled_pipes'($*)) dnl
')
########################################
##
## Allow caller to relabel unlabeled named sockets.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_relabelfrom_unlabeled_sockets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_relabelfrom_unlabeled_sockets'($*)) dnl
gen_require(`
type unlabeled_t;
')
# Directory listing comes from the unlabeled list interface; this adds
# relabelfrom on the named sockets themselves. Nothing here covers the destination type.
kernel_list_unlabeled($1)
allow $1 unlabeled_t:sock_file { getattr relabelfrom };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_relabelfrom_unlabeled_sockets'($*)) dnl
')
########################################
##
## Send and receive messages from an
## unlabeled IPSEC association.
##
##
##
## Send and receive messages from an
## unlabeled IPSEC association. Network
## connections that are not protected
## by IPSEC use an unlabeled
## association.
##
##
## The corenetwork interface
## corenet_non_ipsec_sendrecv() should
## be used instead of this one.
##
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_sendrecv_unlabeled_association',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_sendrecv_unlabeled_association'($*)) dnl
gen_require(`
type unlabeled_t;
')
# Both directions on the unlabeled association. The header above points
# callers at the corenetwork wrapper instead of using this directly.
allow $1 unlabeled_t:association { sendto recvfrom };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_sendrecv_unlabeled_association'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive messages
## from an unlabeled IPSEC association.
##
##
##
## Do not audit attempts to send and receive messages
## from an unlabeled IPSEC association. Network
## connections that are not protected
## by IPSEC use an unlabeled
## association.
##
##
## The corenetwork interface
## corenet_dontaudit_non_ipsec_sendrecv() should
## be used instead of this one.
##
##
##
##
## Domain to not audit.
##
##
#
define(`kernel_dontaudit_sendrecv_unlabeled_association',` dnl
dnl  Interface kernel_dontaudit_sendrecv_unlabeled_association(domain).
dnl  Call-depth bookkeeping only, for the begin/end markers from policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_sendrecv_unlabeled_association'($*)) dnl
gen_require(`
type unlabeled_t;
')
dnl  dontaudit grants nothing: the access is still denied, only the AVC record is suppressed.
dontaudit $1 unlabeled_t:association { sendto recvfrom };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_sendrecv_unlabeled_association'($*)) dnl
')
########################################
##
## Receive TCP packets from a NetLabel connection.
##
##
##
## Receive TCP packets from a NetLabel connection. NetLabel is an
## explicit packet labeling framework which implements CIPSO and
## similar protocols.
##
##
## The corenetwork interface
## corenet_tcp_recv_netlabel() should
## be used instead of this one.
##
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_tcp_recvfrom_unlabeled',` dnl
dnl  Interface kernel_tcp_recvfrom_unlabeled(domain).
dnl  Call-depth bookkeeping only, for the begin/end markers from policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_tcp_recvfrom_unlabeled'($*)) dnl
gen_require(`
type unlabeled_t;
')
dnl  Peer-label check for TCP: permits receiving from peers that NetLabel left unlabeled.
dnl  The header recommends corenet_tcp_recv_netlabel instead of calling this directly.
allow $1 unlabeled_t:tcp_socket recvfrom;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_tcp_recvfrom_unlabeled'($*)) dnl
')
########################################
##
## Do not audit attempts to receive TCP packets from a NetLabel
## connection.
##
##
##
## Do not audit attempts to receive TCP packets from a NetLabel
## connection. NetLabel is an explicit packet labeling framework
## which implements CIPSO and similar protocols.
##
##
## The corenetwork interface
## corenet_dontaudit_tcp_recv_netlabel() should
## be used instead of this one.
##
##
##
##
## Domain to not audit.
##
##
#
define(`kernel_dontaudit_tcp_recvfrom_unlabeled',` dnl
dnl  Interface kernel_dontaudit_tcp_recvfrom_unlabeled(domain).
dnl  Call-depth bookkeeping only, for the begin/end markers from policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_tcp_recvfrom_unlabeled'($*)) dnl
gen_require(`
type unlabeled_t;
')
dnl  Suppresses the AVC record for the tcp_socket recvfrom denial; access is not granted.
dontaudit $1 unlabeled_t:tcp_socket recvfrom;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_tcp_recvfrom_unlabeled'($*)) dnl
')
########################################
##
## Receive UDP packets from a NetLabel connection.
##
##
##
## Receive UDP packets from a NetLabel connection. NetLabel is an
## explicit packet labeling framework which implements CIPSO and
## similar protocols.
##
##
## The corenetwork interface
## corenet_udp_recv_netlabel() should
## be used instead of this one.
##
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_udp_recvfrom_unlabeled',` dnl
dnl  Interface kernel_udp_recvfrom_unlabeled(domain).
dnl  Call-depth bookkeeping only, for the begin/end markers from policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_udp_recvfrom_unlabeled'($*)) dnl
gen_require(`
type unlabeled_t;
')
dnl  Peer-label check for UDP; the header recommends corenet_udp_recv_netlabel instead.
allow $1 unlabeled_t:udp_socket recvfrom;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_udp_recvfrom_unlabeled'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP packets from a NetLabel
## connection.
##
##
##
## Do not audit attempts to receive UDP packets from a NetLabel
## connection. NetLabel is an explicit packet labeling framework
## which implements CIPSO and similar protocols.
##
##
## The corenetwork interface
## corenet_dontaudit_udp_recv_netlabel() should
## be used instead of this one.
##
##
##
##
## Domain to not audit.
##
##
#
define(`kernel_dontaudit_udp_recvfrom_unlabeled',` dnl
dnl  Interface kernel_dontaudit_udp_recvfrom_unlabeled(domain).
dnl  Call-depth bookkeeping only, for the begin/end markers from policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_udp_recvfrom_unlabeled'($*)) dnl
gen_require(`
type unlabeled_t;
')
dnl  Suppresses the AVC record for the udp_socket recvfrom denial; access is not granted.
dontaudit $1 unlabeled_t:udp_socket recvfrom;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_udp_recvfrom_unlabeled'($*)) dnl
')
########################################
##
## Receive Raw IP packets from a NetLabel connection.
##
##
##
## Receive Raw IP packets from a NetLabel connection. NetLabel is an
## explicit packet labeling framework which implements CIPSO and
## similar protocols.
##
##
## The corenetwork interface
## corenet_raw_recv_netlabel() should
## be used instead of this one.
##
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_raw_recvfrom_unlabeled',` dnl
dnl  Interface kernel_raw_recvfrom_unlabeled(domain).
dnl  Call-depth bookkeeping only, for the begin/end markers from policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_raw_recvfrom_unlabeled'($*)) dnl
gen_require(`
type unlabeled_t;
')
dnl  Peer-label check for raw IP sockets; the header recommends corenet_raw_recv_netlabel instead.
allow $1 unlabeled_t:rawip_socket recvfrom;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_raw_recvfrom_unlabeled'($*)) dnl
')
########################################
##
## Do not audit attempts to receive Raw IP packets from a NetLabel
## connection.
##
##
##
## Do not audit attempts to receive Raw IP packets from a NetLabel
## connection. NetLabel is an explicit packet labeling framework
## which implements CIPSO and similar protocols.
##
##
## The corenetwork interface
## corenet_dontaudit_raw_recv_netlabel() should
## be used instead of this one.
##
##
##
##
## Domain to not audit.
##
##
#
define(`kernel_dontaudit_raw_recvfrom_unlabeled',` dnl
dnl  Interface kernel_dontaudit_raw_recvfrom_unlabeled(domain).
dnl  Call-depth bookkeeping only, for the begin/end markers from policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_raw_recvfrom_unlabeled'($*)) dnl
gen_require(`
type unlabeled_t;
')
dnl  Suppresses the AVC record for the rawip_socket recvfrom denial; access is not granted.
dontaudit $1 unlabeled_t:rawip_socket recvfrom;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_raw_recvfrom_unlabeled'($*)) dnl
')
########################################
##
## Send and receive unlabeled packets.
##
##
##
## Send and receive unlabeled packets.
## These packets do not match any netfilter
## SECMARK rules.
##
##
## The corenetwork interface
## corenet_sendrecv_unlabeled_packets() should
## be used instead of this one.
##
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_sendrecv_unlabeled_packets',` dnl
dnl  Interface kernel_sendrecv_unlabeled_packets(domain).
dnl  Call-depth bookkeeping only, for the begin/end markers from policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_sendrecv_unlabeled_packets'($*)) dnl
gen_require(`
type unlabeled_t;
')
dnl  packet class: applies to traffic matched by no netfilter SECMARK rule.
dnl  Once SECMARK rules exist, packets they match are no longer unlabeled_t,
dnl  so this rule alone does not cover them.
allow $1 unlabeled_t:packet { send recv };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_sendrecv_unlabeled_packets'($*)) dnl
')
########################################
##
## Unconfined access to kernel module resources.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_unconfined',` dnl
dnl  Interface kernel_unconfined(domain).
dnl  Call-depth bookkeeping only, for the begin/end markers from policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_unconfined'($*)) dnl
gen_require(`
attribute kern_unconfined;
')
dnl  Broad grant: the rules attached to kern_unconfined are defined outside this
dnl  file, so the full scope of what this adds is not visible here. Treat callers
dnl  of this interface as high-privilege when reviewing a policy.
typeattribute $1 kern_unconfined;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_unconfined'($*)) dnl
')
########################################
##
## Set the priority of kernel threads.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_setsched',` dnl
dnl  Interface kernel_setsched(domain).
dnl  Call-depth bookkeeping only, for the begin/end markers from policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kernel_setsched'($*)) dnl
gen_require(`
type kernel_t;
')
dnl  Only the setsched permission on kernel_t processes; no other process permissions.
allow $1 kernel_t:process setsched;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kernel_setsched'($*)) dnl
')
## Multicategory security policy
##
## Contains attributes used in MCS policy.
##
########################################
##
## This domain is allowed to sigkill and sigstop
## all domains regardless of their MCS category set.
##
##
##
## Domain target for user exemption.
##
##
##
#
define(`mcs_killall',` dnl
dnl  Interface mcs_killall(domain).
dnl  Call-depth bookkeeping only, for the begin/end markers from policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mcs_killall'($*)) dnl
gen_require(`
attribute mcskillall;
')
dnl  MCS exemption: the constraint rules keyed on mcskillall live outside this file.
dnl  This adds the attribute only; ordinary type-enforcement signal rules still apply.
typeattribute $1 mcskillall;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mcs_killall'($*)) dnl
')
########################################
##
## This domain is allowed to ptrace
## all domains regardless of their MCS
## category set.
##
##
##
## Domain target for user exemption.
##
##
#
define(`mcs_ptrace_all',` dnl
dnl  Interface mcs_ptrace_all(domain).
dnl  Call-depth bookkeeping only, for the begin/end markers from policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mcs_ptrace_all'($*)) dnl
gen_require(`
attribute mcsptraceall;
')
dnl  MCS exemption for ptrace; the constraints honoring mcsptraceall are defined elsewhere.
dnl  Type-enforcement ptrace rules are unaffected by this attribute alone.
typeattribute $1 mcsptraceall;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mcs_ptrace_all'($*)) dnl
')
########################################
##
## Make specified domain MCS trusted
## for setting any category set for
## the processes it executes.
##
##
##
## Domain target for user exemption.
##
##
#
define(`mcs_process_set_categories',` dnl
dnl  Interface mcs_process_set_categories(domain).
dnl  Call-depth bookkeeping only, for the begin/end markers from policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mcs_process_set_categories'($*)) dnl
gen_require(`
attribute mcssetcats;
')
dnl  Per the header, lets the domain hand any category set to processes it executes.
dnl  The constraints keyed on mcssetcats are defined outside this file.
typeattribute $1 mcssetcats;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mcs_process_set_categories'($*)) dnl
')
## Multilevel security policy
##
##
## This module contains interfaces for handling multilevel
## security. The interfaces allow the specified subjects
## and objects to be allowed certain privileges in the
## MLS rules.
##
##
##
## Contains attributes used in MLS policy.
##
########################################
##
## Make specified domain MLS trusted
## for reading from files at higher levels.
##
##
##
## Domain allowed access.
##
##
##
#
define(`mls_file_read_up',` dnl
dnl  Interface mls_file_read_up(domain).
dnl  Call-depth bookkeeping only, for the begin/end markers from policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mls_file_read_up'($*)) dnl
gen_require(`
attribute mlsfileread;
')
dnl  MLS override attribute (read-up on files). The mlsconstrain rules that honor
dnl  mlsfileread are defined outside this file; type-enforcement rules still apply.
typeattribute $1 mlsfileread;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mls_file_read_up'($*)) dnl
')
########################################
##
## Make specified domain MLS trusted
## for writing to files at lower levels.
##
##
##
## Domain allowed access.
##
##
##
#
define(`mls_file_write_down',` dnl
dnl  Interface mls_file_write_down(domain).
dnl  Call-depth bookkeeping only, for the begin/end markers from policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mls_file_write_down'($*)) dnl
gen_require(`
attribute mlsfilewrite;
')
dnl  MLS override attribute (write-down on files); the constraints keyed on
dnl  mlsfilewrite are defined outside this file. Write-down is a declassification
dnl  path, so callers deserve scrutiny in review.
typeattribute $1 mlsfilewrite;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mls_file_write_down'($*)) dnl
')
########################################
##
## Make specified domain MLS trusted
## for raising the level of files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`mls_file_upgrade',` dnl
dnl  Interface mls_file_upgrade(domain).
dnl  Call-depth bookkeeping only, for the begin/end markers from policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mls_file_upgrade'($*)) dnl
gen_require(`
attribute mlsfileupgrade;
')
dnl  MLS override attribute for raising file levels; constraints keyed on
dnl  mlsfileupgrade are defined outside this file.
typeattribute $1 mlsfileupgrade;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mls_file_upgrade'($*)) dnl
')
########################################
##
## Make specified domain MLS trusted
## for lowering the level of files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`mls_file_downgrade',` dnl
dnl  Interface mls_file_downgrade(domain).
dnl  Call-depth bookkeeping only, for the begin/end markers from policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mls_file_downgrade'($*)) dnl
gen_require(`
attribute mlsfiledowngrade;
')
dnl  MLS override attribute for lowering file levels (a declassification path);
dnl  constraints keyed on mlsfiledowngrade are defined outside this file.
typeattribute $1 mlsfiledowngrade;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mls_file_downgrade'($*)) dnl
')
########################################
##
## Make specified domain trusted to
## be written to within its MLS range.
## The subject's MLS range must be a
## proper subset of the object's MLS range.
##
##
##
## Object domain granting ranged access.
##
##
#
define(`mls_file_writable_within_range',` dnl
dnl  Interface mls_file_writable_within_range(object_type).
dnl  Note the argument is an object type, not a subject domain (see header).
dnl  Call-depth bookkeeping only, for the begin/end markers from policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mls_file_writable_within_range'($*)) dnl
gen_require(`
attribute mlsrangedobject;
')
dnl  Tags the object type with mlsrangedobject; the range-subset constraint
dnl  described in the header is defined outside this file.
typeattribute $1 mlsrangedobject;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mls_file_writable_within_range'($*)) dnl
')
########################################
##
## Make specified domain MLS trusted
## for reading from sockets at any level.
##
##
##
## Domain allowed access.
##
##
#
define(`mls_socket_read_all_levels',` dnl
dnl  Interface mls_socket_read_all_levels(domain).
dnl  Call-depth bookkeeping only, for the begin/end markers from policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mls_socket_read_all_levels'($*)) dnl
gen_require(`
attribute mlsnetread;
')
dnl  MLS override for socket reads at any level (broader than the to-clearance
dnl  variant below); constraints keyed on mlsnetread are defined elsewhere.
typeattribute $1 mlsnetread;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mls_socket_read_all_levels'($*)) dnl
')
########################################
##
## Make specified domain MLS trusted
## for reading from sockets at any level
## that is dominated by the process clearance.
##
##
##
## Domain allowed access.
##
##
#
define(`mls_socket_read_to_clearance',` dnl
dnl  Interface mls_socket_read_to_clearance(domain).
dnl  Call-depth bookkeeping only, for the begin/end markers from policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mls_socket_read_to_clearance'($*)) dnl
gen_require(`
attribute mlsnetreadtoclr;
')
dnl  Narrower than mls_socket_read_all_levels: per the header, limited to levels
dnl  dominated by the process clearance. Constraints are defined elsewhere.
typeattribute $1 mlsnetreadtoclr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mls_socket_read_to_clearance'($*)) dnl
')
########################################
##
## Make specified domain MLS trusted
## for writing to sockets at any level
## that is dominated by the process clearance.
##
##
##
## Domain allowed access.
##
##
#
define(`mls_socket_write_to_clearance',` dnl
dnl  Interface mls_socket_write_to_clearance(domain).
dnl  Call-depth bookkeeping only, for the begin/end markers from policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mls_socket_write_to_clearance'($*)) dnl
gen_require(`
attribute mlsnetwritetoclr;
')
dnl  Socket write override bounded by the process clearance (see header);
dnl  prefer this over mls_socket_write_all_levels when the bound suffices.
typeattribute $1 mlsnetwritetoclr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mls_socket_write_to_clearance'($*)) dnl
')
########################################
##
## Make specified domain MLS trusted
## for writing to sockets at any level.
##
##
##
## Domain allowed access.
##
##
#
define(`mls_socket_write_all_levels',` dnl
dnl  Interface mls_socket_write_all_levels(domain).
dnl  Call-depth bookkeeping only, for the begin/end markers from policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mls_socket_write_all_levels'($*)) dnl
gen_require(`
attribute mlsnetwrite;
')
dnl  Unbounded socket write override; constraints keyed on mlsnetwrite are defined elsewhere.
typeattribute $1 mlsnetwrite;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mls_socket_write_all_levels'($*)) dnl
')
########################################
##
## Make specified domain MLS trusted
## for receiving network data from
## network interfaces or hosts at any level.
##
##
##
## Domain allowed access.
##
##
#
define(`mls_net_receive_all_levels',` dnl
dnl  Interface mls_net_receive_all_levels(domain).
dnl  Call-depth bookkeeping only, for the begin/end markers from policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mls_net_receive_all_levels'($*)) dnl
gen_require(`
attribute mlsnetrecvall;
')
dnl  Per the header this covers network interfaces and hosts (netif/node objects),
dnl  which the socket-level overrides above do not; constraints are defined elsewhere.
typeattribute $1 mlsnetrecvall;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mls_net_receive_all_levels'($*)) dnl
')
########################################
##
## Make specified domain MLS trusted
## for reading from System V IPC objects
## at any level.
##
##
##
## Domain allowed access.
##
##
#
define(`mls_sysvipc_read_all_levels',` dnl
dnl  Interface mls_sysvipc_read_all_levels(domain).
dnl  Call-depth bookkeeping only, for the begin/end markers from policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mls_sysvipc_read_all_levels'($*)) dnl
gen_require(`
attribute mlsipcread;
')
dnl  MLS read override for System V IPC objects; constraints keyed on mlsipcread are defined elsewhere.
typeattribute $1 mlsipcread;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mls_sysvipc_read_all_levels'($*)) dnl
')
########################################
##
## Make specified domain MLS trusted
## for writing to System V IPC objects
## at any level.
##
##
##
## Domain allowed access.
##
##
#
define(`mls_sysvipc_write_all_levels',` dnl
dnl  Interface mls_sysvipc_write_all_levels(domain).
dnl  Call-depth bookkeeping only, for the begin/end markers from policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mls_sysvipc_write_all_levels'($*)) dnl
gen_require(`
attribute mlsipcwrite;
')
dnl  MLS write override for System V IPC objects; constraints keyed on mlsipcwrite are defined elsewhere.
typeattribute $1 mlsipcwrite;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mls_sysvipc_write_all_levels'($*)) dnl
')
########################################
##
## Allow the specified domain to do a MLS
## range transition that changes
## the current level.
##
##
##
## Domain allowed access.
##
##
#
define(`mls_rangetrans_source',` dnl
dnl  Interface mls_rangetrans_source(domain).
dnl  Call-depth bookkeeping only, for the begin/end markers from policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mls_rangetrans_source'($*)) dnl
gen_require(`
attribute privrangetrans;
')
dnl  Source side of a level-changing range transition; pairs with
dnl  mls_rangetrans_target on the destination domain. Constraints are defined elsewhere.
typeattribute $1 privrangetrans;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mls_rangetrans_source'($*)) dnl
')
########################################
##
## Make specified domain a target domain
## for MLS range transitions that change
## the current level.
##
##
##
## Domain allowed access.
##
##
#
define(`mls_rangetrans_target',` dnl
dnl  Interface mls_rangetrans_target(domain).
dnl  Call-depth bookkeeping only, for the begin/end markers from policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mls_rangetrans_target'($*)) dnl
gen_require(`
attribute mlsrangetrans;
')
dnl  Target side of a level-changing range transition; pairs with mls_rangetrans_source.
typeattribute $1 mlsrangetrans;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mls_rangetrans_target'($*)) dnl
')
########################################
##
## Make specified domain MLS trusted
## for reading from processes at higher levels.
##
##
##
## Domain allowed access.
##
##
#
define(`mls_process_read_up',` dnl
dnl  Interface mls_process_read_up(domain).
dnl  Call-depth bookkeeping only, for the begin/end markers from policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mls_process_read_up'($*)) dnl
gen_require(`
attribute mlsprocread;
')
dnl  MLS read-up override on processes; constraints keyed on mlsprocread are defined elsewhere.
typeattribute $1 mlsprocread;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mls_process_read_up'($*)) dnl
')
########################################
##
## Make specified domain MLS trusted
## for writing to processes at lower levels.
##
##
##
## Domain allowed access.
##
##
#
define(`mls_process_write_down',` dnl
dnl  Interface mls_process_write_down(domain).
dnl  Call-depth bookkeeping only, for the begin/end markers from policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mls_process_write_down'($*)) dnl
gen_require(`
attribute mlsprocwrite;
')
dnl  MLS write-down override on processes (a declassification path);
dnl  constraints keyed on mlsprocwrite are defined elsewhere.
typeattribute $1 mlsprocwrite;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mls_process_write_down'($*)) dnl
')
########################################
##
## Make specified domain MLS trusted
## for setting the level of processes
## it executes.
##
##
##
## Domain allowed access.
##
##
#
define(`mls_process_set_level',` dnl
dnl  Interface mls_process_set_level(domain).
dnl  Call-depth bookkeeping only, for the begin/end markers from policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mls_process_set_level'($*)) dnl
gen_require(`
attribute mlsprocsetsl;
')
dnl  Lets the domain choose the level of processes it executes (see header);
dnl  constraints keyed on mlsprocsetsl are defined elsewhere.
typeattribute $1 mlsprocsetsl;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mls_process_set_level'($*)) dnl
')
########################################
##
## Make specified domain MLS trusted
## for reading from X objects at any level.
##
##
##
## Domain allowed access.
##
##
#
define(`mls_xwin_read_all_levels',` dnl
dnl  Interface mls_xwin_read_all_levels(domain).
dnl  Call-depth bookkeeping only, for the begin/end markers from policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mls_xwin_read_all_levels'($*)) dnl
gen_require(`
attribute mlsxwinread;
')
dnl  MLS read override for X objects; constraints keyed on mlsxwinread are defined elsewhere.
typeattribute $1 mlsxwinread;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mls_xwin_read_all_levels'($*)) dnl
')
########################################
##
## Make specified domain MLS trusted
## for writing to X objects at any level.
##
##
##
## Domain allowed access.
##
##
#
define(`mls_xwin_write_all_levels',` dnl
dnl  Interface mls_xwin_write_all_levels(domain).
dnl  Call-depth bookkeeping only, for the begin/end markers from policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mls_xwin_write_all_levels'($*)) dnl
gen_require(`
attribute mlsxwinwrite;
')
dnl  MLS write override for X objects; constraints keyed on mlsxwinwrite are defined elsewhere.
typeattribute $1 mlsxwinwrite;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mls_xwin_write_all_levels'($*)) dnl
')
########################################
##
## Make specified domain MLS trusted
## for reading from X colormaps at any level.
##
##
##
## Domain allowed access.
##
##
#
define(`mls_colormap_read_all_levels',` dnl
dnl  Interface mls_colormap_read_all_levels(domain).
dnl  Call-depth bookkeeping only, for the begin/end markers from policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mls_colormap_read_all_levels'($*)) dnl
gen_require(`
attribute mlsxwinreadcolormap;
')
dnl  Colormap-only read override, separate from the general X object attribute above.
typeattribute $1 mlsxwinreadcolormap;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mls_colormap_read_all_levels'($*)) dnl
')
########################################
##
## Make specified domain MLS trusted
## for writing to X colormaps at any level.
##
##
##
## Domain allowed access.
##
##
#
define(`mls_colormap_write_all_levels',` dnl
dnl  Interface mls_colormap_write_all_levels(domain).
dnl  Call-depth bookkeeping only, for the begin/end markers from policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mls_colormap_write_all_levels'($*)) dnl
gen_require(`
attribute mlsxwinwritecolormap;
')
dnl  Colormap-only write override, separate from the general X object attribute above.
typeattribute $1 mlsxwinwritecolormap;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mls_colormap_write_all_levels'($*)) dnl
')
########################################
##
## Make specified object MLS trusted.
##
##
##
## Make specified object MLS trusted. This
## allows all levels to read and write the
## object.
##
##
## This currently only applies to filesystem
## objects, for example, files and directories.
##
##
##
##
## The type of the object.
##
##
#
define(`mls_trusted_object',` dnl
dnl  Interface mls_trusted_object(object_type).
dnl  The argument is an object type (files, directories), not a subject domain.
dnl  Call-depth bookkeeping only, for the begin/end markers from policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mls_trusted_object'($*)) dnl
gen_require(`
attribute mlstrustedobject;
')
dnl  Per the header, every level may read and write this object type. That makes
dnl  it a potential cross-level channel, so apply it narrowly (e.g. a single
dnl  shared-directory type rather than a broad one).
typeattribute $1 mlstrustedobject;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mls_trusted_object'($*)) dnl
')
########################################
##
## Make the specified domain trusted
## to inherit and use file descriptors
## from all levels.
##
##
##
## Domain allowed access.
##
##
#
define(`mls_fd_use_all_levels',` dnl
dnl  Interface mls_fd_use_all_levels(domain).
dnl  Call-depth bookkeeping only, for the begin/end markers from policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mls_fd_use_all_levels'($*)) dnl
gen_require(`
attribute mlsfduse;
')
dnl  Receiver-side fd override (use fds from any level); the sender side is
dnl  mls_fd_share_all_levels. Constraints keyed on mlsfduse are defined elsewhere.
typeattribute $1 mlsfduse;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mls_fd_use_all_levels'($*)) dnl
')
########################################
##
## Make the file descriptors from the
## specified domain inheritable by
## all levels.
##
##
##
## Domain allowed access.
##
##
#
define(`mls_fd_share_all_levels',` dnl
dnl  Interface mls_fd_share_all_levels(domain).
dnl  Call-depth bookkeeping only, for the begin/end markers from policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mls_fd_share_all_levels'($*)) dnl
gen_require(`
attribute mlsfdshare;
')
dnl  Sender-side fd override (fds of this domain inheritable by any level);
dnl  the receiver side is mls_fd_use_all_levels.
typeattribute $1 mlsfdshare;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mls_fd_share_all_levels'($*)) dnl
')
########################################
##
## Make specified domain MLS trusted
## for translating contexts at all levels.
##
##
##
## Domain allowed access.
##
##
#
define(`mls_context_translate_all_levels',` dnl
dnl  Interface mls_context_translate_all_levels(domain).
dnl  Call-depth bookkeeping only, for the begin/end markers from policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mls_context_translate_all_levels'($*)) dnl
gen_require(`
attribute mlstranslate;
')
dnl  Typically needed by a context translation service; constraints keyed on
dnl  mlstranslate are defined elsewhere.
typeattribute $1 mlstranslate;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mls_context_translate_all_levels'($*)) dnl
')
##
## Policy for kernel security interface, in particular, selinuxfs.
##
##
## Contains the policy for the kernel SELinux security interface.
##
########################################
##
## Gets the caller the mountpoint of the selinuxfs filesystem.
##
##
##
## The process type requesting the selinuxfs mountpoint.
##
##
#
define(`selinux_get_fs_mount',` dnl
dnl  Interface selinux_get_fs_mount(domain).
dnl  Composite: one filesystem getattr on security_t plus kernel_read_system_state,
dnl  which is defined elsewhere and is broader than the mountpoint lookup alone.
dnl  Call-depth bookkeeping only, for the begin/end markers from policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `selinux_get_fs_mount'($*)) dnl
gen_require(`
type security_t;
')
# starting in libselinux 2.0.5, init_selinuxmnt() will
# attempt to short circuit by checking if SELINUXMNT
# (/selinux) is already a selinuxfs
allow $1 security_t:filesystem getattr;
# read /proc/filesystems to see if selinuxfs is supported
# then read /proc/self/mount to see where selinuxfs is mounted
dnl  If a caller only needs the getattr, selinux_getattr_fs below is the narrower choice.
kernel_read_system_state($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `selinux_get_fs_mount'($*)) dnl
')
########################################
##
## Get the attributes of the selinuxfs filesystem
##
##
##
## Domain allowed access.
##
##
#
define(`selinux_getattr_fs',` dnl
dnl  Interface selinux_getattr_fs(domain).
dnl  Call-depth bookkeeping only, for the begin/end markers from policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `selinux_getattr_fs'($*)) dnl
gen_require(`
type security_t;
')
dnl  filesystem-class getattr only (statfs-style); no directory or file access on selinuxfs.
allow $1 security_t:filesystem getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `selinux_getattr_fs'($*)) dnl
')
########################################
##
## Do not audit attempts to get the
## attributes of the selinuxfs filesystem
##
##
##
## Domain to not audit.
##
##
#
define(`selinux_dontaudit_getattr_fs',` dnl
dnl  Interface selinux_dontaudit_getattr_fs(domain).
dnl  Call-depth bookkeeping only, for the begin/end markers from policy_m4_comment.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `selinux_dontaudit_getattr_fs'($*)) dnl
gen_require(`
type security_t;
')
dnl  Suppresses the AVC record only; the filesystem getattr is still denied.
dontaudit $1 security_t:filesystem getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `selinux_dontaudit_getattr_fs'($*)) dnl
')
########################################
##
## Do not audit attempts to get the
## attributes of the selinuxfs directory.
##
##
##
## Domain to not audit.
##
##
#
define(`selinux_dontaudit_getattr_dir',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `selinux_dontaudit_getattr_dir'($*)) dnl
gen_require(`
type security_t;
')
# Suppress audit of stat() on selinuxfs directories (dir class), as
# opposed to the filesystem class handled by selinux_dontaudit_getattr_fs.
dontaudit $1 security_t:dir getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `selinux_dontaudit_getattr_dir'($*)) dnl
')
########################################
##
## Search selinuxfs.
##
##
##
## Domain allowed access.
##
##
#
define(`selinux_search_fs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `selinux_search_fs'($*)) dnl
gen_require(`
type security_t;
')
# Path traversal through selinuxfs directories only (search_dir_perms);
# reading or listing the entries requires a separate interface.
allow $1 security_t:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `selinux_search_fs'($*)) dnl
')
########################################
##
## Do not audit attempts to search selinuxfs.
##
##
##
## Domain to not audit.
##
##
#
define(`selinux_dontaudit_search_fs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `selinux_dontaudit_search_fs'($*)) dnl
gen_require(`
type security_t;
')
# Counterpart of selinux_search_fs that suppresses the denial audit
# instead of granting the access.
dontaudit $1 security_t:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `selinux_dontaudit_search_fs'($*)) dnl
')
########################################
##
## Do not audit attempts to read
## generic selinuxfs entries
##
##
##
## Domain to not audit.
##
##
#
define(`selinux_dontaudit_read_fs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `selinux_dontaudit_read_fs'($*)) dnl
gen_require(`
type security_t;
')
# Quiet the whole read path on selinuxfs: filesystem getattr (via the
# helper interface), directory search, and file getattr/read.
selinux_dontaudit_getattr_fs($1)
dontaudit $1 security_t:dir search_dir_perms;
dontaudit $1 security_t:file { getattr read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `selinux_dontaudit_read_fs'($*)) dnl
')
########################################
##
## Allows the caller to get the mode of policy enforcement
## (enforcing or permissive mode).
##
##
##
## The process type to allow to get the enforcing mode.
##
##
##
#
define(`selinux_get_enforce_mode',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `selinux_get_enforce_mode'($*)) dnl
gen_require(`
type security_t;
')
# Read-only access to selinuxfs files; the mount lookup is needed
# first so libselinux can find the filesystem. No write permission
# is granted, so the mode cannot be changed through this interface.
selinux_get_fs_mount($1)
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file { getattr read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `selinux_get_enforce_mode'($*)) dnl
')
########################################
##
## Allow caller to set the mode of policy enforcement
## (enforcing or permissive mode).
##
##
##
## Allow caller to set the mode of policy enforcement
## (enforcing or permissive mode).
##
##
## Since this is a security event, this action is
## always audited.
##
##
##
##
## The process type to allow to set the enforcement mode.
##
##
##
#
define(`selinux_set_enforce_mode',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `selinux_set_enforce_mode'($*)) dnl
gen_require(`
type security_t;
attribute can_setenforce;
bool secure_mode_policyload;
')
# File-level write access to selinuxfs is granted unconditionally,
# but the setenforce permission on the security class (the check that
# actually allows switching enforcing/permissive) is only granted while
# the secure_mode_policyload boolean is off. The can_setenforce
# attribute marks every domain given this capability.
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file { getattr read write };
typeattribute $1 can_setenforce;
if(!secure_mode_policyload) {
allow $1 security_t:security setenforce;
ifdef(`distro_rhel4',`
# needed for systems without audit support
# NOTE(review): the explicit auditallow is only emitted for rhel4 builds;
# elsewhere the "always audited" statement in the header presumably
# relies on the kernel audit subsystem - confirm.
auditallow $1 security_t:security setenforce;
')
}
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `selinux_set_enforce_mode'($*)) dnl
')
########################################
##
## Allow caller to load the policy into the kernel.
##
##
##
## The process type that will load the policy.
##
##
#
define(`selinux_load_policy',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `selinux_load_policy'($*)) dnl
gen_require(`
type security_t;
attribute can_load_policy;
bool secure_mode_policyload;
')
# Same gating pattern as selinux_set_enforce_mode: selinuxfs file
# write is unconditional, the load_policy security permission is
# granted only while secure_mode_policyload is off, and the domain
# is tagged with can_load_policy.
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file { getattr read write };
typeattribute $1 can_load_policy;
if(!secure_mode_policyload) {
allow $1 security_t:security load_policy;
ifdef(`distro_rhel4',`
# needed for systems without audit support
auditallow $1 security_t:security load_policy;
')
}
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `selinux_load_policy'($*)) dnl
')
########################################
##
## Allow caller to read the state of Booleans
##
##
##
## Allow the caller to read the state of Booleans
##
##
##
##
## The process type allowed to read the state of Booleans.
##
##
##
#
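define(`selinux_get_boolean',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `selinux_get_boolean'($*)) dnl
gen_require(`
type security_t;
attribute booleans_type;
')
# Read-only access to the boolean files: list the selinuxfs root and
# the booleans directory, then read the boolean files. The
# secure_mode_policyload boolean is not consulted here (it only gates
# the set interfaces), so it is not required.
allow $1 security_t:dir list_dir_perms;
allow $1 booleans_type:dir list_dir_perms;
allow $1 booleans_type:file read_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `selinux_get_boolean'($*)) dnl
')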
########################################
##
## Allow caller to set the state of Booleans to
## enable or disable conditional portions of the policy.
##
##
##
## Allow caller to set the state of Booleans to
## enable or disable conditional portions of the policy.
##
##
## Since this is a security event, this action is
## always audited.
##
##
##
##
## The process type allowed to set the Boolean.
##
##
##
#
define(`selinux_set_boolean',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `selinux_set_boolean'($*)) dnl
gen_require(`
type security_t;
attribute booleans_type;
bool secure_mode_policyload;
')
# Write access to the boolean files is unconditional; the setbool
# security permission that lets the kernel accept the change is only
# granted while secure_mode_policyload is off.
allow $1 security_t:dir list_dir_perms;
allow $1 booleans_type:dir list_dir_perms;
allow $1 booleans_type:file { getattr read write };
if(!secure_mode_policyload) {
allow $1 security_t:security setbool;
ifdef(`distro_rhel4',`
# needed for systems without audit support
auditallow $1 security_t:security setbool;
')
}
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `selinux_set_boolean'($*)) dnl
')
########################################
##
## Allow caller to set SELinux access vector cache parameters.
##
##
##
## Allow caller to set SELinux access vector cache parameters.
## This allows the domain to set performance related parameters
## of the AVC, such as cache threshold.
##
##
## Since this is a security event, this action is
## always audited.
##
##
##
##
## The process type to allow to set security parameters.
##
##
##
#
define(`selinux_set_parameters',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `selinux_set_parameters'($*)) dnl
gen_require(`
type security_t;
attribute can_setsecparam;
')
# Unlike setenforce/load_policy/setbool, setsecparam is NOT gated on
# secure_mode_policyload and the auditallow is unconditional, so every
# successful use produces an audit record on all distros.
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file { getattr read write };
allow $1 security_t:security setsecparam;
auditallow $1 security_t:security setsecparam;
typeattribute $1 can_setsecparam;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `selinux_set_parameters'($*)) dnl
')
########################################
##
## Allows caller to validate security contexts.
##
##
##
## The process type permitted to validate contexts.
##
##
##
#
define(`selinux_validate_context',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `selinux_validate_context'($*)) dnl
gen_require(`
type security_t;
')
# The selinuxfs query nodes are written with the request and read back
# for the answer, hence read and write on the file class; check_context
# is the security-class permission for the validation itself.
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file { getattr read write };
allow $1 security_t:security check_context;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `selinux_validate_context'($*)) dnl
')
########################################
##
## Allows caller to compute an access vector.
##
##
##
## The process type allowed to compute an access vector.
##
##
##
#
define(`selinux_compute_access_vector',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `selinux_compute_access_vector'($*)) dnl
gen_require(`
type security_t;
')
# Userspace object managers (compute_av) use the same read/write
# query-node pattern as the other selinux_compute_* interfaces; only
# the security-class permission differs.
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file { getattr read write };
allow $1 security_t:security compute_av;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `selinux_compute_access_vector'($*)) dnl
')
########################################
##
## Calculate the default type for object creation.
##
##
##
## Domain allowed access.
##
##
##
#
define(`selinux_compute_create_context',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `selinux_compute_create_context'($*)) dnl
gen_require(`
type security_t;
')
# Query the kernel for the label a new object would receive
# (compute_create); read/write on selinuxfs files is the query channel.
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file { getattr read write };
allow $1 security_t:security compute_create;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `selinux_compute_create_context'($*)) dnl
')
########################################
##
## Allows caller to compute polyinstantiated
## directory members.
##
##
##
## Domain allowed access.
##
##
#
define(`selinux_compute_member',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `selinux_compute_member'($*)) dnl
gen_require(`
type security_t;
')
# compute_member: label computation for polyinstantiated directory
# members, via the selinuxfs query nodes.
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file { getattr read write };
allow $1 security_t:security compute_member;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `selinux_compute_member'($*)) dnl
')
########################################
##
## Calculate the context for relabeling objects.
##
##
##
## Calculate the context for relabeling objects.
## This is determined by using the type_change
## rules in the policy, and is generally used
## for determining the context for relabeling
## a terminal when a user logs in.
##
##
##
##
## Domain allowed access.
##
##
#
define(`selinux_compute_relabel_context',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `selinux_compute_relabel_context'($*)) dnl
gen_require(`
type security_t;
')
# compute_relabel: ask the kernel which type_change rule applies; this
# grants the query only, not relabelfrom/relabelto on any object.
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file { getattr read write };
allow $1 security_t:security compute_relabel;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `selinux_compute_relabel_context'($*)) dnl
')
########################################
##
## Allows caller to compute possible contexts for a user.
##
##
##
## The process type allowed to compute user contexts.
##
##
#
define(`selinux_compute_user_contexts',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `selinux_compute_user_contexts'($*)) dnl
gen_require(`
type security_t;
')
# compute_user: enumerate the contexts reachable for a user
# (login programs); same selinuxfs query channel as the other
# compute interfaces.
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file { getattr read write };
allow $1 security_t:security compute_user;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `selinux_compute_user_contexts'($*)) dnl
')
########################################
##
## Unconfined access to the SELinux kernel security server.
##
##
##
## Domain allowed access.
##
##
#
define(`selinux_unconfined',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `selinux_unconfined'($*)) dnl
gen_require(`
attribute selinux_unconfined_type;
')
# No rules are written here; the actual permissions are whatever the
# policy grants to the selinux_unconfined_type attribute (defined
# elsewhere), so review that attribute to know what this hands out.
typeattribute $1 selinux_unconfined_type;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `selinux_unconfined'($*)) dnl
')
########################################
##
## Generate a file context for a boolean type
##
##
##
## Domain allowed access.
##
##
#
define(`selinux_genbool',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `selinux_genbool'($*)) dnl
gen_require(`
attribute booleans_type;
')
# The argument is the NAME OF A NEW TYPE, not a domain: this declares
# it as a booleans_type, marks it as a filesystem type and as an MLS
# trusted object so it can be read/written across levels.
type $1, booleans_type;
fs_type($1)
mls_trusted_object($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `selinux_genbool'($*)) dnl
')
########################################
##
## Do not audit attempts by the caller to validate security contexts.
##
##
##
## The process type permitted to validate contexts.
##
##
##
#
define(`selinux_dontaudit_validate_context',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `selinux_dontaudit_validate_context'($*)) dnl
gen_require(`
type security_t;
')
# Mirror of selinux_validate_context with dontaudit in place of allow;
# the same three rules are silenced rather than granted.
dontaudit $1 security_t:dir list_dir_perms;
dontaudit $1 security_t:file { getattr read write };
dontaudit $1 security_t:security check_context;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `selinux_dontaudit_validate_context'($*)) dnl
')
## Policy controlling access to storage devices
########################################
##
## Allow the caller to get the attributes of fixed disk
## device nodes.
##
##
##
## The type of the process performing this action.
##
##
#
define(`storage_getattr_fixed_disk_dev',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `storage_getattr_fixed_disk_dev'($*)) dnl
gen_require(`
type fixed_disk_device_t;
')
# stat() on fixed disk block nodes; the /dev listing is needed to
# reach them. No open/read/write is granted.
dev_list_all_dev_nodes($1)
allow $1 fixed_disk_device_t:blk_file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `storage_getattr_fixed_disk_dev'($*)) dnl
')
########################################
##
## Do not audit attempts made by the caller to get
## the attributes of fixed disk device nodes.
##
##
##
## The type of the process to not audit.
##
##
#
define(`storage_dontaudit_getattr_fixed_disk_dev',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `storage_dontaudit_getattr_fixed_disk_dev'($*)) dnl
gen_require(`
type fixed_disk_device_t;
')
# Both block and character nodes carry this type (the chr_file case is
# the raw device control node), so both classes are silenced.
dontaudit $1 fixed_disk_device_t:blk_file getattr;
dontaudit $1 fixed_disk_device_t:chr_file getattr; # /dev/rawctl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `storage_dontaudit_getattr_fixed_disk_dev'($*)) dnl
')
########################################
##
## Allow the caller to set the attributes of fixed disk
## device nodes.
##
##
##
## The type of the process performing this action.
##
##
#
define(`storage_setattr_fixed_disk_dev',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `storage_setattr_fixed_disk_dev'($*)) dnl
gen_require(`
type fixed_disk_device_t;
')
# chmod/chown-style attribute changes on the block node only; this
# does not grant relabeling (see storage_relabel_fixed_disk).
dev_list_all_dev_nodes($1)
allow $1 fixed_disk_device_t:blk_file setattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `storage_setattr_fixed_disk_dev'($*)) dnl
')
########################################
##
## Do not audit attempts made by the caller to set
## the attributes of fixed disk device nodes.
##
##
##
## The type of the process to not audit.
##
##
#
define(`storage_dontaudit_setattr_fixed_disk_dev',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `storage_dontaudit_setattr_fixed_disk_dev'($*)) dnl
gen_require(`
type fixed_disk_device_t;
')
# Silence setattr denials on the block node; unlike the getattr
# variant, the chr_file (rawctl) node is not covered here.
dontaudit $1 fixed_disk_device_t:blk_file setattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `storage_dontaudit_setattr_fixed_disk_dev'($*)) dnl
')
########################################
##
## Allow the caller to directly read from a fixed disk.
## This is extremely dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
##
##
##
## The type of the process performing this action.
##
##
#
define(`storage_raw_read_fixed_disk',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `storage_raw_read_fixed_disk'($*)) dnl
gen_require(`
attribute fixed_disk_raw_read;
type fixed_disk_device_t;
')
# Raw block-level read bypasses every per-file label on the disk, so
# the caller is also tagged with fixed_disk_raw_read - presumably so
# the rest of the policy can audit or constrain such domains as a
# group. Both the blk_file and the chr_file (raw) nodes are covered.
dev_list_all_dev_nodes($1)
allow $1 fixed_disk_device_t:blk_file r_file_perms;
allow $1 fixed_disk_device_t:chr_file r_file_perms;
typeattribute $1 fixed_disk_raw_read;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `storage_raw_read_fixed_disk'($*)) dnl
')
########################################
##
## Do not audit attempts made by the caller to read
## fixed disk device nodes.
##
##
##
## The type of the process to not audit.
##
##
#
define(`storage_dontaudit_read_fixed_disk',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `storage_dontaudit_read_fixed_disk'($*)) dnl
gen_require(`
type fixed_disk_device_t;
')
# Silences blk_file only; the matching allow interface also covers the
# chr_file node, so denials on that node are still logged here.
dontaudit $1 fixed_disk_device_t:blk_file { getattr ioctl read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `storage_dontaudit_read_fixed_disk'($*)) dnl
')
########################################
##
## Allow the caller to directly write to a fixed disk.
## This is extremely dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
##
##
##
## The type of the process performing this action.
##
##
#
define(`storage_raw_write_fixed_disk',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `storage_raw_write_fixed_disk'($*)) dnl
gen_require(`
attribute fixed_disk_raw_write;
type fixed_disk_device_t;
')
# Raw block-level write can rewrite any file (and any label) on the
# disk; the caller is tagged fixed_disk_raw_write for that reason.
# Note the permission set is explicit (getattr write append ioctl)
# rather than a *_file_perms macro, so read is deliberately absent.
dev_list_all_dev_nodes($1)
allow $1 fixed_disk_device_t:blk_file { getattr write append ioctl };
allow $1 fixed_disk_device_t:chr_file { getattr write append ioctl };
typeattribute $1 fixed_disk_raw_write;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `storage_raw_write_fixed_disk'($*)) dnl
')
########################################
##
## Do not audit attempts made by the caller to write
## fixed disk device nodes.
##
##
##
## Domain to not audit.
##
##
#
define(`storage_dontaudit_write_fixed_disk',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `storage_dontaudit_write_fixed_disk'($*)) dnl
gen_require(`
type fixed_disk_device_t;
')
# getattr is intentionally not silenced (unlike the read variant), and
# only the blk_file node is covered.
dontaudit $1 fixed_disk_device_t:blk_file { write append ioctl };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `storage_dontaudit_write_fixed_disk'($*)) dnl
')
########################################
##
## Create, read, write, and delete fixed disk device nodes.
##
##
##
## The type of the process performing this action.
##
##
#
define(`storage_manage_fixed_disk',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `storage_manage_fixed_disk'($*)) dnl
gen_require(`
attribute fixed_disk_raw_read, fixed_disk_raw_write;
type fixed_disk_device_t;
')
# Full lifecycle of the block node (create_file_perms) and, because
# that implies raw read and write of the disk contents, both raw
# attributes. Only the blk_file class is granted, not chr_file.
dev_list_all_dev_nodes($1)
allow $1 fixed_disk_device_t:blk_file create_file_perms;
typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `storage_manage_fixed_disk'($*)) dnl
')
########################################
##
## Create block devices in /dev with the fixed disk type
## via an automatic type transition.
##
##
##
## The type of the process performing this action.
##
##
#
define(`storage_dev_filetrans_fixed_disk',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `storage_dev_filetrans_fixed_disk'($*)) dnl
gen_require(`
type fixed_disk_device_t;
')
# Labeling rule only: block nodes the caller creates in /dev get
# fixed_disk_device_t. The create permission itself must come from
# another interface (for example storage_manage_fixed_disk).
dev_filetrans($1,fixed_disk_device_t,blk_file)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `storage_dev_filetrans_fixed_disk'($*)) dnl
')
########################################
##
## Create block devices on a tmpfs filesystem with the
## fixed disk type via an automatic type transition.
##
##
##
## The type of the process performing this action.
##
##
#
define(`storage_tmpfs_filetrans_fixed_disk',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `storage_tmpfs_filetrans_fixed_disk'($*)) dnl
gen_require(`
type fixed_disk_device_t;
')
# Same as storage_dev_filetrans_fixed_disk but for block nodes created
# on a tmpfs; again a labeling rule, not a create permission.
fs_tmpfs_filetrans($1,fixed_disk_device_t,blk_file)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `storage_tmpfs_filetrans_fixed_disk'($*)) dnl
')
########################################
##
## Relabel fixed disk device nodes.
##
##
##
## The type of the process performing this action.
##
##
#
define(`storage_relabel_fixed_disk',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `storage_relabel_fixed_disk'($*)) dnl
gen_require(`
type fixed_disk_device_t;
')
# Both directions are granted: relabel a node away from and onto
# fixed_disk_device_t. The latter lets the caller turn another block
# node into a fixed disk node, so treat this like the raw interfaces.
dev_list_all_dev_nodes($1)
allow $1 fixed_disk_device_t:blk_file { relabelfrom relabelto };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `storage_relabel_fixed_disk'($*)) dnl
')
########################################
##
## Enable a fixed disk device as swap space
##
##
##
## The type of the process performing this action.
##
##
#
define(`storage_swapon_fixed_disk',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `storage_swapon_fixed_disk'($*)) dnl
gen_require(`
type fixed_disk_device_t;
')
# swapon is a distinct permission from read/write, so this does not
# grant raw access to the disk contents.
dev_list_all_dev_nodes($1)
allow $1 fixed_disk_device_t:blk_file { getattr swapon };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `storage_swapon_fixed_disk'($*)) dnl
')
########################################
##
## Allow the caller to get the attributes of
## the generic SCSI interface device nodes.
##
##
##
## The type of the process performing this action.
##
##
#
define(`storage_getattr_scsi_generic_dev',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `storage_getattr_scsi_generic_dev'($*)) dnl
gen_require(`
type scsi_generic_device_t;
')
# SCSI generic nodes are character devices, hence chr_file here and in
# the other storage_*_scsi_generic interfaces.
dev_list_all_dev_nodes($1)
allow $1 scsi_generic_device_t:chr_file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `storage_getattr_scsi_generic_dev'($*)) dnl
')
########################################
##
## Allow the caller to set the attributes of
## the generic SCSI interface device nodes.
##
##
##
## The type of the process performing this action.
##
##
#
define(`storage_setattr_scsi_generic_dev',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `storage_setattr_scsi_generic_dev'($*)) dnl
gen_require(`
type scsi_generic_device_t;
')
# Attribute changes on the SCSI generic character node; this is the
# canonical name for the rules that storage_setattr_scsi_generic_dev_dev
# duplicates.
dev_list_all_dev_nodes($1)
allow $1 scsi_generic_device_t:chr_file setattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `storage_setattr_scsi_generic_dev'($*)) dnl
')
########################################
##
## Allow the caller to directly read, in a
## generic fashion, from any SCSI device.
## This is extremely dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
##
##
##
## The type of the process performing this action.
##
##
#
define(`storage_read_scsi_generic',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `storage_read_scsi_generic'($*)) dnl
gen_require(`
attribute scsi_generic_read;
type scsi_generic_device_t;
')
# Pass-through SCSI command access reaches the device below any
# filesystem labeling, so the caller is tagged scsi_generic_read in
# the same way the fixed disk raw interfaces tag their callers.
dev_list_all_dev_nodes($1)
allow $1 scsi_generic_device_t:chr_file r_file_perms;
typeattribute $1 scsi_generic_read;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `storage_read_scsi_generic'($*)) dnl
')
########################################
##
## Allow the caller to directly write, in a
## generic fashion, to any SCSI device.
## This is extremely dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
##
##
##
## The type of the process performing this action.
##
##
#
define(`storage_write_scsi_generic',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `storage_write_scsi_generic'($*)) dnl
gen_require(`
attribute scsi_generic_write;
type scsi_generic_device_t;
')
# Explicit permission set (getattr write ioctl) rather than a
# *_file_perms macro; append is not included, unlike the fixed disk
# raw write interface.
dev_list_all_dev_nodes($1)
allow $1 scsi_generic_device_t:chr_file { getattr write ioctl };
typeattribute $1 scsi_generic_write;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `storage_write_scsi_generic'($*)) dnl
')
########################################
##
## Set attributes of the device nodes
## for the SCSI generic interface.
##
##
##
## The type of the process performing this action.
##
##
#
define(`storage_setattr_scsi_generic_dev_dev',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `storage_setattr_scsi_generic_dev_dev'($*)) dnl
gen_require(`
type scsi_generic_device_t;
')
# Rule-for-rule identical to storage_setattr_scsi_generic_dev; the
# doubled _dev suffix looks like a naming slip that was kept for
# existing callers - new policy should call the shorter name.
dev_list_all_dev_nodes($1)
allow $1 scsi_generic_device_t:chr_file setattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `storage_setattr_scsi_generic_dev_dev'($*)) dnl
')
########################################
##
## Do not audit attempts to read or write
## SCSI generic device interfaces.
##
##
##
## Domain to not audit.
##
##
#
define(`storage_dontaudit_rw_scsi_generic',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `storage_dontaudit_rw_scsi_generic'($*)) dnl
gen_require(`
type scsi_generic_device_t;
')
# Silences the rw_file_perms set, which is broader than the union of
# what the read and write allow interfaces above actually grant.
dontaudit $1 scsi_generic_device_t:chr_file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `storage_dontaudit_rw_scsi_generic'($*)) dnl
')
########################################
##
## Allow the caller to get the attributes of removable
## devices device nodes.
##
##
##
## The type of the process performing this action.
##
##
#
define(`storage_getattr_removable_dev',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `storage_getattr_removable_dev'($*)) dnl
gen_require(`
type removable_device_t;
')
# Purpose: stat() the block device nodes of removable media, nothing more.
# Listing /dev is granted alongside, presumably so the node can be found.
dev_list_all_dev_nodes($1)
allow $1 removable_device_t:blk_file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `storage_getattr_removable_dev'($*)) dnl
')
########################################
##
## Do not audit attempts made by the caller to get
## the attributes of removable devices device nodes.
##
##
##
## The type of the process to not audit.
##
##
#
define(`storage_dontaudit_getattr_removable_dev',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `storage_dontaudit_getattr_removable_dev'($*)) dnl
gen_require(`
type removable_device_t;
')
# Purpose: suppress the audit record for getattr on removable block nodes.
# No access is granted; the denial still happens, it is just not logged.
dontaudit $1 removable_device_t:blk_file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `storage_dontaudit_getattr_removable_dev'($*)) dnl
')
########################################
##
## Do not audit attempts made by the caller to read
## removable devices device nodes.
##
##
##
## The type of the process to not audit.
##
##
#
define(`storage_dontaudit_read_removable_device',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `storage_dontaudit_read_removable_device'($*)) dnl
gen_require(`
type removable_device_t;
')
# Purpose: silence denials for reading removable block nodes.
# The permission set is spelled out here rather than using r_file_perms,
# unlike storage_dontaudit_raw_read_removable_device below; the two are
# therefore not guaranteed to cover the same permissions.
dontaudit $1 removable_device_t:blk_file { getattr ioctl read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `storage_dontaudit_read_removable_device'($*)) dnl
')
########################################
##
## Allow the caller to set the attributes of removable
## devices device nodes.
##
##
##
## The type of the process performing this action.
##
##
#
define(`storage_setattr_removable_dev',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `storage_setattr_removable_dev'($*)) dnl
gen_require(`
type removable_device_t;
')
# Purpose: allow changing attributes (mode, owner, times) of removable
# block device nodes. Does not grant read or write on the device itself.
dev_list_all_dev_nodes($1)
allow $1 removable_device_t:blk_file setattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `storage_setattr_removable_dev'($*)) dnl
')
########################################
##
## Do not audit attempts made by the caller to set
## the attributes of removable devices device nodes.
##
##
##
## The type of the process to not audit.
##
##
#
define(`storage_dontaudit_setattr_removable_dev',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `storage_dontaudit_setattr_removable_dev'($*)) dnl
gen_require(`
type removable_device_t;
')
# Purpose: suppress audit records for setattr on removable block nodes.
# Audit-only; grants nothing.
dontaudit $1 removable_device_t:blk_file setattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `storage_dontaudit_setattr_removable_dev'($*)) dnl
')
########################################
##
## Allow the caller to directly read from
## a removable device.
## This is extremely dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
##
##
##
## The type of the process performing this action.
##
##
#
define(`storage_raw_read_removable_device',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `storage_raw_read_removable_device'($*)) dnl
gen_require(`
type removable_device_t;
')
# Purpose: read the raw block device of removable media.
# Security: reading the block device returns the on-disk bytes of every
# file on that medium regardless of how those files are labeled, which is
# why the header restricts this to trusted domains. Prefer a narrower
# interface (getattr only) wherever the caller does not need the data.
dev_list_all_dev_nodes($1)
allow $1 removable_device_t:blk_file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `storage_raw_read_removable_device'($*)) dnl
')
########################################
##
## Do not audit attempts to directly read removable devices.
##
##
##
## Domain to not audit.
##
##
#
define(`storage_dontaudit_raw_read_removable_device',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `storage_dontaudit_raw_read_removable_device'($*)) dnl
gen_require(`
type removable_device_t;
')
# Purpose: silence denials for raw reads of removable block devices.
# Uses the same r_file_perms set as storage_raw_read_removable_device so
# the suppressed set matches what the allow interface would grant.
dontaudit $1 removable_device_t:blk_file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `storage_dontaudit_raw_read_removable_device'($*)) dnl
')
########################################
##
## Allow the caller to directly write to
## a removable device.
## This is extremely dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
##
##
##
## The type of the process performing this action.
##
##
#
define(`storage_raw_write_removable_device',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `storage_raw_write_removable_device'($*)) dnl
gen_require(`
type removable_device_t;
')
# Purpose: write the raw block device of removable media.
# Security: raw writes can alter any file (and its security label) stored
# on the medium without passing through file-level access checks, so this
# is effectively filesystem-wide write on that device. Trusted domains only.
dev_list_all_dev_nodes($1)
# No read here; the read side is storage_raw_read_removable_device.
allow $1 removable_device_t:blk_file { getattr write ioctl };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `storage_raw_write_removable_device'($*)) dnl
')
########################################
##
## Do not audit attempts to directly write removable devices.
##
##
##
## Domain to not audit.
##
##
#
define(`storage_dontaudit_raw_write_removable_device',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `storage_dontaudit_raw_write_removable_device'($*)) dnl
gen_require(`
type removable_device_t;
')
# Purpose: silence denials for raw writes to removable block devices.
# NOTE(review): this suppresses { write append ioctl } while the allow
# counterpart grants { getattr write ioctl }; getattr denials are still
# logged and append is not in the allow set. Confirm this asymmetry is
# intended before relying on it.
dontaudit $1 removable_device_t:blk_file { write append ioctl };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `storage_dontaudit_raw_write_removable_device'($*)) dnl
')
########################################
##
## Allow the caller to directly read
## a tape device.
##
##
##
## The type of the process performing this action.
##
##
#
define(`storage_read_tape',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `storage_read_tape'($*)) dnl
gen_require(`
type tape_device_t;
')
# Purpose: read from tape device nodes (character devices).
# Like the raw removable-device interfaces, this reads media contents
# directly, not through a labeled filesystem.
dev_list_all_dev_nodes($1)
allow $1 tape_device_t:chr_file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `storage_read_tape'($*)) dnl
')
########################################
##
## Allow the caller to directly write to
## a tape device.
##
##
##
## The type of the process performing this action.
##
##
#
define(`storage_write_tape',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `storage_write_tape'($*)) dnl
gen_require(`
type tape_device_t;
')
# Purpose: write to tape device nodes. This is the write counterpart of
# storage_read_tape (the rules grant write and ioctl, not read).
dev_list_all_dev_nodes($1)
allow $1 tape_device_t:chr_file { getattr write ioctl };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `storage_write_tape'($*)) dnl
')
########################################
##
## Allow the caller to get the attributes
## of device nodes of tape devices.
##
##
##
## The type of the process performing this action.
##
##
#
define(`storage_getattr_tape_dev',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `storage_getattr_tape_dev'($*)) dnl
gen_require(`
type tape_device_t;
')
# Purpose: stat() tape device nodes only; no data access.
dev_list_all_dev_nodes($1)
allow $1 tape_device_t:chr_file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `storage_getattr_tape_dev'($*)) dnl
')
########################################
##
## Allow the caller to set the attributes
## of device nodes of tape devices.
##
##
##
## The type of the process performing this action.
##
##
#
define(`storage_setattr_tape_dev',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `storage_setattr_tape_dev'($*)) dnl
gen_require(`
type tape_device_t;
')
# Purpose: change attributes of tape device nodes; no data access.
dev_list_all_dev_nodes($1)
allow $1 tape_device_t:chr_file setattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `storage_setattr_tape_dev'($*)) dnl
')
########################################
##
## Unconfined access to storage devices.
##
##
##
## Domain allowed access.
##
##
#
define(`storage_unconfined',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `storage_unconfined'($*)) dnl
gen_require(`
attribute storage_unconfined_type;
')
# Purpose: opt the caller out of storage confinement by adding it to the
# storage_unconfined_type attribute. The actual allow rules hang off that
# attribute elsewhere and are not visible here; assume they are broad.
# Security: this is an escape hatch, not a building block. Use the
# specific storage_* interfaces above unless the domain genuinely needs
# unrestricted access to every storage device type.
typeattribute $1 storage_unconfined_type;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `storage_unconfined'($*)) dnl
')
## Policy for terminals.
##
## Depended on by other required modules.
##
########################################
##
## Transform specified type into a pty type.
##
##
##
## An object type that will be applied to a pty.
##
##
#
define(`term_pty',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `term_pty'($*)) dnl
gen_require(`
attribute ptynode;
type devpts_t;
')
# Purpose: turn an object type into a pty type.
# files_type marks it as a file object type; the associate rule lets nodes
# of this type live on the devpts filesystem; ptynode groups all pty types
# so interfaces such as term_use_all_terms can address them together.
files_type($1)
allow $1 devpts_t:filesystem associate;
typeattribute $1 ptynode;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `term_pty'($*)) dnl
')
########################################
##
## Transform specified type into a user
## pty type. This allows it to be relabeled via
## type change by login programs such as ssh.
##
##
##
## The type of the user domain associated with
## this pty.
##
##
##
##
## An object type that will be applied to a pty.
##
##
#
define(`term_user_pty',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `term_user_pty'($*)) dnl
gen_require(`
attribute server_ptynode;
')
# Purpose: make the second argument a pty type owned by the user domain
# given as the first argument.
term_pty($2)
# type_change lets the user domain relabel a login-server pty (any type in
# server_ptynode) to its own pty type when it takes over the terminal.
# This is a relabel permission for the user domain, not for the login
# program; the login program needs its own relabelfrom/relabelto rules.
type_change $1 server_ptynode:chr_file $2;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `term_user_pty'($*)) dnl
')
########################################
##
## Transform specified type into a pty type
## used by login programs, such as sshd.
##
##
##
## An object type that will be applied to a pty.
##
##
#
define(`term_login_pty',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `term_login_pty'($*)) dnl
gen_require(`
attribute server_ptynode;
')
# Purpose: make the type a pty type and additionally tag it as one created
# by a login program. Membership in server_ptynode is what term_user_pty
# uses as the source of its type_change rule.
term_pty($1)
typeattribute $1 server_ptynode;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `term_login_pty'($*)) dnl
')
########################################
##
## Transform specified type into a tty type.
##
##
##
## An object type that will be applied to a tty.
##
##
#
define(`term_tty',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `term_tty'($*)) dnl
gen_require(`
attribute ttynode, serial_device;
type tty_device_t;
')
# Purpose: turn an object type into a tty type.
# NOTE(review): tty_device_t is required above but not referenced in this
# body; it can probably be dropped from the require block.
typeattribute $1 ttynode, serial_device;
# cjp: ?
files_associate_tmp($1)
# static /dev:
fs_associate($1)
# udev:
fs_associate_tmpfs($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `term_tty'($*)) dnl
')
########################################
##
## Transform specified type into a user tty type.
##
##
##
## User domain that is related to this tty.
##
##
##
##
## An object type that will be applied to a tty.
##
##
#
define(`term_user_tty',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `term_user_tty'($*)) dnl
gen_require(`
attribute ttynode;
type tty_device_t;
')
# Purpose: make the second argument a tty type owned by the user domain
# given as the first argument.
term_tty($2)
# The user domain may relabel a generic tty_device_t node to its own type.
type_change $1 tty_device_t:chr_file $2;
# Debian login is from shadow utils and does not allow resetting the perms.
# have to fix this!
# On Debian the source of the type_change is widened to every tty type
# (ttynode), which is broader than the single tty_device_t above.
ifdef(`distro_debian',`
type_change $1 ttynode:chr_file $2;
')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `term_user_tty'($*)) dnl
')
########################################
##
## Create a pty in the /dev/pts directory.
##
##
##
## The type of the process creating the pty.
##
##
##
##
## The type of the pty.
##
##
#
define(`term_create_pty',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `term_create_pty'($*)) dnl
gen_require(`
type bsdpty_device_t, devpts_t, ptmx_t;
')
# Purpose: let a domain allocate a pty and have the slave node labeled
# with the type given as the second argument.
dev_list_all_dev_nodes($1)
# Opening /dev/ptmx is how a new pty pair is allocated.
allow $1 ptmx_t:chr_file rw_file_perms;
allow $1 devpts_t:dir r_dir_perms;
allow $1 devpts_t:filesystem getattr;
# Probing legacy BSD pty nodes is silenced rather than allowed.
dontaudit $1 bsdpty_device_t:chr_file { getattr read write };
# New chr_file nodes created by the caller under devpts get the pty type.
type_transition $1 devpts_t:chr_file $2;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `term_create_pty'($*)) dnl
')
########################################
##
## Read and write the console, all
## ttys and all ptys.
##
##
##
## Domain allowed access.
##
##
##
#
define(`term_use_all_terms',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `term_use_all_terms'($*)) dnl
gen_require(`
attribute ttynode, ptynode;
type console_device_t, devpts_t, tty_device_t;
')
# Purpose: read/write the console, every tty type and every pty type.
# Security: because ttynode and ptynode are attributes, this reaches the
# terminals of every user, including sessions belonging to other users.
# A domain that only needs its own terminal should use
# term_use_controlling_term instead.
dev_list_all_dev_nodes($1)
allow $1 devpts_t:dir r_dir_perms;
allow $1 { console_device_t tty_device_t ttynode ptynode }:chr_file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `term_use_all_terms'($*)) dnl
')
########################################
##
## Write to the console.
##
##
##
## Domain allowed access.
##
##
##
#
define(`term_write_console',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `term_write_console'($*)) dnl
gen_require(`
type console_device_t;
')
# Purpose: write (and append) to /dev/console without being able to read
# keystrokes from it. The read side is term_read_console.
dev_list_all_dev_nodes($1)
allow $1 console_device_t:chr_file { getattr write append };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `term_write_console'($*)) dnl
')
########################################
##
## Read from the console.
##
##
##
## Domain allowed access.
##
##
##
#
define(`term_read_console',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `term_read_console'($*)) dnl
gen_require(`
type console_device_t;
')
# Purpose: read from /dev/console.
# NOTE(review): only read is granted, unlike term_write_console which also
# grants getattr; callers that stat the node first will need getattr from
# another interface.
dev_list_all_dev_nodes($1)
allow $1 console_device_t:chr_file read;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `term_read_console'($*)) dnl
')
########################################
##
## Read from and write to the console.
##
##
##
## Domain allowed access.
##
##
##
#
define(`term_use_console',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `term_use_console'($*)) dnl
gen_require(`
type console_device_t;
')
# Purpose: full read/write access to /dev/console (rw_file_perms).
# Prefer term_write_console for daemons that only emit messages.
dev_list_all_dev_nodes($1)
allow $1 console_device_t:chr_file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `term_use_console'($*)) dnl
')
########################################
##
## Do not audit attempts to read from
## or write to the console.
##
##
##
## Domain to not audit.
##
##
#
define(`term_dontaudit_use_console',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `term_dontaudit_use_console'($*)) dnl
gen_require(`
type console_device_t;
')
# Purpose: silence denials for console read/write. Grants no access.
dontaudit $1 console_device_t:chr_file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `term_dontaudit_use_console'($*)) dnl
')
########################################
##
## Set the attributes of the console
## device node.
##
##
##
## Domain allowed access.
##
##
##
#
define(`term_setattr_console',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `term_setattr_console'($*)) dnl
gen_require(`
type console_device_t;
')
# Purpose: change mode/owner/times of /dev/console; no read or write.
dev_list_all_dev_nodes($1)
allow $1 console_device_t:chr_file setattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `term_setattr_console'($*)) dnl
')
########################################
##
## Relabel from and to the console_device_t
##
##
##
## Domain allowed access.
##
##
#
define(`term_relabel_console',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `term_relabel_console'($*)) dnl
gen_require(`
type console_device_t;
')
# Purpose: relabel the console node to and from console_device_t.
# Security: relabelfrom on console_device_t lets the caller move the node
# to any other type it holds relabelto for, so pair this only with
# domains that legitimately manage device labels.
dev_list_all_dev_nodes($1)
allow $1 console_device_t:chr_file { relabelfrom relabelto };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `term_relabel_console'($*)) dnl
')
########################################
##
## Create the console device (/dev/console).
##
##
##
## Domain allowed access.
##
##
#
define(`term_create_console_dev',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `term_create_console_dev'($*)) dnl
gen_require(`
type device_t, console_device_t;
')
# Purpose: create the /dev/console device node.
# Adding an entry to the device_t directory plus create on the node type.
allow $1 device_t:dir add_entry_dir_perms;
allow $1 console_device_t:chr_file create;
# Security: CAP_MKNOD is not scoped to the console; the capability check
# passes for any mknod the caller attempts, and only the per-type create
# rules above keep it from minting other device nodes.
allow $1 self:capability mknod;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `term_create_console_dev'($*)) dnl
')
########################################
##
## Get the attributes of a pty filesystem
##
##
##
## Domain allowed access.
##
##
#
define(`term_getattr_pty_fs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `term_getattr_pty_fs'($*)) dnl
gen_require(`
type devpts_t;
')
# Purpose: statfs() the devpts filesystem (filesystem class, not the
# /dev/pts directory; see term_dontaudit_getattr_pty_dirs for the dir).
allow $1 devpts_t:filesystem getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `term_getattr_pty_fs'($*)) dnl
')
########################################
##
## Do not audit attempts to get the
## attributes of the /dev/pts directory.
##
##
##
## The type of the process to not audit.
##
##
#
define(`term_dontaudit_getattr_pty_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `term_dontaudit_getattr_pty_dirs'($*)) dnl
gen_require(`
type devpts_t;
')
# Purpose: silence getattr denials on the /dev/pts directory. Grants nothing.
dontaudit $1 devpts_t:dir getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `term_dontaudit_getattr_pty_dirs'($*)) dnl
')
########################################
##
## Search the contents of the /dev/pts directory.
##
##
##
## Domain allowed access.
##
##
#
define(`term_search_ptys',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `term_search_ptys'($*)) dnl
gen_require(`
type devpts_t;
')
# Purpose: traverse /dev/pts (search only; listing is term_list_ptys).
dev_list_all_dev_nodes($1)
allow $1 devpts_t:dir search;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `term_search_ptys'($*)) dnl
')
########################################
##
## Do not audit attempts to search the
## contents of the /dev/pts directory.
##
##
##
## Domain to not audit.
##
##
#
define(`term_dontaudit_search_ptys',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `term_dontaudit_search_ptys'($*)) dnl
gen_require(`
type devpts_t;
')
# Purpose: silence denials for traversing /dev/pts.
# This is the model for a dontaudit interface: both the /dev listing and
# the directory search use dontaudit forms, so nothing is granted.
dev_dontaudit_list_all_dev_nodes($1)
dontaudit $1 devpts_t:dir search;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `term_dontaudit_search_ptys'($*)) dnl
')
########################################
##
## Read the /dev/pts directory to
## list all ptys.
##
##
##
## Domain allowed access.
##
##
#
define(`term_list_ptys',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `term_list_ptys'($*)) dnl
gen_require(`
type devpts_t;
')
# Purpose: enumerate /dev/pts (r_dir_perms), which reveals which pty
# numbers are in use but grants nothing on the pty nodes themselves.
dev_list_all_dev_nodes($1)
allow $1 devpts_t:dir r_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `term_list_ptys'($*)) dnl
')
########################################
##
## Do not audit attempts to read the
## /dev/pts directory.
##
##
##
## The type of the process to not audit.
##
##
#
define(`term_dontaudit_list_ptys',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `term_dontaudit_list_ptys'($*)) dnl
gen_require(`
type devpts_t;
')
# Purpose: silence denials for listing /dev/pts. Grants nothing.
dontaudit $1 devpts_t:dir { getattr search read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `term_dontaudit_list_ptys'($*)) dnl
')
########################################
##
## Do not audit attempts to create, read,
## write, or delete the /dev/pts directory.
##
##
##
## The type of the process to not audit.
##
##
#
define(`term_dontaudit_manage_pty_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `term_dontaudit_manage_pty_dirs'($*)) dnl
gen_require(`
type devpts_t;
')
# Purpose: silence create/read/write/delete denials on the /dev/pts
# directory. Audit suppression only; no access is granted.
dontaudit $1 devpts_t:dir create_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `term_dontaudit_manage_pty_dirs'($*)) dnl
')
########################################
##
## ioctl of generic pty devices.
##
##
##
## Domain allowed access.
##
##
#
# cjp: added for ppp
define(`term_ioctl_generic_ptys',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `term_ioctl_generic_ptys'($*)) dnl
gen_require(`
type devpts_t;
')
# Purpose: ioctl on ptys that still carry the generic devpts_t label
# (i.e. ones that have not been relabeled to a user or login pty type).
dev_list_all_dev_nodes($1)
allow $1 devpts_t:dir search;
# ioctl only: no read or write on the pty.
allow $1 devpts_t:chr_file ioctl;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `term_ioctl_generic_ptys'($*)) dnl
')
########################################
##
## Allow setting the attributes of
## generic pty devices.
##
##
##
## Domain allowed access.
##
##
#
# dwalsh: added for rhgb
define(`term_setattr_generic_ptys',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `term_setattr_generic_ptys'($*)) dnl
gen_require(`
type devpts_t;
')
# Purpose: setattr on generic (devpts_t labeled) pty nodes.
# Unlike most allow interfaces here, no /dev listing is granted.
allow $1 devpts_t:chr_file setattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `term_setattr_generic_ptys'($*)) dnl
')
########################################
##
## Dontaudit setting the attributes of
## generic pty devices.
##
##
##
## Domain to not audit.
##
##
#
# dwalsh: added for rhgb
define(`term_dontaudit_setattr_generic_ptys',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `term_dontaudit_setattr_generic_ptys'($*)) dnl
gen_require(`
type devpts_t;
')
# Purpose: silence setattr denials on generic pty nodes. Grants nothing.
dontaudit $1 devpts_t:chr_file setattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `term_dontaudit_setattr_generic_ptys'($*)) dnl
')
########################################
##
## Read and write the generic pty
## type. This is generally only used in
## the targeted policy.
##
##
##
## Domain allowed access.
##
##
#
define(`term_use_generic_ptys',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `term_use_generic_ptys'($*)) dnl
gen_require(`
type devpts_t;
')
# Purpose: read/write ptys that carry the generic devpts_t label.
# The header notes this is mostly for the targeted policy, where ptys are
# not relabeled per user; in a strict policy the user pty types are what
# a domain normally needs, so consider term_use_all_terms or a user pty
# type instead of widening access here.
dev_list_all_dev_nodes($1)
allow $1 devpts_t:dir list_dir_perms;
allow $1 devpts_t:chr_file { rw_term_perms lock append };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `term_use_generic_ptys'($*)) dnl
')
########################################
##
## Do not audit attempts to read and
## write the generic pty type. This is
## generally only used in the targeted policy.
##
##
##
## The type of the process to not audit.
##
##
#
define(`term_dontaudit_use_generic_ptys',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `term_dontaudit_use_generic_ptys'($*)) dnl
gen_require(`
type devpts_t;
')
# Purpose: silence read/write/ioctl/getattr denials on generic pty nodes.
# Suppresses a narrower set than term_use_generic_ptys grants (no lock or
# append), so those denials would still be logged.
dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `term_dontaudit_use_generic_ptys'($*)) dnl
')
########################################
##
## Read and write the controlling
## terminal (/dev/tty).
##
##
##
## Domain allowed access.
##
##
#
define(`term_use_controlling_term',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `term_use_controlling_term'($*)) dnl
gen_require(`
type devtty_t;
')
# Purpose: read/write /dev/tty, the alias for the processes own
# controlling terminal. This is the least-privilege choice for a domain
# that just needs to talk to the terminal it was started from.
dev_list_all_dev_nodes($1)
allow $1 devtty_t:chr_file { rw_term_perms lock append };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `term_use_controlling_term'($*)) dnl
')
########################################
##
## Read and write the pty multiplexor (/dev/ptmx).
##
##
##
## The type of the process to allow access.
##
##
#
define(`term_use_ptmx',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `term_use_ptmx',($*)) dnl
gen_require(`
type ptmx_t;
')
# Purpose: read/write /dev/ptmx. Opening ptmx allocates a new pty pair, so
# this is effectively the ability to create ptys; without a
# type_transition (see term_create_pty) the slave keeps the generic label.
# No /dev listing is granted here, unlike term_create_pty.
allow $1 ptmx_t:chr_file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `term_use_ptmx'($*)) dnl
')
########################################
##
## Do not audit attempts to read and
## write the pty multiplexor (/dev/ptmx).
##
##
##
## The type of the process to not audit.
##
##
#
define(`term_dontaudit_use_ptmx',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `term_dontaudit_use_ptmx'($*)) dnl
gen_require(`
type ptmx_t;
')
# Purpose: silence getattr/read/write denials on /dev/ptmx. Grants nothing.
dontaudit $1 ptmx_t:chr_file { getattr read write };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `term_dontaudit_use_ptmx'($*)) dnl
')
########################################
##
## Get the attributes of all user
## pty device nodes.
##
##
##
## Domain allowed access.
##
##
##
#
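define(`term_getattr_all_user_ptys',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `term_getattr_all_user_ptys'($*)) dnl
gen_require(`
attribute ptynode;
type devpts_t;
')
# arg 1 = domain. getattr only on every user pty node plus listing of the
# devpts directory; no read or write. devpts_t is referenced by the dir
# rule below, so it is declared in the require block exactly as
# term_use_all_user_ptys does, otherwise a module using this interface
# would reference an undeclared type.
dev_list_all_dev_nodes($1)
allow $1 devpts_t:dir r_dir_perms;
allow $1 ptynode:chr_file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `term_getattr_all_user_ptys'($*)) dnl
')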
########################################
##
## Do not audit attempts to get the
## attributes of any user pty
## device nodes.
##
##
##
## Domain allowed access.
##
##
#
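define(`term_dontaudit_getattr_all_user_ptys',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `term_dontaudit_getattr_all_user_ptys'($*)) dnl
gen_require(`
attribute ptynode;
type devpts_t;
')
# arg 1 = domain. Silences getattr denials on all ptynode types. Note that
# this dontaudit interface also GRANTS real access: r_dir_perms on the
# devpts directory and whatever dev_list_all_dev_nodes allows. Callers that
# want pure audit suppression should be aware of that side effect.
# devpts_t is used by the allow rule, so it is declared in the require
# block like the sibling pty interfaces.
dev_list_all_dev_nodes($1)
allow $1 devpts_t:dir r_dir_perms;
dontaudit $1 ptynode:chr_file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `term_dontaudit_getattr_all_user_ptys'($*)) dnl
')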
########################################
##
## Set the attributes of all user
## pty device nodes.
##
##
##
## Domain allowed access.
##
##
##
#
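define(`term_setattr_all_user_ptys',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `term_setattr_all_user_ptys'($*)) dnl
gen_require(`
attribute ptynode;
type devpts_t;
')
# arg 1 = domain. setattr (ownership/mode style attribute changes) on every
# user pty node plus listing of the devpts directory; no read or write.
# devpts_t is referenced by the dir rule, so it is declared in the require
# block, matching term_use_all_user_ptys.
dev_list_all_dev_nodes($1)
allow $1 devpts_t:dir r_dir_perms;
allow $1 ptynode:chr_file setattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `term_setattr_all_user_ptys'($*)) dnl
')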
########################################
##
## Relabel to all user ptys.
##
##
##
## Domain allowed access.
##
##
#
define(`term_relabelto_all_user_ptys',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `term_relabelto_all_user_ptys'($*)) dnl
gen_require(`
attribute ptynode;
')
# arg 1 = domain. relabelto only on the pty node types. Unlike
# term_relabel_all_user_ptys there is no devpts_t dir search and no
# dev_list_all_dev_nodes call, so reaching the nodes is left to the caller.
allow $1 ptynode:chr_file relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `term_relabelto_all_user_ptys'($*)) dnl
')
########################################
##
## Read and write all user ptys.
##
##
##
## Domain allowed access.
##
##
##
#
define(`term_use_all_user_ptys',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `term_use_all_user_ptys'($*)) dnl
gen_require(`
attribute ptynode;
type devpts_t;
')
# arg 1 = domain. Broad grant: read/write plus lock and append on every
# type carrying the ptynode attribute, i.e. the ptys of all users, plus
# listing of the devpts directory. Use only for domains that legitimately
# need the terminals of other users (terminal multiplexers, login helpers);
# a domain that only needs its own terminal should not get this.
dev_list_all_dev_nodes($1)
allow $1 devpts_t:dir r_dir_perms;
allow $1 ptynode:chr_file { rw_term_perms lock append };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `term_use_all_user_ptys'($*)) dnl
')
########################################
##
## Do not audit attempts to read any
## user ptys.
##
##
##
## The type of the process to not audit.
##
##
#
define(`term_dontaudit_use_all_user_ptys',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `term_dontaudit_use_all_user_ptys'($*)) dnl
gen_require(`
attribute ptynode;
')
# arg 1 = domain. The summary above says read only, but the silenced set
# is the full rw_term_perms plus lock and append, i.e. the same set that
# term_use_all_user_ptys grants. Nothing is allowed here and no devpts
# directory access is touched.
dontaudit $1 ptynode:chr_file { rw_term_perms lock append };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `term_dontaudit_use_all_user_ptys'($*)) dnl
')
########################################
##
## Relabel from and to all user
## pty device nodes.
##
##
##
## Domain allowed access.
##
##
#
define(`term_relabel_all_user_ptys',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `term_relabel_all_user_ptys'($*)) dnl
gen_require(`
attribute ptynode;
type devpts_t;
')
# arg 1 = domain. relabelfrom and relabelto on all ptynode types, with only
# search (not listing) on the devpts directory. Relabeling a terminal to a
# different user pty type is effectively handing it to another user, so
# restrict this to the login/terminal management domains.
dev_list_all_dev_nodes($1)
allow $1 devpts_t:dir search;
allow $1 ptynode:chr_file { relabelfrom relabelto };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `term_relabel_all_user_ptys'($*)) dnl
')
########################################
##
## Get the attributes of all unallocated
## tty device nodes.
##
##
##
## Domain allowed access.
##
##
##
#
define(`term_getattr_unallocated_ttys',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `term_getattr_unallocated_ttys'($*)) dnl
gen_require(`
type tty_device_t;
')
# arg 1 = domain. getattr only on the unallocated tty type; no read/write.
# /dev traversal presumably comes from dev_list_all_dev_nodes.
dev_list_all_dev_nodes($1)
allow $1 tty_device_t:chr_file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `term_getattr_unallocated_ttys'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of all unallocated tty device nodes.
##
##
##
## Domain allowed access.
##
##
#
define(`term_dontaudit_getattr_unallocated_ttys',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `term_dontaudit_getattr_unallocated_ttys'($*)) dnl
gen_require(`
type tty_device_t;
')
# arg 1 = domain. Silences getattr denials on unallocated ttys; unlike the
# getattr allow interface no directory traversal is added, so this is pure
# audit suppression.
dontaudit $1 tty_device_t:chr_file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `term_dontaudit_getattr_unallocated_ttys'($*)) dnl
')
########################################
##
## Set the attributes of all unallocated
## tty device nodes.
##
##
##
## Domain allowed access.
##
##
##
#
define(`term_setattr_unallocated_ttys',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `term_setattr_unallocated_ttys'($*)) dnl
gen_require(`
type tty_device_t;
')
# arg 1 = domain. setattr (ownership/mode style changes) on unallocated
# tty nodes; no read/write of the terminal itself.
dev_list_all_dev_nodes($1)
allow $1 tty_device_t:chr_file setattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `term_setattr_unallocated_ttys'($*)) dnl
')
########################################
##
## Do not audit attempts to set the attributes
## of unallocated tty device nodes.
##
##
##
## Domain allowed access.
##
##
#
define(`term_dontaudit_setattr_unallocated_ttys',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `term_dontaudit_setattr_unallocated_ttys'($*)) dnl
gen_require(`
type tty_device_t;
')
# arg 1 = domain. Silences setattr denials on unallocated ttys; the
# attribute change is still refused, only the audit record is dropped.
dontaudit $1 tty_device_t:chr_file setattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `term_dontaudit_setattr_unallocated_ttys'($*)) dnl
')
########################################
##
## Do not audit attempts to ioctl
## unallocated tty device nodes.
##
##
##
## Domain allowed access.
##
##
#
define(`term_dontaudit_ioctl_unallocated_ttys',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `term_dontaudit_ioctl_unallocated_ttys'($*)) dnl
gen_require(`
type tty_device_t;
')
# arg 1 = domain. Silences ioctl denials on unallocated ttys only; the
# ioctl stays denied and getattr/read/write denials are still audited.
dontaudit $1 tty_device_t:chr_file ioctl;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `term_dontaudit_ioctl_unallocated_ttys'($*)) dnl
')
########################################
##
## Relabel from and to the unallocated
## tty type.
##
##
##
## Domain allowed access.
##
##
#
define(`term_relabel_unallocated_ttys',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `term_relabel_unallocated_ttys'($*)) dnl
gen_require(`
type tty_device_t;
')
# arg 1 = domain. relabelfrom and relabelto on the unallocated tty type.
# This only covers the tty_device_t side of a relabel; the other type
# involved (a user tty type, for example) needs its own relabel rule, see
# term_reset_tty_labels for the one-way variant.
dev_list_all_dev_nodes($1)
allow $1 tty_device_t:chr_file { relabelfrom relabelto };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `term_relabel_unallocated_ttys'($*)) dnl
')
########################################
##
## Relabel from all user tty types to
## the unallocated tty type.
##
##
##
## Domain allowed access.
##
##
#
define(`term_reset_tty_labels',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `term_reset_tty_labels'($*)) dnl
gen_require(`
attribute ttynode;
type tty_device_t;
')
# arg 1 = domain. One-way relabel: relabelfrom any ttynode type and
# relabelto the unallocated type only. The domain can return ttys to the
# unallocated state but cannot label a tty as another user tty type, since
# no relabelto on ttynode is granted; keep it that way.
dev_list_all_dev_nodes($1)
allow $1 ttynode:chr_file relabelfrom;
allow $1 tty_device_t:chr_file relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `term_reset_tty_labels'($*)) dnl
')
########################################
##
## Append to unallocated ttys.
##
##
##
## Domain allowed access.
##
##
#
define(`term_append_unallocated_ttys',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `term_append_unallocated_ttys'($*)) dnl
gen_require(`
type tty_device_t;
')
# arg 1 = domain. getattr and append only on unallocated ttys: output can
# be appended but the terminal cannot be read or written arbitrarily.
dev_list_all_dev_nodes($1)
allow $1 tty_device_t:chr_file { getattr append };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `term_append_unallocated_ttys'($*)) dnl
')
########################################
##
## Write to unallocated ttys.
##
##
##
## Domain allowed access.
##
##
#
define(`term_write_unallocated_ttys',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `term_write_unallocated_ttys'($*)) dnl
gen_require(`
type tty_device_t;
')
# arg 1 = domain. getattr and write on unallocated ttys; no read, so the
# domain can emit output to them but cannot capture keystrokes.
dev_list_all_dev_nodes($1)
allow $1 tty_device_t:chr_file { getattr write };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `term_write_unallocated_ttys'($*)) dnl
')
########################################
##
## Read and write unallocated ttys.
##
##
##
## Domain allowed access.
##
##
##
#
define(`term_use_unallocated_ttys',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `term_use_unallocated_ttys'($*)) dnl
gen_require(`
type tty_device_t;
')
# arg 1 = domain. Full read/write plus lock and append on unallocated ttys.
# Prefer term_write_unallocated_ttys or term_append_unallocated_ttys when
# the domain only produces output.
dev_list_all_dev_nodes($1)
allow $1 tty_device_t:chr_file { rw_term_perms lock append };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `term_use_unallocated_ttys'($*)) dnl
')
########################################
##
## Do not audit attempts to read or
## write unallocated ttys.
##
##
##
## The type of the process to not audit.
##
##
#
define(`term_dontaudit_use_unallocated_ttys',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `term_dontaudit_use_unallocated_ttys'($*)) dnl
gen_require(`
type tty_device_t;
')
# arg 1 = domain. Silences denials for exactly the permission set that
# term_use_unallocated_ttys grants; nothing is allowed and no directory
# access is added.
dontaudit $1 tty_device_t:chr_file { rw_term_perms lock append };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `term_dontaudit_use_unallocated_ttys'($*)) dnl
')
########################################
##
## Get the attributes of all user tty
## device nodes.
##
##
##
## Domain allowed access.
##
##
##
#
define(`term_getattr_all_user_ttys',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `term_getattr_all_user_ttys'($*)) dnl
gen_require(`
attribute ttynode;
')
# arg 1 = domain. getattr only on every type carrying the ttynode
# attribute; no read/write of the terminals.
dev_list_all_dev_nodes($1)
allow $1 ttynode:chr_file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `term_getattr_all_user_ttys'($*)) dnl
')
########################################
##
## Do not audit attempts to get the
## attributes of any user tty
## device nodes.
##
##
##
## Domain allowed access.
##
##
#
define(`term_dontaudit_getattr_all_user_ttys',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `term_dontaudit_getattr_all_user_ttys'($*)) dnl
gen_require(`
attribute ttynode;
')
# arg 1 = domain. Silences getattr denials on all user ttys. Note that the
# dev_list_all_dev_nodes call is kept here, so this dontaudit interface
# presumably also grants /dev listing rather than only suppressing audit;
# the unallocated-tty counterpart does not make that call.
dev_list_all_dev_nodes($1)
dontaudit $1 ttynode:chr_file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `term_dontaudit_getattr_all_user_ttys'($*)) dnl
')
########################################
##
## Set the attributes of all user tty
## device nodes.
##
##
##
## Domain allowed access.
##
##
##
#
define(`term_setattr_all_user_ttys',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `term_setattr_all_user_ttys'($*)) dnl
gen_require(`
attribute ttynode;
')
# arg 1 = domain. setattr (ownership/mode style changes) on every user tty
# node; no read/write of the terminals.
dev_list_all_dev_nodes($1)
allow $1 ttynode:chr_file setattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `term_setattr_all_user_ttys'($*)) dnl
')
########################################
##
## Relabel from and to all user
## tty device nodes.
##
##
##
## Domain allowed access.
##
##
#
define(`term_relabel_all_user_ttys',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `term_relabel_all_user_ttys'($*)) dnl
gen_require(`
attribute ttynode;
')
# arg 1 = domain. relabelfrom and relabelto on all ttynode types. Because
# relabelto is included, the domain can move a tty from one user tty type
# to another; domains that only reset ttys should use term_reset_tty_labels.
dev_list_all_dev_nodes($1)
allow $1 ttynode:chr_file { relabelfrom relabelto };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `term_relabel_all_user_ttys'($*)) dnl
')
########################################
##
## Write to all user ttys.
##
##
##
## Domain allowed access.
##
##
#
define(`term_write_all_user_ttys',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `term_write_all_user_ttys'($*)) dnl
gen_require(`
attribute ttynode;
')
# arg 1 = domain. getattr and write on every user tty; no read, so the
# domain can send output to the terminals of all users but cannot read
# their input.
dev_list_all_dev_nodes($1)
allow $1 ttynode:chr_file { getattr write };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `term_write_all_user_ttys'($*)) dnl
')
########################################
##
## Read and write all user ttys.
##
##
##
## Domain allowed access.
##
##
##
#
define(`term_use_all_user_ttys',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `term_use_all_user_ttys'($*)) dnl
gen_require(`
attribute ttynode;
')
# arg 1 = domain. Broad grant: read/write plus lock and append on every
# type carrying the ttynode attribute, i.e. the ttys of all users. A domain
# holding this can read input typed on any user terminal, so reserve it
# for terminal management domains; output-only callers should use
# term_write_all_user_ttys instead.
dev_list_all_dev_nodes($1)
allow $1 ttynode:chr_file { rw_term_perms lock append };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `term_use_all_user_ttys'($*)) dnl
')
########################################
##
## Do not audit attempts to read or write
## any user ttys.
##
##
##
## Domain allowed access.
##
##
#
define(`term_dontaudit_use_all_user_ttys',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `term_dontaudit_use_all_user_ttys'($*)) dnl
gen_require(`
attribute ttynode;
')
# arg 1 = domain. Only read and write denials are silenced. The pty
# counterpart (term_dontaudit_use_all_user_ptys) silences the wider
# rw_term_perms lock append set, so other permission denials on ttys
# (getattr, ioctl, ...) still show up in the audit log here.
dontaudit $1 ttynode:chr_file { read write };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `term_dontaudit_use_all_user_ttys'($*)) dnl
')
## Andrew Filesystem server
## Aide filesystem integrity checker
########################################
##
## Execute aide in the aide domain
##
##
##
## Domain allowed access.
##
##
#
define(`aide_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `aide_domtrans'($*)) dnl
gen_require(`
type aide_t, aide_exec_t;
')
# arg 1 = domain. Automatic transition into aide_t when the caller executes
# an aide_exec_t file, plus the usual child-to-parent links: the child may
# use inherited fds, read/write the caller pipe and deliver SIGCHLD.
# Unlike amavis_domtrans below, the caller is not allowed to use aide_t fds.
corecmd_search_sbin($1)
domain_auto_trans($1,aide_exec_t,aide_t)
allow aide_t $1:fd use;
allow aide_t $1:fifo_file rw_file_perms;
allow aide_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `aide_domtrans'($*)) dnl
')
########################################
##
## Execute aide programs in the AIDE domain.
##
##
##
## Domain allowed access.
##
##
##
##
## The role to allow the AIDE domain.
##
##
##
##
## The type of the terminal to allow the AIDE domain to use.
##
##
#
define(`aide_run',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `aide_run'($*)) dnl
gen_require(`
type aide_t;
')
# arg 1 = domain, arg 2 = role, arg 3 = terminal type. Wraps aide_domtrans
# and authorises the role for aide_t. The terminal grant is full
# rw_file_perms on whatever chr_file type is passed as arg 3, so callers
# should pass their specific tty/pty type rather than a broad attribute.
aide_domtrans($1)
role $2 types aide_t;
allow aide_t $3:chr_file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `aide_run'($*)) dnl
')
##
## Daemon that interfaces mail transfer agents and content
## checkers, such as virus scanners.
##
########################################
##
## Execute a domain transition to run amavis.
##
##
##
## Domain allowed to transition.
##
##
#
define(`amavis_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `amavis_domtrans'($*)) dnl
gen_require(`
type amavis_t, amavis_exec_t;
')
# arg 1 = domain. Automatic transition into amavis_t on execution of
# amavis_exec_t. fd use is granted in both directions (caller -> amavis_t
# and amavis_t -> caller), plus pipe access and SIGCHLD back to the caller.
# No search of the executable directory is added here, unlike aide_domtrans.
domain_auto_trans($1,amavis_exec_t,amavis_t)
allow $1 amavis_t:fd use;
allow amavis_t $1:fd use;
allow amavis_t $1:fifo_file rw_file_perms;
allow amavis_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `amavis_domtrans'($*)) dnl
')
########################################
##
## Read amavis spool files.
##
##
##
## Domain allowed access.
##
##
#
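define(`amavis_read_spool_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `amavis_read_spool_files'($*)) dnl
gen_require(`
type amavis_spool_t;
')
# arg 1 = domain. Read-only access to the amavis spool. The files are
# reached through /var/spool (files_search_spool) and then through the
# amavis_spool_t directory itself (amavis_manage_spool_files and
# amavis_spool_filetrans show that directories carry this type), so the
# directory is made listable here as well, matching amavis_read_lib_files;
# without it the file read rule alone is unreachable. No write or create.
files_search_spool($1)
allow $1 amavis_spool_t:dir list_dir_perms;
allow $1 amavis_spool_t:file { getattr read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `amavis_read_spool_files'($*)) dnl
')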
########################################
##
## Manage amavis spool files.
##
##
##
## Domain allowed access.
##
##
#
define(`amavis_manage_spool_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `amavis_manage_spool_files'($*)) dnl
gen_require(`
type amavis_spool_t;
')
# arg 1 = domain. Full create/read/write/delete on amavis spool directories
# and files. This is a write path into the mail scanning queue, so it
# should be limited to the MTA and scanner domains that feed or drain it.
files_search_spool($1)
allow $1 amavis_spool_t:dir manage_dir_perms;
allow $1 amavis_spool_t:file manage_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `amavis_manage_spool_files'($*)) dnl
')
########################################
##
## Create objects in the amavis spool directories
## with a private type.
##
##
##
## Domain allowed access.
##
##
##
##
## Private file type.
##
##
##
##
## Class of the object being created.
##
##
#
define(`amavis_spool_filetrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `amavis_spool_filetrans'($*)) dnl
gen_require(`
type amavis_spool_t;
')
# arg 1 = domain, arg 2 = private type for new objects, arg 3 = object
# class(es). Objects the domain creates inside the amavis spool are labeled
# with the private type instead of inheriting amavis_spool_t. Only
# rw_dir_perms on the spool directory is granted; no permission on the
# private type itself is given here, the caller must add that separately.
files_search_spool($1)
allow $1 amavis_spool_t:dir rw_dir_perms;
type_transition $1 amavis_spool_t:$3 $2;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `amavis_spool_filetrans'($*)) dnl
')
########################################
##
## Search amavis lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`amavis_search_lib',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `amavis_search_lib'($*)) dnl
gen_require(`
type amavis_var_lib_t;
')
# arg 1 = domain. Directory search only (no listing, no file access) on the
# amavis lib directory, plus the /var/lib path lead-in. Enough to reach a
# known path below it, nothing more.
allow $1 amavis_var_lib_t:dir search_dir_perms;
files_search_var_lib($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `amavis_search_lib'($*)) dnl
')
########################################
##
## Read amavis lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`amavis_read_lib_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `amavis_read_lib_files'($*)) dnl
gen_require(`
type amavis_var_lib_t;
')
# arg 1 = domain. Read files and list directories under amavis_var_lib_t,
# with the /var/lib path lead-in from files_search_var_lib. Read-only: no
# write, create or delete.
allow $1 amavis_var_lib_t:file r_file_perms;
allow $1 amavis_var_lib_t:dir list_dir_perms;
files_search_var_lib($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `amavis_read_lib_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## amavis lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`amavis_manage_lib_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `amavis_manage_lib_files'($*)) dnl
gen_require(`
type amavis_var_lib_t;
')
# arg 1 = domain. manage_file_perms on the lib files but only rw_dir_perms
# on the directories, i.e. entries can be added and removed but the
# amavis_var_lib_t directories themselves cannot be created or deleted.
# Contrast amavis_manage_spool_files, which uses manage_dir_perms.
allow $1 amavis_var_lib_t:file manage_file_perms;
allow $1 amavis_var_lib_t:dir rw_dir_perms;
files_search_var_lib($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `amavis_manage_lib_files'($*)) dnl
')
########################################
##
## Set the attributes of amavis pid files.
##
##
##
## Domain allowed access.
##
##
#
define(`amavis_setattr_pid_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `amavis_setattr_pid_files'($*)) dnl
gen_require(`
type amavis_var_run_t;
')
# arg 1 = domain. setattr on amavis pid files. Only the generic /var/run
# search (files_search_pids) is added; if the pid files live inside a
# directory that is itself labeled amavis_var_run_t, the caller also needs
# search on amavis_var_run_t:dir - confirm against the file contexts.
allow $1 amavis_var_run_t:file setattr;
files_search_pids($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `amavis_setattr_pid_files'($*)) dnl
')
########################################
##
## Create amavis var run (pid) files.
##
##
##
## Domain allowed access.
##
##
#
define(`amavis_create_pid_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `amavis_create_pid_files'($*)) dnl
gen_require(`
type amavis_var_run_t;
')
# arg 1 = domain. create_file_perms on the amavis pid file type. As with
# amavis_setattr_pid_files, no amavis_var_run_t directory permissions are
# granted here: creating a file inside an amavis-labeled run directory
# would additionally need add_name/write on that directory - verify
# against the file contexts before relying on this alone.
allow $1 amavis_var_run_t:file create_file_perms;
files_search_pids($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `amavis_create_pid_files'($*)) dnl
')
## Apache web server
########################################
##
## Create a set of derived types for apache
## web content.
##
##
##
## The prefix to be used for deriving type names.
##
##
#
########################################
# apache_content_template(prefix)
#
# Declares one family of web-content types for the given prefix
# (httpd_<prefix>_content_t, _htaccess_t, _script_t, _script_exec_t,
# _script_ro_t, _script_rw_t, _script_ra_t) and the rules that tie
# them to httpd_t and httpd_suexec_t.  Called from
# apache_per_role_template for every user prefix.
#
# Least-privilege notes for reviewers:
#  - the script domain unconditionally receives
#    corecmd_exec_all_executables, home-directory search and read/exec
#    of etc files, independent of any tunable;
#  - httpd_unified makes every httpdcontent file writable and
#    executable by the script domain, which removes the ro/rw/ra/exec
#    split established below;
#  - httpd_can_network_connect lets scripts connect to all TCP port
#    types; the _db variant limits connect to postgresql and mysqld.
define(`apache_content_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `apache_content_template'($*)) dnl
gen_require(`
attribute httpdcontent;
attribute httpd_exec_scripts;
attribute httpd_script_exec_type;
type httpd_t, httpd_suexec_t, httpd_log_t;
')
# allow write access to public file transfer
# services files.
# Per-prefix boolean, off by default; consumed by a tunable_policy
# block further down.
gen_tunable(allow_httpd_$1_script_anon_write,false)
#This type is for webpages
type httpd_$1_content_t, httpdcontent; # customizable
files_type(httpd_$1_content_t)
# This type is used for .htaccess files
type httpd_$1_htaccess_t; # customizable;
files_type(httpd_$1_htaccess_t)
# Type that CGI scripts run as
type httpd_$1_script_t;
domain_type(httpd_$1_script_t)
# Reachable from system_r here; the per-role template adds the user
# role separately.
role system_r types httpd_$1_script_t;
# This type is used for executable scripts files
type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable;
corecmd_shell_entry_type(httpd_$1_script_t)
domain_entry_file(httpd_$1_script_t,httpd_$1_script_exec_t)
# The following three are the only areas that
# scripts can read, read/write, or append to
type httpd_$1_script_ro_t, httpdcontent; # customizable
files_type(httpd_$1_script_ro_t)
type httpd_$1_script_rw_t, httpdcontent; # customizable
files_type(httpd_$1_script_rw_t)
type httpd_$1_script_ra_t, httpdcontent; # customizable
files_type(httpd_$1_script_ra_t)
allow httpd_t httpd_$1_htaccess_t:file r_file_perms;
# Unconditional suexec -> script domain transition on exec of the
# script_exec type, followed by the usual parent/child plumbing
# (inherited fds, pipes, SIGCHLD back to suexec).
domain_auto_trans(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
allow httpd_suexec_t httpd_$1_script_t:fd use;
allow httpd_$1_script_t httpd_suexec_t:fd use;
allow httpd_$1_script_t httpd_suexec_t:fifo_file rw_file_perms;
allow httpd_$1_script_t httpd_suexec_t:process sigchld;
allow httpd_suexec_t { httpd_$1_content_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_exec_t }:dir { getattr search };
allow httpd_$1_script_t self:fifo_file rw_file_perms;
allow httpd_$1_script_t self:unix_stream_socket connectto;
allow httpd_$1_script_t httpd_t:fifo_file write;
# apache should set close-on-exec
dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write };
# Allow the script process to search the cgi directory, and users directory
allow httpd_$1_script_t httpd_$1_content_t:dir { getattr search };
# Append-only access to the httpd logs; no read, no truncate.
allow httpd_$1_script_t httpd_log_t:file { getattr append };
allow httpd_$1_script_t httpd_log_t:dir search;
logging_search_logs(httpd_$1_script_t)
can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
allow httpd_$1_script_t httpd_$1_script_exec_t:dir list_dir_perms;
allow httpd_$1_script_t httpd_$1_script_ra_t:dir ra_dir_perms;
allow httpd_$1_script_t httpd_$1_script_ra_t:file ra_file_perms;
allow httpd_$1_script_t httpd_$1_script_ra_t:lnk_file { getattr read };
allow httpd_$1_script_t httpd_$1_script_ro_t:dir { getattr read search };
allow httpd_$1_script_t httpd_$1_script_ro_t:file { read getattr };
allow httpd_$1_script_t httpd_$1_script_ro_t:lnk_file { getattr read };
allow httpd_$1_script_t httpd_$1_script_rw_t:dir create_dir_perms;
allow httpd_$1_script_t httpd_$1_script_rw_t:file create_file_perms;
allow httpd_$1_script_t httpd_$1_script_rw_t:lnk_file create_lnk_perms;
allow httpd_$1_script_t httpd_$1_script_rw_t:sock_file create_file_perms;
allow httpd_$1_script_t httpd_$1_script_rw_t:fifo_file create_file_perms;
# Objects the script domain creates in the tmp directory get the rw
# content type rather than the generic tmp type.
files_tmp_filetrans(httpd_$1_script_t,httpd_$1_script_rw_t,{ dir file lnk_file sock_file fifo_file })
kernel_dontaudit_search_sysctl(httpd_$1_script_t)
kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t)
dev_read_rand(httpd_$1_script_t)
dev_read_urand(httpd_$1_script_t)
# Broad grant: the script domain may execute any executable type on
# the system, not only its own script_exec type.
corecmd_exec_all_executables(httpd_$1_script_t)
files_exec_etc_files(httpd_$1_script_t)
files_read_etc_files(httpd_$1_script_t)
files_search_home(httpd_$1_script_t)
libs_use_ld_so(httpd_$1_script_t)
libs_use_shared_libs(httpd_$1_script_t)
libs_exec_ld_so(httpd_$1_script_t)
libs_exec_lib_files(httpd_$1_script_t)
miscfiles_read_fonts(httpd_$1_script_t)
miscfiles_read_public_files(httpd_$1_script_t)
seutil_dontaudit_search_config(httpd_$1_script_t)
# Unified mode: every httpdcontent file is an entry point, writable and
# executable for this script domain, so the ro/rw/ra/exec separation
# above no longer constrains scripts.
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_$1_script_t httpdcontent:file entrypoint;
allow httpd_$1_script_t httpdcontent:dir create_dir_perms;
allow httpd_$1_script_t httpdcontent:file create_file_perms;
allow httpd_$1_script_t httpdcontent:lnk_file create_lnk_perms;
can_exec(httpd_$1_script_t, httpdcontent)
')
# Gated by the per-prefix boolean declared at the top of this template.
tunable_policy(`allow_httpd_$1_script_anon_write',`
miscfiles_manage_public_files(httpd_$1_script_t)
')
# Allow the web server to run scripts and serve pages
# Here httpd_t itself, rather than a separate script domain, receives
# read/write access to this content class.
tunable_policy(`httpd_builtin_scripting',`
allow httpd_t httpd_$1_script_rw_t:dir create_dir_perms;
allow httpd_t httpd_$1_script_rw_t:file create_file_perms;
allow httpd_t httpd_$1_script_rw_t:lnk_file create_lnk_perms;
allow httpd_t httpd_$1_script_rw_t:sock_file rw_file_perms;
allow httpd_t httpd_$1_script_ra_t:dir ra_dir_perms;
allow httpd_t httpd_$1_script_ra_t:file ra_file_perms;
allow httpd_t httpd_$1_script_ra_t:lnk_file { getattr read };
allow httpd_t httpd_$1_script_ro_t:dir r_dir_perms;
allow httpd_t httpd_$1_script_ro_t:file r_file_perms;
allow httpd_t httpd_$1_script_ro_t:lnk_file { getattr read };
allow httpd_t httpd_$1_content_t:dir r_dir_perms;
allow httpd_t httpd_$1_content_t:file r_file_perms;
allow httpd_t httpd_$1_content_t:lnk_file { getattr read };
')
# CGI: members of httpd_exec_scripts and httpd_t itself may transition
# into the script domain by executing a script_exec file.
tunable_policy(`httpd_enable_cgi',`
allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint;
# privileged users run the script:
domain_auto_trans(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t)
allow httpd_exec_scripts httpd_$1_script_exec_t:file r_file_perms;
allow httpd_exec_scripts httpd_$1_script_t:fd use;
allow httpd_$1_script_t httpd_exec_scripts:fd use;
allow httpd_$1_script_t httpd_exec_scripts:fifo_file rw_file_perms;
allow httpd_$1_script_t httpd_exec_scripts:process sigchld;
# apache runs the script:
domain_auto_trans(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
allow httpd_t httpd_$1_script_exec_t:file r_file_perms;
allow httpd_t httpd_$1_script_t:fd use;
allow httpd_$1_script_t httpd_t:fd use;
allow httpd_$1_script_t httpd_t:fifo_file rw_file_perms;
allow httpd_$1_script_t httpd_t:process sigchld;
# httpd_t can kill or stop runaway scripts.
allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop };
allow httpd_t httpd_$1_script_exec_t:dir r_dir_perms;
allow httpd_t httpd_$1_script_exec_t:file r_file_perms;
allow httpd_$1_script_t self:process { setsched signal_perms };
allow httpd_$1_script_t self:unix_stream_socket create_stream_socket_perms;
allow httpd_$1_script_t httpd_t:fd use;
allow httpd_$1_script_t httpd_t:process sigchld;
kernel_read_system_state(httpd_$1_script_t)
# Already granted unconditionally above; harmless duplicate.
dev_read_urand(httpd_$1_script_t)
fs_getattr_xattr_fs(httpd_$1_script_t)
files_read_etc_runtime_files(httpd_$1_script_t)
files_read_usr_files(httpd_$1_script_t)
libs_read_lib_files(httpd_$1_script_t)
miscfiles_read_localization(httpd_$1_script_t)
')
# Narrow network grant: only the postgresql and mysqld port types are
# connectable.
tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms;
allow httpd_$1_script_t self:udp_socket create_socket_perms;
corenet_non_ipsec_sendrecv(httpd_$1_script_t)
corenet_tcp_sendrecv_all_if(httpd_$1_script_t)
corenet_udp_sendrecv_all_if(httpd_$1_script_t)
corenet_tcp_sendrecv_all_nodes(httpd_$1_script_t)
corenet_udp_sendrecv_all_nodes(httpd_$1_script_t)
corenet_tcp_sendrecv_all_ports(httpd_$1_script_t)
corenet_udp_sendrecv_all_ports(httpd_$1_script_t)
corenet_tcp_connect_postgresql_port(httpd_$1_script_t)
corenet_tcp_connect_mysqld_port(httpd_$1_script_t)
corenet_sendrecv_postgresql_client_packets(httpd_$1_script_t)
corenet_sendrecv_mysqld_client_packets(httpd_$1_script_t)
sysnet_read_config(httpd_$1_script_t)
')
# Broad network grant: scripts may connect to every TCP port type.
# Prefer the _db tunable above when only database access is needed.
tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms;
allow httpd_$1_script_t self:udp_socket create_socket_perms;
corenet_non_ipsec_sendrecv(httpd_$1_script_t)
corenet_tcp_sendrecv_all_if(httpd_$1_script_t)
corenet_udp_sendrecv_all_if(httpd_$1_script_t)
corenet_tcp_sendrecv_all_nodes(httpd_$1_script_t)
corenet_udp_sendrecv_all_nodes(httpd_$1_script_t)
corenet_tcp_sendrecv_all_ports(httpd_$1_script_t)
corenet_udp_sendrecv_all_ports(httpd_$1_script_t)
corenet_tcp_connect_all_ports(httpd_$1_script_t)
corenet_sendrecv_all_client_packets(httpd_$1_script_t)
sysnet_read_config(httpd_$1_script_t)
')
optional_policy(`
tunable_policy(`httpd_enable_cgi && allow_ypbind',`
nis_use_ypbind_uncond(httpd_$1_script_t)
')
')
optional_policy(`
nscd_socket_use(httpd_$1_script_t)
')
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `apache_content_template'($*)) dnl
')
#######################################
##
## The per role template for the apache module.
##
##
##
## This template creates types used for web pages
## and web cgi to be used from the user home directory.
##
##
## This template is invoked automatically for each user, and
## generally does not need to be invoked directly
## by policy writers.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## The type of the user domain.
##
##
##
##
## The role associated with the user domain.
##
##
#
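########################################
# apache_per_role_template(prefix, user_domain, user_role)
#
# Instantiates apache_content_template for a user prefix, marks the
# resulting content type as user home content and as a member of
# httpd_script_domains, adds the script domain to the user role, and
# lets the user domain create and relabel every type in the family.
#
# The script_exec rules are written once with the full permission set
# (create_*_perms plus relabelto/relabelfrom); an earlier version also
# carried a second, create-only copy of each, which was a strict subset
# and has been dropped.
define(`apache_per_role_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `apache_per_role_template'($*)) dnl
gen_require(`
attribute httpdcontent, httpd_script_domains;
attribute httpd_exec_scripts;
type httpd_t, httpd_suexec_t, httpd_log_t, httpd_sys_script_t;
')
apache_content_template($1)
typeattribute httpd_$1_content_t httpd_script_domains;
userdom_user_home_content($1,httpd_$1_content_t)
role $3 types httpd_$1_script_t;
# Only relabel is granted on the content type here; create access is
# presumably supplied by userdom_user_home_content above.
allow $2 httpd_$1_content_t:{ dir file lnk_file } { relabelto relabelfrom };
allow $2 httpd_$1_htaccess_t:file { create_file_perms relabelto relabelfrom };
allow $2 httpd_$1_script_ra_t:lnk_file { create_lnk_perms relabelto relabelfrom };
allow $2 httpd_$1_script_ra_t:dir { create_dir_perms relabelto relabelfrom };
allow $2 httpd_$1_script_ra_t:file { create_file_perms relabelto relabelfrom };
allow $2 httpd_$1_script_ro_t:lnk_file { create_lnk_perms relabelto relabelfrom };
allow $2 httpd_$1_script_ro_t:dir { create_dir_perms relabelto relabelfrom };
allow $2 httpd_$1_script_ro_t:file { create_file_perms relabelto relabelfrom };
allow $2 httpd_$1_script_rw_t:lnk_file { create_lnk_perms relabelto relabelfrom };
allow $2 httpd_$1_script_rw_t:dir { create_dir_perms relabelto relabelfrom };
allow $2 httpd_$1_script_rw_t:file { create_file_perms relabelto relabelfrom };
# The user domain both writes the script entry points and (below,
# under httpd_enable_cgi) transitions into the script domain when
# running them, so these files are fully under user control.
allow $2 httpd_$1_script_exec_t:dir { create_dir_perms relabelto relabelfrom };
allow $2 httpd_$1_script_exec_t:file { create_file_perms relabelto relabelfrom };
allow $2 httpd_$1_script_exec_t:lnk_file { create_lnk_perms relabelto relabelfrom };
tunable_policy(`httpd_enable_cgi',`
# If a user starts a script by hand it gets the proper context
domain_auto_trans($2, httpd_$1_script_exec_t, httpd_$1_script_t)
allow $2 httpd_$1_script_t:fd use;
allow httpd_$1_script_t $2:fd use;
allow httpd_$1_script_t $2:fifo_file rw_file_perms;
allow httpd_$1_script_t $2:process sigchld;
')
# Unified mode: any httpdcontent file executed by the user domain
# transitions into the script domain, not just script_exec files.
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_$1_script_t httpdcontent:file entrypoint;
domain_auto_trans($2, httpdcontent, httpd_$1_script_t)
allow $2 httpd_$1_script_t:fd use;
allow httpd_$1_script_t $2:fd use;
allow httpd_$1_script_t $2:fifo_file rw_file_perms;
allow httpd_$1_script_t $2:process sigchld;
')
# allow accessing files/dirs below the users home dir
tunable_policy(`httpd_enable_homedirs',`
userdom_search_user_home_dirs($1,httpd_t)
userdom_search_user_home_dirs($1,httpd_suexec_t)
userdom_search_user_home_dirs($1,httpd_$1_script_t)
userdom_search_user_home_dirs($1,httpd_sys_script_t)
')
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `apache_per_role_template'($*)) dnl
')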
########################################
##
## Read httpd user scripts executables.
##
##
##
## Prefix of the domain. Example, user would be
## the prefix for the user_t domain.
##
##
##
##
## Domain allowed access.
##
##
#
########################################
# apache_read_user_scripts(prefix, domain)
#
# Read-only access (dir, file, symlink) to the script entry-point type
# of the given user prefix.  No execute or transition is granted.
define(`apache_read_user_scripts',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `apache_read_user_scripts'($*)) dnl
gen_require(`
type httpd_$1_script_exec_t;
')
allow $2 httpd_$1_script_exec_t:dir r_dir_perms;
allow $2 httpd_$1_script_exec_t:file r_file_perms;
allow $2 httpd_$1_script_exec_t:lnk_file { getattr read };
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `apache_read_user_scripts'($*)) dnl
')
########################################
##
## Read user web content.
##
##
##
## Prefix of the domain. Example, user would be
## the prefix for the user_t domain.
##
##
##
##
## Domain allowed access.
##
##
#
########################################
# apache_read_user_content(prefix, domain)
#
# Read-only access (dir, file, symlink) to the web content type of the
# given user prefix.
define(`apache_read_user_content',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `apache_read_user_content'($*)) dnl
gen_require(`
type httpd_$1_content_t;
')
allow $2 httpd_$1_content_t:dir r_dir_perms;
allow $2 httpd_$1_content_t:file r_file_perms;
allow $2 httpd_$1_content_t:lnk_file { getattr read };
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `apache_read_user_content'($*)) dnl
')
########################################
##
## Transition to apache.
##
##
##
## Domain allowed access.
##
##
#
########################################
# apache_domtrans(domain)
#
# Automatic domain transition to httpd_t when the caller executes a
# file of type httpd_exec_t, plus the usual parent/child plumbing
# (inherited fds in both directions, pipes, SIGCHLD back to the caller).
define(`apache_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `apache_domtrans'($*)) dnl
gen_require(`
type httpd_t, httpd_exec_t;
')
# Presumably so the caller can reach the httpd binary under sbin.
corecmd_search_sbin($1)
domain_auto_trans($1,httpd_exec_t,httpd_t)
allow $1 httpd_t:fd use;
allow httpd_t $1:fd use;
allow httpd_t $1:fifo_file rw_file_perms;
allow httpd_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `apache_domtrans'($*)) dnl
')
########################################
##
## Send a null signal to apache.
##
##
##
## Domain allowed access.
##
##
#
########################################
# apache_signull(domain)
#
# Lets the caller send a null signal to httpd_t (signull only; no
# other signal permission is included).
define(`apache_signull',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `apache_signull'($*)) dnl
gen_require(`
type httpd_t;
')
allow $1 httpd_t:process signull;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `apache_signull'($*)) dnl
')
########################################
##
## Send a SIGCHLD signal to apache.
##
##
##
## Domain allowed access.
##
##
#
########################################
# apache_sigchld(domain)
#
# Lets the caller deliver SIGCHLD to httpd_t, i.e. act as a child of
# the web server without any other signal permission.
define(`apache_sigchld',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `apache_sigchld'($*)) dnl
gen_require(`
type httpd_t;
')
allow $1 httpd_t:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `apache_sigchld'($*)) dnl
')
########################################
##
## Get the attributes of the apache process.
##
##
##
## Domain allowed access.
##
##
#
########################################
# apache_getattr(domain)
#
# Lets the caller read process attributes of httpd_t (process getattr
# only).
define(`apache_getattr',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `apache_getattr'($*)) dnl
gen_require(`
type httpd_t;
')
allow $1 httpd_t:process getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `apache_getattr'($*)) dnl
')
########################################
##
## Inherit and use file descriptors from Apache.
##
##
##
## Domain allowed access.
##
##
#
########################################
# apache_use_fds(domain)
#
# Lets the caller use file descriptors it inherited from httpd_t.
# Access to the object behind each descriptor is still checked
# separately against the object type.
define(`apache_use_fds',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `apache_use_fds'($*)) dnl
gen_require(`
type httpd_t;
')
allow $1 httpd_t:fd use;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `apache_use_fds'($*)) dnl
')
########################################
##
## Do not audit attempts to read and write Apache
## unix domain stream sockets.
##
##
##
## Domain allowed access.
##
##
#
########################################
# apache_dontaudit_rw_stream_sockets(domain)
#
# Suppresses audit messages for read/write on httpd_t unix stream
# sockets.  The access stays denied; only the log noise is removed,
# presumably for socket fds leaked across a transition that the caller
# never actually needs.
define(`apache_dontaudit_rw_stream_sockets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `apache_dontaudit_rw_stream_sockets'($*)) dnl
gen_require(`
type httpd_t;
')
dontaudit $1 httpd_t:unix_stream_socket { read write };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `apache_dontaudit_rw_stream_sockets'($*)) dnl
')
########################################
##
## Do not audit attempts to read and write Apache
## TCP sockets.
##
##
##
## Domain allowed access.
##
##
#
########################################
# apache_dontaudit_rw_tcp_sockets(domain)
#
# Suppresses audit messages for read/write on httpd_t TCP sockets.
# The access stays denied; only the log noise is removed.
define(`apache_dontaudit_rw_tcp_sockets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `apache_dontaudit_rw_tcp_sockets'($*)) dnl
gen_require(`
type httpd_t;
')
dontaudit $1 httpd_t:tcp_socket { read write };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `apache_dontaudit_rw_tcp_sockets'($*)) dnl
')
########################################
##
## Create, read, write, and delete all web content.
##
##
##
## Domain allowed access.
##
##
##
#
########################################
# apache_manage_all_content(domain)
#
# Full manage access over every type carrying the httpdcontent
# attribute and, in addition, every httpd_script_exec_type.  The second
# half means the caller can create and modify the files that script
# domains execute via domain transition, so this is effectively
# administrative control over all web-served code; grant it only to
# domains that really need to deploy content.
define(`apache_manage_all_content',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `apache_manage_all_content'($*)) dnl
gen_require(`
attribute httpdcontent, httpd_script_exec_type;
')
allow $1 httpdcontent:dir manage_dir_perms;
allow $1 httpdcontent:file manage_file_perms;
allow $1 httpdcontent:lnk_file create_lnk_perms;
allow $1 httpd_script_exec_type:dir manage_dir_perms;
allow $1 httpd_script_exec_type:file manage_file_perms;
allow $1 httpd_script_exec_type:lnk_file create_lnk_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `apache_manage_all_content'($*)) dnl
')
########################################
##
## Allow the specified domain to read
## and write Apache cache files.
##
##
##
## Domain allowed access.
##
##
#
########################################
# apache_rw_cache_files(domain)
#
# Read/write on files of type httpd_cache_t.  Note that no directory
# permission is granted here, so the caller needs search access to the
# cache directory from elsewhere to reach the files.
define(`apache_rw_cache_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `apache_rw_cache_files'($*)) dnl
gen_require(`
type httpd_cache_t;
')
allow $1 httpd_cache_t:file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `apache_rw_cache_files'($*)) dnl
')
########################################
##
## Allow the specified domain to read
## apache configuration files.
##
##
##
## Domain allowed access.
##
##
##
#
########################################
# apache_read_config(domain)
#
# Read-only access (dir, file, symlink) to httpd_config_t, plus search
# of etc so the configuration directory is reachable.
define(`apache_read_config',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `apache_read_config'($*)) dnl
gen_require(`
type httpd_config_t;
')
files_search_etc($1)
allow $1 httpd_config_t:dir r_dir_perms;
allow $1 httpd_config_t:file r_file_perms;
allow $1 httpd_config_t:lnk_file { getattr read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `apache_read_config'($*)) dnl
')
########################################
##
## Allow the specified domain to manage
## apache configuration files.
##
##
##
## Domain allowed access.
##
##
#
########################################
# apache_manage_config(domain)
#
# Manage (create/write/delete) dirs and files of type httpd_config_t;
# symlinks in the config tree are only readable.  Write access to the
# httpd configuration decides which modules load and what runs as
# httpd_t, so treat this as an administrative grant.
define(`apache_manage_config',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `apache_manage_config'($*)) dnl
gen_require(`
type httpd_config_t;
')
files_search_etc($1)
allow $1 httpd_config_t:dir manage_dir_perms;
allow $1 httpd_config_t:file manage_file_perms;
allow $1 httpd_config_t:lnk_file { getattr read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `apache_manage_config'($*)) dnl
')
########################################
##
## Execute the Apache helper program with
## a domain transition.
##
##
##
## Domain allowed access.
##
##
#
########################################
# apache_domtrans_helper(domain)
#
# Automatic transition to httpd_helper_t when the caller executes a
# file of type httpd_helper_exec_t, with the same fd/pipe/SIGCHLD
# plumbing as apache_domtrans.
define(`apache_domtrans_helper',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `apache_domtrans_helper'($*)) dnl
gen_require(`
type httpd_helper_t, httpd_helper_exec_t;
')
corecmd_search_sbin($1)
domain_auto_trans($1,httpd_helper_exec_t,httpd_helper_t)
allow $1 httpd_helper_t:fd use;
allow httpd_helper_t $1:fd use;
allow httpd_helper_t $1:fifo_file rw_file_perms;
allow httpd_helper_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `apache_domtrans_helper'($*)) dnl
')
########################################
##
## Execute the Apache helper program with
## a domain transition, and allow the
## specified role the dmidecode domain.
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed the dmidecode domain.
##
##
##
##
## The type of the terminal allow the dmidecode domain to use.
##
##
##
#
########################################
# apache_run_helper(domain, role, terminal_type)
#
# apache_domtrans_helper plus: the given role may hold httpd_helper_t,
# and httpd_helper_t may read/write the given terminal type.
# NOTE(review): the doc header above this interface refers to the
# dmidecode domain; the rules here only concern httpd_helper_t, so the
# header text looks copy-pasted.
define(`apache_run_helper',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `apache_run_helper'($*)) dnl
gen_require(`
type httpd_helper_t;
')
apache_domtrans_helper($1)
role $2 types httpd_helper_t;
allow httpd_helper_t $3:chr_file rw_term_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `apache_run_helper'($*)) dnl
')
########################################
##
## Allow the specified domain to read
## apache log files.
##
##
##
## Domain allowed access.
##
##
##
#
########################################
# apache_read_log(domain)
#
# Read-only access (dir, file, symlink) to httpd_log_t, plus search of
# the log directory tree.
define(`apache_read_log',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `apache_read_log'($*)) dnl
gen_require(`
type httpd_log_t;
')
logging_search_logs($1)
allow $1 httpd_log_t:dir r_dir_perms;
allow $1 httpd_log_t:file r_file_perms;
allow $1 httpd_log_t:lnk_file { getattr read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `apache_read_log'($*)) dnl
')
########################################
##
## Allow the specified domain to append
## to apache log files.
##
##
##
## Domain allowed access.
##
##
#
########################################
# apache_append_log(domain)
#
# Append-only access to httpd_log_t files (no read, no truncate), with
# listing of the log directory.  The dir grant is r_dir_perms, which is
# wider than the search needed to open a file for append; keep in mind
# if tightening.
define(`apache_append_log',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `apache_append_log'($*)) dnl
gen_require(`
type httpd_log_t;
')
logging_search_logs($1)
allow $1 httpd_log_t:dir r_dir_perms;
allow $1 httpd_log_t:file append;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `apache_append_log'($*)) dnl
')
########################################
##
## Do not audit attempts to append to the
## Apache logs.
##
##
##
## Domain to not audit.
##
##
#
########################################
# apache_dontaudit_append_log(domain)
#
# Suppresses audit messages for getattr/append on httpd_log_t files.
# The access stays denied; only the log noise is removed.
define(`apache_dontaudit_append_log',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `apache_dontaudit_append_log'($*)) dnl
gen_require(`
type httpd_log_t;
')
dontaudit $1 httpd_log_t:file { getattr append };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `apache_dontaudit_append_log'($*)) dnl
')
########################################
##
## Allow the specified domain to manage
## apache log files.
##
##
##
## Domain allowed access.
##
##
#
########################################
# apache_manage_log(domain)
#
# Manage (create/write/delete) dirs and files of type httpd_log_t;
# symlinks are only readable.  This lets the caller truncate or remove
# web server logs, so it affects audit-trail integrity; normally only
# log rotation style domains should get it.
define(`apache_manage_log',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `apache_manage_log'($*)) dnl
gen_require(`
type httpd_log_t;
')
logging_search_logs($1)
allow $1 httpd_log_t:dir manage_dir_perms;
allow $1 httpd_log_t:file manage_file_perms;
allow $1 httpd_log_t:lnk_file { getattr read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `apache_manage_log'($*)) dnl
')
########################################
##
## Do not audit attempts to search Apache
## module directories.
##
##
##
## Domain to not audit.
##
##
#
########################################
# apache_dontaudit_search_modules(domain)
#
# Suppresses audit messages for searching httpd_modules_t directories.
# The access stays denied; only the log noise is removed.
define(`apache_dontaudit_search_modules',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `apache_dontaudit_search_modules'($*)) dnl
gen_require(`
type httpd_modules_t;
')
dontaudit $1 httpd_modules_t:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `apache_dontaudit_search_modules'($*)) dnl
')
########################################
##
## Allow the specified domain to list
## the contents of the apache modules
## directory.
##
##
##
## Domain allowed access.
##
##
#
########################################
# apache_list_modules(domain)
#
# Read/list access to httpd_modules_t directories only; module files
# themselves are not readable through this interface.
define(`apache_list_modules',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `apache_list_modules'($*)) dnl
gen_require(`
type httpd_modules_t;
')
allow $1 httpd_modules_t:dir r_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `apache_list_modules'($*)) dnl
')
########################################
##
## Allow the specified domain to execute
## apache modules.
##
##
##
## Domain allowed access.
##
##
#
########################################
# apache_exec_modules(domain)
#
# Lets the caller list the module directory and execute (can_exec, no
# domain transition) files of type httpd_modules_t.
# NOTE(review): the symlink rule uses r_file_perms, whereas every other
# interface in this file grants lnk_file { getattr read }; the wider
# set is probably unintentional but is left as is here.
define(`apache_exec_modules',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `apache_exec_modules'($*)) dnl
gen_require(`
type httpd_modules_t;
')
allow $1 httpd_modules_t:dir r_dir_perms;
allow $1 httpd_modules_t:lnk_file r_file_perms;
can_exec($1,httpd_modules_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `apache_exec_modules'($*)) dnl
')
########################################
##
## Execute a domain transition to run httpd_rotatelogs.
##
##
##
## Domain allowed access.
##
##
#
########################################
# apache_domtrans_rotatelogs(domain)
#
# Automatic transition to httpd_rotatelogs_t when the caller executes a
# file of type httpd_rotatelogs_exec_t.
# NOTE(review): unlike apache_domtrans and apache_domtrans_helper this
# interface grants the child the use of caller fds but not the reverse
# (no allow of rotatelogs fds to the caller); may be intentional since
# rotatelogs is normally started by httpd_t as a piped logger.
define(`apache_domtrans_rotatelogs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `apache_domtrans_rotatelogs'($*)) dnl
gen_require(`
type httpd_rotatelogs_t, httpd_rotatelogs_exec_t;
')
domain_auto_trans($1,httpd_rotatelogs_exec_t,httpd_rotatelogs_t)
allow httpd_rotatelogs_t $1:fd use;
allow httpd_rotatelogs_t $1:fifo_file rw_file_perms;
allow httpd_rotatelogs_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `apache_domtrans_rotatelogs'($*)) dnl
')
########################################
##
## Allow the specified domain to manage
## apache system content files.
##
##
##
## Domain allowed access.
##
##
##
#
# Note that httpd_sys_content_t is found in /var, /etc, /srv and /usr
########################################
# apache_manage_sys_content(domain)
#
# Create/write/delete access to dirs, files and symlinks of type
# httpd_sys_content_t.  Only files_search_var is granted for reaching
# the content, so (per the note above) content living under /etc, /srv
# or /usr additionally needs search access from the caller.
define(`apache_manage_sys_content',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `apache_manage_sys_content'($*)) dnl
gen_require(`
type httpd_sys_content_t;
')
files_search_var($1)
allow $1 httpd_sys_content_t:dir create_dir_perms;
allow $1 httpd_sys_content_t:file create_file_perms;
allow $1 httpd_sys_content_t:lnk_file create_lnk_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `apache_manage_sys_content'($*)) dnl
')
########################################
##
## Execute all web scripts in the system
## script domain.
##
##
##
## Domain allowed access.
##
##
#
# cjp: this interface specifically added to allow
# sysadm_t to run scripts
########################################
# apache_domtrans_sys_script(domain)
#
# Only effective when both httpd_enable_cgi and httpd_unified are on:
# executing ANY httpdcontent file (not just a script_exec type) then
# transitions the caller into httpd_sys_script_t, with the usual
# fd/pipe/SIGCHLD plumbing.  With the tunables off this interface
# grants nothing.
define(`apache_domtrans_sys_script',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `apache_domtrans_sys_script'($*)) dnl
gen_require(`
attribute httpdcontent;
type httpd_sys_script_t;
')
tunable_policy(`httpd_enable_cgi && httpd_unified',`
domain_auto_trans($1, httpdcontent, httpd_sys_script_t)
allow $1 httpd_sys_script_t:fd use;
allow httpd_sys_script_t $1:fd use;
allow httpd_sys_script_t $1:fifo_file rw_file_perms;
allow httpd_sys_script_t $1:process sigchld;
')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `apache_domtrans_sys_script'($*)) dnl
')
########################################
##
## Do not audit attempts to read and write Apache
## system script unix domain stream sockets.
##
##
##
## Domain allowed access.
##
##
#
########################################
# apache_dontaudit_rw_sys_script_stream_sockets(domain)
#
# Suppresses audit messages for read/write on httpd_sys_script_t unix
# stream sockets.  The access stays denied; only the log noise is
# removed.
define(`apache_dontaudit_rw_sys_script_stream_sockets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `apache_dontaudit_rw_sys_script_stream_sockets'($*)) dnl
gen_require(`
type httpd_sys_script_t;
')
dontaudit $1 httpd_sys_script_t:unix_stream_socket { read write };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `apache_dontaudit_rw_sys_script_stream_sockets'($*)) dnl
')
########################################
##
## Execute all user scripts in the user
## script domain.
##
##
##
## Domain allowed access.
##
##
#
########################################
# apache_domtrans_all_scripts(domain)
#
# Adds the caller to the httpd_exec_scripts attribute.  The actual
# transition rules live in apache_content_template (under the
# httpd_enable_cgi tunable), so membership means: executing any
# httpd_<prefix>_script_exec_t file transitions into that prefix
# script domain.  With httpd_enable_cgi off the attribute grants
# nothing.
define(`apache_domtrans_all_scripts',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `apache_domtrans_all_scripts'($*)) dnl
gen_require(`
attribute httpd_exec_scripts;
')
typeattribute $1 httpd_exec_scripts;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `apache_domtrans_all_scripts'($*)) dnl
')
########################################
##
## Execute all user scripts in the user
## script domain. Add user script domains
## to the specified role.
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed the script domains.
##
##
#
# cjp: this is missing the terminal since scripts
# do not output to the terminal
########################################
# apache_run_all_scripts(domain, role)
#
# apache_domtrans_all_scripts for the domain, plus the role is allowed
# every type in httpd_script_domains (all per-prefix script domains at
# once, not just those the role owns).
define(`apache_run_all_scripts',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `apache_run_all_scripts'($*)) dnl
gen_require(`
attribute httpd_exec_scripts, httpd_script_domains;
')
role $2 types httpd_script_domains;
apache_domtrans_all_scripts($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `apache_run_all_scripts'($*)) dnl
')
########################################
##
## Allow the specified domain to read
## apache squirrelmail data.
##
##
##
## Domain allowed access.
##
##
#
########################################
# apache_read_squirrelmail_data(domain)
#
# Search of httpd_squirrelmail_t directories and getattr/read of its
# files (no listing, no symlink access).
define(`apache_read_squirrelmail_data',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `apache_read_squirrelmail_data'($*)) dnl
gen_require(`
type httpd_squirrelmail_t;
')
allow $1 httpd_squirrelmail_t:dir search_dir_perms;
allow $1 httpd_squirrelmail_t:file { getattr read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `apache_read_squirrelmail_data'($*)) dnl
')
########################################
##
## Allow the specified domain to append
## apache squirrelmail data.
##
##
##
## Domain allowed access.
##
##
#
define(`apache_append_squirrelmail_data',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `apache_append_squirrelmail_data'($*)) dnl
gen_require(`
type httpd_squirrelmail_t;
')
# Append-only on files (no read, write or truncate). No directory
# search rule is included, so reaching the directory must be granted
# elsewhere.
allow $1 httpd_squirrelmail_t:file { getattr append };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `apache_append_squirrelmail_data'($*)) dnl
')
########################################
##
## Search apache system content.
##
##
##
## Domain allowed access.
##
##
#
define(`apache_search_sys_content',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `apache_search_sys_content'($*)) dnl
gen_require(`
type httpd_sys_content_t;
')
# Directory search only; no file access is granted by this interface.
allow $1 httpd_sys_content_t:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `apache_search_sys_content'($*)) dnl
')
########################################
##
## Read apache system content.
##
##
##
## Domain allowed access.
##
##
#
define(`apache_read_sys_content',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `apache_read_sys_content'($*)) dnl
gen_require(`
type httpd_sys_content_t;
')
# Read-only access: directory listing, and only getattr/read on files
# and symlinks (deliberately narrower than a full read permission set).
allow $1 httpd_sys_content_t:dir r_dir_perms;
allow $1 httpd_sys_content_t:file { getattr read };
allow $1 httpd_sys_content_t:lnk_file { getattr read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `apache_read_sys_content'($*)) dnl
')
########################################
##
## Search system script state directory.
##
##
##
## Domain allowed access.
##
##
#
define(`apache_search_sys_script_state',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `apache_search_sys_script_state'($*)) dnl
gen_require(`
type httpd_sys_script_t;
')
# httpd_sys_script_t is a process domain, so this dir search presumably
# covers its /proc entries; search only, no read of the state files.
allow $1 httpd_sys_script_t:dir search;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `apache_search_sys_script_state'($*)) dnl
')
########################################
##
## Allow the specified domain to manage
## apache modules.
##
##
##
## Domain allowed access.
##
##
#
define(`apache_manage_modules',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `apache_manage_modules'($*)) dnl
gen_require(`
type httpd_modules_t;
')
# Full create/read/write/delete on module directories, files and
# symlinks. Modules are code loaded by the web server, so $1 can
# effectively change what httpd executes; restrict to trusted domains.
manage_dirs_pattern($1,httpd_modules_t,httpd_modules_t)
manage_files_pattern($1,httpd_modules_t,httpd_modules_t)
manage_lnk_files_pattern($1,httpd_modules_t,httpd_modules_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `apache_manage_modules'($*)) dnl
')
########################################
##
## Allow the specified domain to manage
## apache lock files.
##
##
##
## Domain allowed access.
##
##
#
define(`apache_manage_lock',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `apache_manage_lock'($*)) dnl
gen_require(`
type httpd_lock_t;
')
# manage_file_perms covers create, write and delete, not just creation.
# The filetrans labels lock files that $1 creates in the lock directory
# as httpd_lock_t so they stay under this type.
allow $1 httpd_lock_t:file manage_file_perms;
files_lock_filetrans($1, httpd_lock_t, file)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `apache_manage_lock'($*)) dnl
')
########################################
##
## Allow the specified domain to manage
## apache pid file
##
##
##
## Domain allowed access.
##
##
#
define(`apache_manage_pid',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `apache_manage_pid'($*)) dnl
gen_require(`
type httpd_var_run_t;
')
# Manage pid files and label any file $1 creates in the pid directory
# as httpd_var_run_t; directory-level management is not granted.
manage_files_pattern($1,httpd_var_run_t,httpd_var_run_t)
files_pid_filetrans($1,httpd_var_run_t, file)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `apache_manage_pid'($*)) dnl
')
########################################
##
## Read apache system state.
##
##
##
## Domain allowed access.
##
##
#
define(`apache_read_state',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `apache_read_state'($*)) dnl
gen_require(`
type httpd_t;
')
# Read the httpd_t process state under /proc: search /proc, list the
# process directory, read its files and symlinks.
kernel_search_proc($1)
allow $1 httpd_t:dir list_dir_perms;
read_files_pattern($1,httpd_t,httpd_t)
read_lnk_files_pattern($1,httpd_t,httpd_t)
# ptrace is silenced, not allowed: tools that probe it while reading
# state will not spam the audit log, but cannot attach to httpd.
dontaudit $1 httpd_t:process ptrace;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `apache_read_state'($*)) dnl
')
########################################
##
## Allow the domain to signal apache.
##
##
##
## Domain allowed access.
##
##
#
define(`apache_signal',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `apache_signal'($*)) dnl
gen_require(`
type httpd_t;
')
# Generic signal only; sigkill, sigstop and signull are not included.
allow $1 httpd_t:process signal;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `apache_signal'($*)) dnl
')
########################################
##
## Allow the domain to relabel apache content.
##
##
##
## Domain allowed access.
##
##
#
define(`apache_relabel',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `apache_relabel'($*)) dnl
gen_require(`
attribute httpdcontent;
attribute httpd_script_exec_type;
')
# Both relabelto and relabelfrom on every web content type and every
# script executable type. Together these let $1 move a file from any
# of those labels into any other, including into an executable script
# type, so this is close to write access to script execution.
allow $1 { httpd_script_exec_type httpdcontent}:dir { relabelto relabelfrom };
allow $1 { httpd_script_exec_type httpdcontent}:file { relabelto relabelfrom };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `apache_relabel'($*)) dnl
')
########################################
##
## Allow the specified domain to search
## apache bugzilla directories.
##
##
##
## Domain allowed access.
##
##
#
define(`apache_search_bugzilla_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `apache_search_bugzilla_dirs'($*)) dnl
gen_require(`
type httpd_bugzilla_content_t;
')
# Directory search only; no listing and no file access.
allow $1 httpd_bugzilla_content_t:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `apache_search_bugzilla_dirs'($*)) dnl
')
########################################
##
## Execute apache system scripts in the init script domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`apache_script_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `apache_script_domtrans'($*)) dnl
gen_require(`
type httpd_sys_script_exec_t;
')
# The entrypoint is httpd_sys_script_exec_t; the transition itself is
# performed by init_script_domtrans_spec, so the target domain is
# whatever that interface selects (not an apache-specific domain).
init_script_domtrans_spec($1,httpd_sys_script_exec_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `apache_script_domtrans'($*)) dnl
')
########################################
##
## All of the rules required to administrate an apache environment
##
##
##
## Prefix of the domain. For example, user would be
## the prefix for the user_t domain.
##
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed to manage the apache domain.
##
##
##
#
define(`apache_admin',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `apache_admin'($*)) dnl
gen_require(`
type httpd_t, httpd_script_exec_t, httpd_config_t;
type httpd_log_t, httpd_modules_t, httpd_lock_t;
type httpd_var_run_t;
attribute httpdcontent;
attribute httpd_script_exec_type;
')
# Full administrative control over the web server: ptrace and all
# signals on httpd_t, management of config, logs, modules, lock and pid
# files, relabeling of all content and script executable types, and
# restorecon. Treat $1 as fully trusted with respect to httpd.
# Note that the $1 parameter is the domain although the doc header lists
# the prefix first; the prefix itself is not referenced in this body.
allow $1 httpd_t:process { getattr ptrace signal_perms };
# Allow $1 to restart the apache service
apache_script_domtrans($1)
domain_system_change_exemption($1)
# Executing an httpd_script_exec_t entrypoint moves role $2 into
# system_r, and $2 is authorized for system_r so the transition succeeds.
role_transition $2 httpd_script_exec_t system_r;
allow $2 system_r;
apache_manage_all_content($1)
files_search_etc($1)
manage_dirs_pattern($1,httpd_config_t,httpd_config_t)
manage_files_pattern($1,httpd_config_t,httpd_config_t)
read_lnk_files_pattern($1,httpd_config_t,httpd_config_t)
logging_search_logs($1)
manage_dirs_pattern($1,httpd_log_t,httpd_log_t)
manage_files_pattern($1,httpd_log_t,httpd_log_t)
read_lnk_files_pattern($1,httpd_log_t,httpd_log_t)
# Module, lock, pid, state and relabel rules below duplicate
# apache_manage_modules, apache_manage_lock, apache_manage_pid,
# apache_read_state and apache_relabel inline.
manage_dirs_pattern($1,httpd_modules_t,httpd_modules_t)
manage_files_pattern($1,httpd_modules_t,httpd_modules_t)
manage_lnk_files_pattern($1,httpd_modules_t,httpd_modules_t)
allow $1 httpd_lock_t:file manage_file_perms;
files_lock_filetrans($1, httpd_lock_t, file)
manage_files_pattern($1,httpd_var_run_t,httpd_var_run_t)
files_pid_filetrans($1,httpd_var_run_t, file)
kernel_search_proc($1)
allow $1 httpd_t:dir list_dir_perms;
read_files_pattern($1,httpd_t,httpd_t)
read_lnk_files_pattern($1,httpd_t,httpd_t)
allow $1 { httpd_script_exec_type httpdcontent}:dir { relabelto relabelfrom };
allow $1 { httpd_script_exec_type httpdcontent}:file { relabelto relabelfrom };
seutil_domtrans_restorecon($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `apache_admin'($*)) dnl
')
########################################
##
## Do not audit attempts to read and write Apache
## bugzilla script unix domain stream sockets.
##
##
##
## Domain allowed access.
##
##
#
define(`apache_dontaudit_rw_bugzilla_script_stream_sockets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `apache_dontaudit_rw_bugzilla_script_stream_sockets'($*)) dnl
gen_require(`
type httpd_bugzilla_script_t;
')
# Silences the denial only; no socket access is granted.
dontaudit $1 httpd_bugzilla_script_t:unix_stream_socket { read write };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `apache_dontaudit_rw_bugzilla_script_stream_sockets'($*)) dnl
')
## Advanced power management daemon
########################################
##
## Execute APM in the apm domain.
##
##
##
## Domain allowed access.
##
##
#
define(`apm_domtrans_client',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `apm_domtrans_client'($*)) dnl
gen_require(`
type apm_t, apm_exec_t;
')
# apm_t here is the client domain, distinct from the apmd_t daemon type
# used by the other apm interfaces.
# Spelled-out transition: domain_auto_trans plus the fd, fifo and
# sigchld reciprocity that domtrans_pattern bundles (compare
# avahi_domtrans).
corecmd_search_bin($1)
domain_auto_trans($1,apm_exec_t,apm_t)
allow $1 apm_t:fd use;
allow apm_t $1:fd use;
allow apm_t $1:fifo_file rw_file_perms;
allow apm_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `apm_domtrans_client'($*)) dnl
')
########################################
##
## Use file descriptors for apmd.
##
##
##
## The type of the process performing this action.
##
##
#
define(`apm_use_fds',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `apm_use_fds'($*)) dnl
gen_require(`
type apmd_t;
')
# Inherited descriptor use only; what can be done with the descriptor
# still depends on the rules for the underlying object.
allow $1 apmd_t:fd use;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `apm_use_fds'($*)) dnl
')
########################################
##
## Write to apmd unnamed pipes.
##
##
##
## The type of the process performing this action.
##
##
#
define(`apm_write_pipes',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `apm_write_pipes'($*)) dnl
gen_require(`
type apmd_t;
')
# Write only; reading from apmd pipes is not granted.
allow $1 apmd_t:fifo_file write;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `apm_write_pipes'($*)) dnl
')
########################################
##
## Read and write to an apm unix stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`apm_rw_stream_sockets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `apm_rw_stream_sockets'($*)) dnl
gen_require(`
type apmd_t;
')
# Read/write on an already-open socket only; establishing the
# connection is apm_stream_connect.
allow $1 apmd_t:unix_stream_socket { read write };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `apm_rw_stream_sockets'($*)) dnl
')
########################################
##
## Append to apm's log file.
##
##
##
## Domain allowed access.
##
##
#
define(`apm_append_log',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `apm_append_log'($*)) dnl
gen_require(`
type apmd_log_t;
')
# logging_search_logs lets $1 reach the log directory; the file rule is
# append only, so existing log content cannot be read, truncated or
# removed through this interface.
logging_search_logs($1)
allow $1 apmd_log_t:file append;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `apm_append_log'($*)) dnl
')
########################################
##
## Connect to apmd over a unix stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`apm_stream_connect',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `apm_stream_connect'($*)) dnl
gen_require(`
type apmd_t, apmd_var_run_t;
')
# Connect sequence: search the pid directory, write to the socket node
# (apmd_var_run_t), then connectto the daemon socket. Spelled out here
# rather than via stream_connect_pattern (compare avahi_stream_connect).
files_search_pids($1)
allow $1 apmd_var_run_t:sock_file write;
allow $1 apmd_t:unix_stream_socket connectto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `apm_stream_connect'($*)) dnl
')
## Ethernet activity monitor.
########################################
##
## Search arpwatch's data file directories.
##
##
##
## Domain allowed access.
##
##
#
define(`arpwatch_search_data',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `arpwatch_search_data'($*)) dnl
gen_require(`
type arpwatch_data_t;
')
# Bare search permission only (no getattr), unlike the search_dir_perms
# set used by the apache interfaces above.
allow $1 arpwatch_data_t:dir search;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `arpwatch_search_data'($*)) dnl
')
########################################
##
## Create arpwatch data files.
##
##
##
## Domain allowed access.
##
##
#
define(`arpwatch_manage_data_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `arpwatch_manage_data_files'($*)) dnl
gen_require(`
type arpwatch_data_t;
')
# Broader than the summary says: read/write on the directory and
# create_file_perms on files (presumably the full create/delete set;
# confirm against the permission set definitions).
allow $1 arpwatch_data_t:dir rw_dir_perms;
allow $1 arpwatch_data_t:file create_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `arpwatch_manage_data_files'($*)) dnl
')
########################################
##
## Read and write arpwatch temporary files.
##
##
##
## Domain allowed access.
##
##
#
define(`arpwatch_rw_tmp_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `arpwatch_rw_tmp_files'($*)) dnl
gen_require(`
type arpwatch_tmp_t;
')
# Read/write on existing files only; creation and deletion are
# arpwatch_manage_tmp_files. No directory access is granted here.
allow $1 arpwatch_tmp_t:file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `arpwatch_rw_tmp_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete arpwatch temporary files.
##
##
##
## Domain allowed access.
##
##
#
define(`arpwatch_manage_tmp_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `arpwatch_manage_tmp_files'($*)) dnl
gen_require(`
type arpwatch_tmp_t;
')
# Create, read, write and delete temp files; no directory rule, so the
# caller needs tmp directory access from elsewhere to create anything.
allow $1 arpwatch_tmp_t:file manage_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `arpwatch_manage_tmp_files'($*)) dnl
')
########################################
##
## Do not audit attempts to read and write
## arpwatch packet sockets.
##
##
##
## Domain to not audit.
##
##
#
define(`arpwatch_dontaudit_rw_packet_sockets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `arpwatch_dontaudit_rw_packet_sockets'($*)) dnl
gen_require(`
type arpwatch_t;
')
# Silences the denial only; no packet socket access is granted.
dontaudit $1 arpwatch_t:packet_socket { read write };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `arpwatch_dontaudit_rw_packet_sockets'($*)) dnl
')
## Asterisk IP telephony server
## Generate entropy from audio input
## Filesystem automounter service.
########################################
##
## Execute automount in the automount domain.
##
##
##
## Domain allowed access.
##
##
#
define(`automount_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `automount_domtrans'($*)) dnl
gen_require(`
type automount_t, automount_exec_t;
')
# Spelled-out transition (domain_auto_trans plus fd, fifo and sigchld
# reciprocity) as in apm_domtrans_client; the binary is reached via
# sbin rather than bin.
corecmd_search_sbin($1)
domain_auto_trans($1, automount_exec_t, automount_t)
allow $1 automount_t:fd use;
allow automount_t $1:fd use;
allow automount_t $1:fifo_file rw_file_perms;
allow automount_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `automount_domtrans'($*)) dnl
')
########################################
##
## Execute automount configuration files in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`automount_exec_config',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `automount_exec_config'($*)) dnl
gen_require(`
type automount_etc_t;
')
# can_exec: automount_etc_t is executed without a domain transition, so
# $1 stays in its own domain. Whoever can write automount_etc_t can
# therefore run code as $1; presumably these are executable map files.
corecmd_search_sbin($1)
can_exec($1,automount_etc_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `automount_exec_config'($*)) dnl
')
########################################
##
## Allow the domain to read state files in /proc.
##
##
##
## Domain allowed access.
##
##
#
define(`automount_read_state',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `automount_read_state'($*)) dnl
gen_require(`
type automount_t;
')
# Read-only on the automount_t process state: search its directory
# and r_file_perms on its files. No kernel_search_proc call here,
# unlike apache_read_state, so /proc search must come from elsewhere.
allow $1 automount_t:dir search_dir_perms;
allow $1 automount_t:file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `automount_read_state'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of automount temporary directories.
##
##
##
## Domain to not audit.
##
##
#
define(`automount_dontaudit_getattr_tmp_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `automount_dontaudit_getattr_tmp_dirs'($*)) dnl
gen_require(`
type automount_tmp_t;
')
# Silences getattr denials only; nothing is granted.
dontaudit $1 automount_tmp_t:dir getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `automount_dontaudit_getattr_tmp_dirs'($*)) dnl
')
## mDNS/DNS-SD daemon implementing Apple ZeroConf architecture
########################################
##
## Execute avahi server in the avahi domain.
##
##
##
## The type of the process performing this action.
##
##
#
#
define(`avahi_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `avahi_domtrans'($*)) dnl
gen_require(`
type avahi_exec_t;
type avahi_t;
')
# domtrans_pattern bundles the transition and the fd/fifo/sigchld
# reciprocity that apm_domtrans_client and bind_domtrans spell out.
corecmd_search_bin($1)
domtrans_pattern($1, avahi_exec_t, avahi_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `avahi_domtrans'($*)) dnl
')
########################################
##
## Execute the avahi init script in the init script domain.
##
##
##
## The type of the process performing this action.
##
##
#
#
define(`avahi_initrc_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `avahi_initrc_domtrans'($*)) dnl
gen_require(`
type avahi_initrc_exec_t;
')
# Entrypoint is the init script (avahi_initrc_exec_t), not the daemon
# binary; the target domain is chosen by init_labeled_script_domtrans.
init_labeled_script_domtrans($1, avahi_initrc_exec_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `avahi_initrc_domtrans'($*)) dnl
')
########################################
##
## Send avahi a signal
##
##
##
## The type of the process performing this action.
##
##
#
#
define(`avahi_signal',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `avahi_signal'($*)) dnl
gen_require(`
type avahi_t;
')
# Generic signal only; signull and sigkill have their own interfaces.
allow $1 avahi_t:process signal;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `avahi_signal'($*)) dnl
')
########################################
##
## Send avahi a signull
##
##
##
## The type of the process performing this action.
##
##
#
#
define(`avahi_signull',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `avahi_signull'($*)) dnl
gen_require(`
type avahi_t;
')
# signull is the existence check (kill with signal 0); it delivers
# nothing to the daemon.
allow $1 avahi_t:process signull;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `avahi_signull'($*)) dnl
')
########################################
##
## Send avahi a sigkill
##
##
##
## Domain allowed access.
##
##
#
#
define(`avahi_sigkill',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `avahi_sigkill'($*)) dnl
gen_require(`
type avahi_t;
')
# sigkill only: lets $1 terminate the daemon outright, so treat this
# as a denial-of-service capability when granting it.
allow $1 avahi_t:process sigkill;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `avahi_sigkill'($*)) dnl
')
########################################
##
## Send and receive messages from
## avahi over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`avahi_dbus_chat',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `avahi_dbus_chat'($*)) dnl
gen_require(`
type avahi_t;
class dbus send_msg;
')
# Bidirectional: $1 may send to avahi_t and avahi_t may send back.
# The dbus class is listed in the require block explicitly.
allow $1 avahi_t:dbus send_msg;
allow avahi_t $1:dbus send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `avahi_dbus_chat'($*)) dnl
')
########################################
##
## Connect to avahi using a unix domain stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`avahi_stream_connect',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `avahi_stream_connect'($*)) dnl
gen_require(`
type avahi_t, avahi_var_run_t;
')
# The socket node and its directory are both avahi_var_run_t; the
# pattern is passed the type twice for that reason. Compare the
# spelled-out form in apm_stream_connect.
files_search_pids($1)
stream_connect_pattern($1,avahi_var_run_t,avahi_var_run_t,avahi_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `avahi_stream_connect'($*)) dnl
')
########################################
##
## Do not audit attempts to search the AVAHI pid directory.
##
##
##
## Domain to not audit.
##
##
#
define(`avahi_dontaudit_search_pid',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `avahi_dontaudit_search_pid'($*)) dnl
gen_require(`
type avahi_var_run_t;
')
# Silences search denials only; nothing is granted.
dontaudit $1 avahi_var_run_t:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `avahi_dontaudit_search_pid'($*)) dnl
')
## Berkeley internet name domain DNS server.
########################################
##
## Execute ndc in the ndc domain.
##
##
##
## Domain allowed access.
##
##
#
define(`bind_domtrans_ndc',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `bind_domtrans_ndc'($*)) dnl
gen_require(`
type ndc_t, ndc_exec_t;
')
# Spelled-out transition as in apm_domtrans_client, but without a
# corecmd_search_* call: the caller must already be able to reach
# ndc_exec_t on its own.
domain_auto_trans($1,ndc_exec_t,ndc_t)
allow $1 ndc_t:fd use;
allow ndc_t $1:fd use;
allow ndc_t $1:fifo_file rw_file_perms;
allow ndc_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `bind_domtrans_ndc'($*)) dnl
')
########################################
##
## Send generic signals to BIND.
##
##
##
## Domain allowed access.
##
##
#
define(`bind_signal',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `bind_signal'($*)) dnl
gen_require(`
type named_t;
')
# Generic signal only; signull and sigkill have their own interfaces.
allow $1 named_t:process signal;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `bind_signal'($*)) dnl
')
########################################
##
## Send signulls to BIND.
##
##
##
## Domain allowed access.
##
##
#
define(`bind_signull',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `bind_signull'($*)) dnl
gen_require(`
type named_t;
')
# Existence check only (signal 0); nothing is delivered to named.
allow $1 named_t:process signull;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `bind_signull'($*)) dnl
')
########################################
##
## Send sigkills to BIND.
##
##
##
## Domain allowed access.
##
##
#
define(`bind_sigkill',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `bind_sigkill'($*)) dnl
gen_require(`
type named_t;
')
# sigkill lets $1 terminate the DNS server outright; grant sparingly.
allow $1 named_t:process sigkill;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `bind_sigkill'($*)) dnl
')
########################################
##
## Execute ndc in the ndc domain, and
## allow the specified role the ndc domain.
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed the ndc domain.
##
##
##
##
## The type of the terminal the ndc domain is allowed to use.
##
##
##
#
define(`bind_run_ndc',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `bind_run_ndc'($*)) dnl
gen_require(`
type ndc_t;
')
# Transition via bind_domtrans_ndc, authorize role $2 for ndc_t, and
# let ndc_t read and write the terminal type $3 so the tool can
# interact with the invoking user.
bind_domtrans_ndc($1)
role $2 types ndc_t;
allow ndc_t $3:chr_file rw_term_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `bind_run_ndc'($*)) dnl
')
########################################
##
## Execute bind in the named domain.
##
##
##
## Domain allowed access.
##
##
#
define(`bind_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `bind_domtrans'($*)) dnl
gen_require(`
type named_t, named_exec_t;
')
# Spelled-out transition into named_t (domain_auto_trans plus fd, fifo
# and sigchld reciprocity). As with bind_domtrans_ndc there is no
# corecmd_search_* call, so the caller must already reach named_exec_t.
domain_auto_trans($1,named_exec_t,named_t)
allow $1 named_t:fd use;
allow named_t $1:fd use;
allow named_t $1:fifo_file rw_file_perms;
allow named_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `bind_domtrans'($*)) dnl
')
########################################
##
## Read DNSSEC keys.
##
##
##
## Domain allowed access.
##
##
#
define(`bind_read_dnssec_keys',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `bind_read_dnssec_keys'($*)) dnl
gen_require(`
type named_conf_t, named_zone_t, dnssec_t;
')
# Search of the conf and zone directories (where dnssec_t files
# presumably live) plus getattr/read on the keys themselves. DNSSEC
# key material is sensitive, so audit which domains call this.
allow $1 { named_conf_t named_zone_t }:dir search;
allow $1 dnssec_t:file { getattr read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `bind_read_dnssec_keys'($*)) dnl
')
########################################
##
## Read BIND named configuration files.
##
##
##
## Domain allowed access.
##
##
#
define(`bind_read_config',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `bind_read_config'($*)) dnl
gen_require(`
type named_conf_t;
')
# Read-only access to named configuration: directory search plus
# file getattr and read.
allow $1 named_conf_t:dir search;
allow $1 named_conf_t:file { getattr read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `bind_read_config'($*)) dnl
')
########################################
##
## Write BIND named configuration files.
##
##
##
## Domain allowed access.
##
##
#
define(`bind_write_config',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `bind_write_config'($*)) dnl
gen_require(`
type named_conf_t;
')
# Write and setattr on existing config files only; no create, unlink
# or read is granted here. Pair with bind_read_config when the caller
# also needs to read the files.
allow $1 named_conf_t:dir search;
allow $1 named_conf_t:file { write setattr };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `bind_write_config'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## BIND configuration directories.
##
##
##
## Domain allowed access.
##
##
#
define(`bind_manage_config_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `bind_manage_config_dirs'($*)) dnl
gen_require(`
type named_conf_t;
')
# Directory-level management only; files inside the directories are
# covered by the read and write config interfaces.
allow $1 named_conf_t:dir create_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `bind_manage_config_dirs'($*)) dnl
')
########################################
##
## Search the BIND cache directory.
##
##
##
## Domain allowed access.
##
##
#
define(`bind_search_cache',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `bind_search_cache'($*)) dnl
gen_require(`
type named_conf_t, named_cache_t, named_zone_t;
')
# Search along the path to the cache: /var, then the config and zone
# directories the cache is nested under, then the cache directory.
files_search_var($1)
allow $1 named_conf_t:dir search_dir_perms;
allow $1 named_zone_t:dir search_dir_perms;
allow $1 named_cache_t:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `bind_search_cache'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## BIND cache files.
##
##
##
## Domain allowed access.
##
##
#
define(`bind_manage_cache',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `bind_manage_cache'($*)) dnl
gen_require(`
type named_cache_t, named_zone_t;
')
# Path search down to the cache directory.
files_search_var($1)
allow $1 named_zone_t:dir search_dir_perms;
# Full create/delete on cache files and symlinks; the cache directory
# itself only gets rw_dir_perms, so the caller cannot create or remove
# cache directories.
allow $1 named_cache_t:dir rw_dir_perms;
allow $1 named_cache_t:file create_file_perms;
allow $1 named_cache_t:lnk_file create_lnk_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `bind_manage_cache'($*)) dnl
')
########################################
##
## Set the attributes of the BIND
## pid directory.
##
##
##
## Domain allowed access.
##
##
#
define(`bind_setattr_pid_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `bind_setattr_pid_dirs'($*)) dnl
gen_require(`
type named_var_run_t;
')
# This is an allow rule, not a dontaudit, matching the interface name:
# the caller may change attributes of the named pid directory.
allow $1 named_var_run_t:dir setattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `bind_setattr_pid_dirs'($*)) dnl
')
########################################
##
## Read BIND zone files.
##
##
##
## Domain allowed access.
##
##
#
define(`bind_read_zone',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `bind_read_zone'($*)) dnl
gen_require(`
type named_zone_t;
')
# Path search from /var down to the zone directory, then read-only
# access to the zone files.
files_search_var($1)
allow $1 named_zone_t:dir search_dir_perms;
allow $1 named_zone_t:file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `bind_read_zone'($*)) dnl
')
########################################
##
## Send and receive datagrams to and from named. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`bind_udp_chat_named',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `bind_udp_chat_named'($*)) dnl
# Deprecated: emits a build-time warning and no policy rules at all,
# so existing callers keep compiling but gain no access.
refpolicywarn(`$0($*) has been deprecated.')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `bind_udp_chat_named'($*)) dnl
')
## Bluetooth tools and system services.
########################################
##
## Execute bluetooth in the bluetooth domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`bluetooth_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `bluetooth_domtrans'($*)) dnl
gen_require(`
type bluetooth_t, bluetooth_exec_t;
')
# Executing a bluetooth_exec_t file from the caller moves the process
# into bluetooth_t.
domain_auto_trans($1,bluetooth_exec_t,bluetooth_t)
# NOTE(review): unlike bind_domtrans and bluetooth_domtrans_helper this
# grants fd use only from bluetooth_t back to the caller, not the
# reverse direction - confirm whether that asymmetry is intended.
allow bluetooth_t $1:fd use;
allow bluetooth_t $1:fifo_file rw_file_perms;
allow bluetooth_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `bluetooth_domtrans'($*)) dnl
')
########################################
##
## Read bluetooth daemon configuration.
##
##
##
## Domain allowed access.
##
##
#
define(`bluetooth_read_config',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `bluetooth_read_config'($*)) dnl
gen_require(`
type bluetooth_conf_t;
')
# File-level read only. No dir search is granted here, so callers are
# expected to already be able to reach the containing directory.
allow $1 bluetooth_conf_t:file { getattr read ioctl };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `bluetooth_read_config'($*)) dnl
')
########################################
##
## Execute bluetooth_helper in the bluetooth_helper domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`bluetooth_domtrans_helper',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `bluetooth_domtrans_helper'($*)) dnl
gen_require(`
type bluetooth_helper_t, bluetooth_helper_exec_t;
')
# Executing a bluetooth_helper_exec_t file from the caller moves the
# process into bluetooth_helper_t.
domain_auto_trans($1,bluetooth_helper_exec_t,bluetooth_helper_t)
# Descriptor and pipe sharing in both directions, plus sigchld on exit.
allow $1 bluetooth_helper_t:fd use;
allow bluetooth_helper_t $1:fd use;
allow bluetooth_helper_t $1:fifo_file rw_file_perms;
allow bluetooth_helper_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `bluetooth_domtrans_helper'($*)) dnl
')
########################################
##
## Send and receive messages from
## bluetooth over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`bluetooth_dbus_chat',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `bluetooth_dbus_chat'($*)) dnl
gen_require(`
type bluetooth_t;
class dbus send_msg;
')
# Bidirectional dbus messaging between the caller and bluetooth_t.
# The dbus class is required explicitly because it is userspace-defined.
allow $1 bluetooth_t:dbus send_msg;
allow bluetooth_t $1:dbus send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `bluetooth_dbus_chat'($*)) dnl
')
########################################
##
## Execute bluetooth_helper in the bluetooth_helper domain, and
## allow the specified role the bluetooth_helper domain.
##
##
##
## The type of the process performing this action.
##
##
##
##
## The role to be allowed the bluetooth_helper domain.
##
##
##
##
## The type of the terminal the bluetooth_helper domain is allowed to use.
##
##
##
#
define(`bluetooth_run_helper',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `bluetooth_run_helper'($*)) dnl
gen_require(`
type bluetooth_helper_t;
')
# Arguments: caller domain, role, terminal type.
bluetooth_domtrans_helper($1)
# Authorize the role for the helper domain so the transition is reachable.
role $2 types bluetooth_helper_t;
# Let the helper keep using the callers terminal.
allow bluetooth_helper_t $3:chr_file rw_term_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `bluetooth_run_helper'($*)) dnl
')
########################################
##
## Do not audit attempts to read bluetooth helper files.
##
##
##
## Domain allowed access.
##
##
#
define(`bluetooth_dontaudit_read_helper_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `bluetooth_dontaudit_read_helper_files'($*)) dnl
gen_require(`
type bluetooth_helper_t;
')
# Silence, rather than permit, read attempts on bluetooth_helper_t
# labelled dirs and files - no access is granted by this interface.
dontaudit $1 bluetooth_helper_t:dir search;
dontaudit $1 bluetooth_helper_t:file { read getattr };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `bluetooth_dontaudit_read_helper_files'($*)) dnl
')
## Canna - kana-kanji conversion server
########################################
##
## Connect to Canna using a unix domain stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`canna_stream_connect',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `canna_stream_connect'($*)) dnl
gen_require(`
type canna_t, canna_var_run_t;
')
# Reach the socket: search the pid directory tree, write the socket
# node, then connect to the listening canna_t socket.
files_search_pids($1)
allow $1 canna_var_run_t:dir search;
allow $1 canna_var_run_t:sock_file write;
allow $1 canna_t:unix_stream_socket connectto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `canna_stream_connect'($*)) dnl
')
## Cluster Configuration System
########################################
##
## Execute a domain transition to run ccs.
##
##
##
## Domain allowed to transition.
##
##
#
define(`ccs_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ccs_domtrans'($*)) dnl
gen_require(`
type ccs_t, ccs_exec_t;
')
# Executing a ccs_exec_t file from the caller moves the process into ccs_t.
domain_auto_trans($1,ccs_exec_t,ccs_t)
# ccs may use the callers inherited descriptors and pipes and signal
# the caller with sigchld on exit.
allow ccs_t $1:fd use;
allow ccs_t $1:fifo_file rw_file_perms;
allow ccs_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ccs_domtrans'($*)) dnl
')
########################################
##
## Connect to ccs over a unix domain stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`ccs_stream_connect',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ccs_stream_connect'($*)) dnl
gen_require(`
type ccs_t, ccs_var_run_t;
')
# Reach the socket under the pid directory, then connect to ccs_t.
# Note this grants list_dir_perms on the ccs pid directory, wider than
# the plain search used by canna_stream_connect and clamav_stream_connect.
files_search_pids($1)
allow $1 ccs_var_run_t:dir list_dir_perms;
allow $1 ccs_var_run_t:sock_file write;
allow $1 ccs_t:unix_stream_socket connectto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ccs_stream_connect'($*)) dnl
')
########################################
##
## Read cluster configuration files.
##
##
##
## Domain allowed access.
##
##
#
define(`ccs_read_config',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ccs_read_config'($*)) dnl
gen_require(`
type cluster_conf_t;
')
# Read-only access to the cluster configuration files.
allow $1 cluster_conf_t:dir search_dir_perms;
allow $1 cluster_conf_t:file { getattr read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ccs_read_config'($*)) dnl
')
########################################
##
## Manage cluster configuration files.
##
##
##
## Domain allowed access.
##
##
#
define(`ccs_manage_config',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ccs_manage_config'($*)) dnl
gen_require(`
type cluster_conf_t;
')
# Full create/read/write/delete on cluster configuration dirs and files.
# This is the privileged counterpart of ccs_read_config; grant it only
# to domains that must edit the cluster configuration.
allow $1 cluster_conf_t:dir manage_dir_perms;
allow $1 cluster_conf_t:file manage_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ccs_manage_config'($*)) dnl
')
## Encrypted tunnel daemon
## ClamAV Virus Scanner
########################################
##
## Execute a domain transition to run clamd.
##
##
##
## Domain allowed to transition.
##
##
#
define(`clamav_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `clamav_domtrans'($*)) dnl
gen_require(`
type clamd_t, clamd_exec_t;
')
# Executing a clamd_exec_t file from the caller moves the process into clamd_t.
domain_auto_trans($1,clamd_exec_t,clamd_t)
# Descriptor and pipe sharing in both directions, plus sigchld on exit.
allow $1 clamd_t:fd use;
allow clamd_t $1:fd use;
allow clamd_t $1:fifo_file rw_file_perms;
allow clamd_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `clamav_domtrans'($*)) dnl
')
########################################
##
## Connect to clamd over a unix domain stream socket.
##
##
##
## Domain allowed to connect.
##
##
#
define(`clamav_stream_connect',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `clamav_stream_connect'($*)) dnl
gen_require(`
type clamd_t, clamd_var_run_t;
')
# Search the clamd pid directory, write the socket node, connect to clamd_t.
# NOTE(review): canna_stream_connect and ccs_stream_connect also call
# files_search_pids on the caller; this one does not, so callers must
# already be able to search the parent pid directory - confirm.
allow $1 clamd_var_run_t:dir search;
allow $1 clamd_var_run_t:sock_file write;
allow $1 clamd_t:unix_stream_socket connectto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `clamav_stream_connect'($*)) dnl
')
########################################
##
## Read clamav configuration files.
##
##
##
## Domain allowed access.
##
##
#
define(`clamav_read_config',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `clamav_read_config'($*)) dnl
gen_require(`
type clamd_etc_t;
')
# Search /etc, then read-only access to clamd_etc_t files.
files_search_etc($1)
allow $1 clamd_etc_t:file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `clamav_read_config'($*)) dnl
')
########################################
##
## Search clamav libraries directories.
##
##
##
## Domain allowed access.
##
##
#
define(`clamav_search_lib',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `clamav_search_lib'($*)) dnl
gen_require(`
type clamd_var_lib_t;
')
# Search /var/lib, then the clamd library directories; no file access.
files_search_var_lib($1)
allow $1 clamd_var_lib_t:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `clamav_search_lib'($*)) dnl
')
########################################
##
## Execute a domain transition to run clamscan.
##
##
##
## Domain allowed access.
##
##
#
define(`clamav_domtrans_clamscan',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `clamav_domtrans_clamscan'($*)) dnl
gen_require(`
type clamscan_t, clamscan_exec_t;
')
# Executing a clamscan_exec_t file from the caller moves the process
# into clamscan_t.
domain_auto_trans($1,clamscan_exec_t,clamscan_t)
# clamscan may use the callers inherited descriptors and pipes and
# signal the caller with sigchld on exit.
allow clamscan_t $1:fd use;
allow clamscan_t $1:fifo_file rw_file_perms;
allow clamscan_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `clamav_domtrans_clamscan'($*)) dnl
')
########################################
##
## Execute clamscan without a transition.
##
##
##
## Domain allowed access.
##
##
#
define(`clamav_exec_clamscan',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `clamav_exec_clamscan'($*)) dnl
gen_require(`
type clamscan_exec_t;
')
# Run clamscan in the callers own domain; use clamav_domtrans_clamscan
# instead when the scanner should be confined to clamscan_t.
can_exec($1,clamscan_exec_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `clamav_exec_clamscan'($*)) dnl
')
## Clockspeed simple network time protocol client
########################################
##
## Execute clockspeed utilities in the clockspeed_cli domain.
##
##
##
## Domain allowed access.
##
##
#
define(`clockspeed_domtrans_cli',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `clockspeed_domtrans_cli'($*)) dnl
gen_require(`
type clockspeed_cli_t, clockspeed_cli_exec_t;
')
# Executing a clockspeed_cli_exec_t file from the caller moves the
# process into clockspeed_cli_t.
domain_auto_trans($1, clockspeed_cli_exec_t, clockspeed_cli_t)
# Inherited descriptors and pipes stay usable; note the pipe rule spells
# out read and write rather than using rw_file_perms like the other
# domtrans interfaces in this file.
allow clockspeed_cli_t $1:fd use;
allow clockspeed_cli_t $1:fifo_file { read write };
allow clockspeed_cli_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `clockspeed_domtrans_cli'($*)) dnl
')
########################################
##
## Allow the specified role the clockspeed_cli domain.
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed the clockspeed_cli domain.
##
##
##
##
## The type of the terminal the clockspeed_cli domain is allowed to use.
##
##
##
#
define(`clockspeed_run_cli',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `clockspeed_run_cli'($*)) dnl
gen_require(`
type clockspeed_cli_t;
')
# Arguments: caller domain, role, terminal type.
# Authorize the role for clockspeed_cli_t, then add the transition rules.
role $2 types clockspeed_cli_t;
clockspeed_domtrans_cli($1)
# Terminal access is spelled out here instead of using rw_term_perms.
allow clockspeed_cli_t $3:chr_file { getattr read write ioctl };
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `clockspeed_run_cli'($*)) dnl
')
## Comsat, a biff server.
## Courier IMAP and POP3 email servers
########################################
##
## Template for creating courier server processes.
##
##
##
## Prefix name of the server process.
##
##
#
define(`courier_domain_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `courier_domain_template'($*)) dnl
##############################
#
# Declarations
#
# Creates the daemon domain courier_$1_t with entrypoint
# courier_$1_exec_t, started by init like any other daemon.
type courier_$1_t;
type courier_$1_exec_t;
init_daemon_domain(courier_$1_t,courier_$1_exec_t)
##############################
#
# courier_$1_t local policy
#
# NOTE(review): courier_etc_t and courier_var_run_t are used below
# without a gen_require, so this template is presumably only expanded
# inside the courier module where they are declared - confirm.
allow courier_$1_t self:capability dac_override;
dontaudit courier_$1_t self:capability sys_tty_config;
allow courier_$1_t self:process { setpgid signal_perms };
allow courier_$1_t self:fifo_file { read write getattr };
allow courier_$1_t self:tcp_socket create_stream_socket_perms;
allow courier_$1_t self:udp_socket create_socket_perms;
# The daemon re-executes its own binary without a transition.
can_exec(courier_$1_t, courier_$1_exec_t)
# Read-only config; full management of its own pid files and sockets.
allow courier_$1_t courier_etc_t:file r_file_perms;
allow courier_$1_t courier_etc_t:dir r_dir_perms;
allow courier_$1_t courier_var_run_t:dir rw_dir_perms;
allow courier_$1_t courier_var_run_t:file create_file_perms;
allow courier_$1_t courier_var_run_t:lnk_file create_lnk_perms;
allow courier_$1_t courier_var_run_t:sock_file create_file_perms;
files_search_pids(courier_$1_t)
kernel_read_system_state(courier_$1_t)
kernel_read_kernel_sysctls(courier_$1_t)
corecmd_exec_bin(courier_$1_t)
# Network: send and receive on every port and node, not just the
# mail ports. Consider narrowing if the specific ports are known.
corenet_non_ipsec_sendrecv(courier_$1_t)
corenet_tcp_sendrecv_generic_if(courier_$1_t)
corenet_udp_sendrecv_generic_if(courier_$1_t)
corenet_tcp_sendrecv_all_nodes(courier_$1_t)
corenet_udp_sendrecv_all_nodes(courier_$1_t)
corenet_tcp_sendrecv_all_ports(courier_$1_t)
corenet_udp_sendrecv_all_ports(courier_$1_t)
dev_read_sysfs(courier_$1_t)
domain_use_interactive_fds(courier_$1_t)
files_read_etc_files(courier_$1_t)
files_read_etc_runtime_files(courier_$1_t)
files_read_usr_files(courier_$1_t)
fs_getattr_xattr_fs(courier_$1_t)
fs_search_auto_mountpoints(courier_$1_t)
term_dontaudit_use_console(courier_$1_t)
init_use_fds(courier_$1_t)
init_use_script_ptys(courier_$1_t)
libs_use_ld_so(courier_$1_t)
libs_use_shared_libs(courier_$1_t)
logging_send_syslog_msg(courier_$1_t)
sysnet_read_config(courier_$1_t)
userdom_dontaudit_use_unpriv_user_fds(courier_$1_t)
# Extra noise suppression only in the targeted policy.
ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_ttys(courier_$1_t)
term_dontaudit_use_generic_ptys(courier_$1_t)
files_dontaudit_read_root_files(courier_$1_t)
')
optional_policy(`
seutil_sigchld_newrole(courier_$1_t)
')
optional_policy(`
udev_read_db(courier_$1_t)
')
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `courier_domain_template'($*)) dnl
')
########################################
##
## Execute the courier authentication daemon with
## a domain transition.
##
##
##
## Domain allowed access.
##
##
#
define(`courier_domtrans_authdaemon',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `courier_domtrans_authdaemon'($*)) dnl
gen_require(`
type courier_authdaemon_t, courier_authdaemon_exec_t;
')
# Executing a courier_authdaemon_exec_t file from the caller moves the
# process into courier_authdaemon_t.
domain_auto_trans($1, courier_authdaemon_exec_t, courier_authdaemon_t)
# The daemon may use the callers inherited descriptors and pipes and
# signal the caller with sigchld on exit.
allow courier_authdaemon_t $1:fd use;
allow courier_authdaemon_t $1:fifo_file rw_file_perms;
allow courier_authdaemon_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `courier_domtrans_authdaemon'($*)) dnl
')
########################################
##
## Execute the courier POP3 and IMAP server with
## a domain transition.
##
##
##
## Domain allowed access.
##
##
#
define(`courier_domtrans_pop',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `courier_domtrans_pop'($*)) dnl
gen_require(`
type courier_pop_t, courier_pop_exec_t;
')
# Executing a courier_pop_exec_t file from the caller moves the
# process into courier_pop_t.
domain_auto_trans($1, courier_pop_exec_t, courier_pop_t)
# The server may use the callers inherited descriptors and pipes and
# signal the caller with sigchld on exit.
allow courier_pop_t $1:fd use;
allow courier_pop_t $1:fifo_file rw_file_perms;
allow courier_pop_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `courier_domtrans_pop'($*)) dnl
')
## Services for loading CPU microcode and CPU frequency scaling.
########################################
##
## CPUcontrol stub interface. No access allowed.
##
##
##
## N/A
##
##
#
define(`cpucontrol_stub',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `cpucontrol_stub'($*)) dnl
# Stub: only pulls cpucontrol_t into the require block so that other
# policy can reference the type. No rules are emitted.
gen_require(`
type cpucontrol_t;
')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `cpucontrol_stub'($*)) dnl
')
## Periodic execution of scheduled commands.
#######################################
##
## The per role template for the cron module.
##
##
##
## This template creates derived domains which are used
## for running programs on behalf of the user, from cron.
## A type for the user crontab is also created.
##
##
## This template is invoked automatically for each user, and
## generally does not need to be invoked directly
## by policy writers.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## The type of the user domain.
##
##
##
##
## The role associated with the user domain.
##
##
#
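define(`cron_per_role_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `cron_per_role_template'($*)) dnl
gen_require(`
class context contains;
attribute cron_spool_type;
type crond_t, cron_spool_t, crontab_exec_t;
')
##############################
#
# Declarations
#
# Arguments: user prefix, user domain type, user role.
# Two derived domains are created: $1_crond_t runs the user cron jobs
# on behalf of crond_t, and $1_crontab_t is the domain the crontab
# program runs in when started from the user domain.
# Type of user crontabs once moved to cron spool.
type $1_cron_spool_t, cron_spool_type;
files_type($1_cron_spool_t)
type $1_crond_t;
domain_type($1_crond_t)
domain_cron_exemption_target($1_crond_t)
corecmd_shell_entry_type($1_crond_t)
role $3 types $1_crond_t;
type $1_crontab_t;
domain_type($1_crontab_t)
domain_entry_file($1_crontab_t,crontab_exec_t)
role $3 types $1_crontab_t;
##############################
#
# $1_crond_t local policy
#
allow $1_crond_t self:capability dac_override;
allow $1_crond_t self:process { signal_perms setsched };
allow $1_crond_t self:fifo_file rw_file_perms;
allow $1_crond_t self:unix_stream_socket create_stream_socket_perms;
allow $1_crond_t self:unix_dgram_socket create_socket_perms;
allow $1_crond_t self:context contains;
# The entrypoint interface is not used as this is not
# a regular entrypoint. Since crontab files are
# not directly executed, crond must ensure that
# the crontab file has a type that is appropriate
# for the domain of the user cron job. It
# performs an entrypoint permission check
# for this purpose.
allow $1_crond_t $1_cron_spool_t:file entrypoint;
# Permit a transition from the crond_t domain to this domain.
# The transition is requested explicitly by the modified crond
# via setexeccon. There is no way to set up an automatic
# transition, since crontabs are configuration files, not executables.
allow crond_t $1_crond_t:process transition;
dontaudit crond_t $1_crond_t:process { noatsecure siginh rlimitinh };
allow crond_t $1_crond_t:fd use;
allow $1_crond_t crond_t:fd use;
allow $1_crond_t crond_t:fifo_file rw_file_perms;
allow $1_crond_t crond_t:process sigchld;
kernel_read_system_state($1_crond_t)
kernel_read_kernel_sysctls($1_crond_t)
# ps does not need to access /boot when run from cron
files_dontaudit_search_boot($1_crond_t)
# User cron jobs get unrestricted outbound network access, matching
# what the user domain itself can do.
corenet_non_ipsec_sendrecv($1_crond_t)
corenet_tcp_sendrecv_all_if($1_crond_t)
corenet_udp_sendrecv_all_if($1_crond_t)
corenet_tcp_sendrecv_all_nodes($1_crond_t)
corenet_udp_sendrecv_all_nodes($1_crond_t)
corenet_tcp_sendrecv_all_ports($1_crond_t)
corenet_udp_sendrecv_all_ports($1_crond_t)
corenet_tcp_connect_all_ports($1_crond_t)
corenet_sendrecv_all_client_packets($1_crond_t)
dev_read_urand($1_crond_t)
corecmd_exec_all_executables($1_crond_t)
# quiet other ps operations
domain_dontaudit_read_all_domains_state($1_crond_t)
domain_dontaudit_getattr_all_domains($1_crond_t)
files_read_etc_files($1_crond_t)
files_read_etc_runtime_files($1_crond_t)
files_read_usr_files($1_crond_t)
# Read directories and files with the readable_t type.
# This type is a general type for "world"-readable files.
files_list_world_readable($1_crond_t)
files_read_world_readable_files($1_crond_t)
files_read_world_readable_symlinks($1_crond_t)
files_read_world_readable_pipes($1_crond_t)
files_read_world_readable_sockets($1_crond_t)
# old browser_domain():
files_dontaudit_list_non_security($1_crond_t)
files_dontaudit_getattr_non_security_files($1_crond_t)
files_dontaudit_getattr_non_security_symlinks($1_crond_t)
files_dontaudit_getattr_non_security_pipes($1_crond_t)
files_dontaudit_getattr_non_security_sockets($1_crond_t)
files_dontaudit_getattr_non_security_blk_files($1_crond_t)
files_dontaudit_getattr_non_security_chr_files($1_crond_t)
files_exec_etc_files($1_crond_t)
files_search_locks($1_crond_t)
# Check to see if cdrom is mounted
files_search_mnt($1_crond_t)
# cjp: perhaps should cut back on file reads:
files_read_var_files($1_crond_t)
files_read_var_symlinks($1_crond_t)
files_read_generic_spool($1_crond_t)
files_read_var_lib_files($1_crond_t)
# Stat lost+found.
files_getattr_lost_found_dirs($1_crond_t)
fs_get_all_fs_quotas($1_crond_t)
fs_getattr_all_fs($1_crond_t)
fs_getattr_all_dirs($1_crond_t)
fs_search_auto_mountpoints($1_crond_t)
fs_list_inotifyfs($1_crond_t)
# for nscd:
files_dontaudit_search_pids($1_crond_t)
libs_use_ld_so($1_crond_t)
libs_use_shared_libs($1_crond_t)
libs_exec_lib_files($1_crond_t)
libs_exec_ld_so($1_crond_t)
files_search_spool($1_crond_t)
logging_search_logs($1_crond_t)
seutil_read_config($1_crond_t)
miscfiles_read_localization($1_crond_t)
mls_rangetrans_target($1_crond_t)
userdom_manage_user_tmp_files($1,$1_crond_t)
userdom_manage_user_tmp_symlinks($1,$1_crond_t)
userdom_manage_user_tmp_pipes($1,$1_crond_t)
userdom_manage_user_tmp_sockets($1,$1_crond_t)
userdom_transition_user_tmp($1,$1_crond_t, { lnk_file file dir fifo_file })
# Run scripts in user home directory and access shared libs.
userdom_exec_user_home_content_files($1,$1_crond_t)
# Access user files and dirs.
userdom_manage_user_home_content_dirs($1,$1_crond_t)
userdom_manage_user_home_content_files($1,$1_crond_t)
userdom_manage_user_home_content_symlinks($1,$1_crond_t)
userdom_manage_user_home_content_pipes($1,$1_crond_t)
userdom_manage_user_home_content_sockets($1,$1_crond_t)
userdom_user_home_dir_filetrans_user_home_content($1,$1_crond_t,notdevfile_class_set)
# NOTE(review): this tunable block is currently redundant because the
# same create_file_perms rule is granted unconditionally in the
# $1_crontab_t section below - confirm which of the two is intended.
tunable_policy(`fcron_crond', `
allow crond_t $1_cron_spool_t:file create_file_perms;
')
optional_policy(`
nis_use_ypbind($1_crond_t)
')
optional_policy(`
mta_send_mail($1_crond_t)
mta_mailcontent($1_cron_spool_t)
')
optional_policy(`
nscd_socket_use($1_crond_t)
')
##############################
#
# $1_crontab_t local policy
#
# dac_override is to create the file in the directory under /tmp
allow $1_crontab_t self:capability { fowner setuid setgid chown dac_override };
allow $1_crontab_t self:process signal_perms;
# Transition from the user domain to the derived domain.
domain_auto_trans($2, crontab_exec_t, $1_crontab_t)
allow $2 $1_crontab_t:fd use;
allow $1_crontab_t $2:fd use;
allow $1_crontab_t $2:fifo_file rw_file_perms;
allow $1_crontab_t $2:process sigchld;
# crontab shows up in user ps
allow $2 $1_crontab_t:dir { search getattr read };
allow $2 $1_crontab_t:{ file lnk_file } { read getattr };
allow $2 $1_crontab_t:process getattr;
# for ^Z
allow $2 $1_crontab_t:process { signal sigchld };
# Allow crond to read those crontabs in cron spool.
# NOTE(review): create_file_perms is wider than the read this comment
# describes; the fcron_crond tunable above exists to add create for
# fcron, so a read-only permission set may be sufficient here - confirm.
allow crond_t $1_cron_spool_t:file create_file_perms;
# create files in /var/spool/cron
allow $1_crontab_t cron_spool_t:dir rw_dir_perms;
allow $1_crontab_t $1_cron_spool_t:file manage_file_perms;
type_transition $1_crontab_t cron_spool_t:file $1_cron_spool_t;
files_search_spool($1_crontab_t)
# crontab signals crond by updating the mtime on the spooldir
allow $1_crontab_t cron_spool_t:dir setattr;
kernel_read_system_state($1_crontab_t)
# for the checks used by crontab -u
selinux_dontaudit_search_fs($1_crontab_t)
fs_getattr_xattr_fs($1_crontab_t)
# Run helper programs as the user domain
corecmd_bin_domtrans($1_crontab_t,$2)
corecmd_sbin_domtrans($1_crontab_t,$2)
corecmd_shell_domtrans($1_crontab_t,$2)
domain_use_interactive_fds($1_crontab_t)
files_read_etc_files($1_crontab_t)
files_dontaudit_search_pids($1_crontab_t)
libs_use_ld_so($1_crontab_t)
libs_use_shared_libs($1_crontab_t)
logging_send_syslog_msg($1_crontab_t)
miscfiles_read_localization($1_crontab_t)
seutil_read_config($1_crontab_t)
userdom_manage_user_tmp_dirs($1,$1_crontab_t)
userdom_manage_user_tmp_files($1,$1_crontab_t)
# Access terminals.
userdom_use_user_terminals($1,$1_crontab_t)
# Read user crontabs
userdom_read_user_home_content_files($1,$1_crontab_t)
# Single tmp transition covering every class the editor may create.
userdom_transition_user_tmp($1,$1_crontab_t, { lnk_file file dir fifo_file })
tunable_policy(`fcron_crond',`
# fcron wants an instant update of a crontab change for the administrator
# also crontab does a security check for crontab -u
dontaudit $1_crontab_t crond_t:process signal;
')
optional_policy(`
nscd_socket_use($1_crontab_t)
')
# Dead block: TODO is never defined, and $1_home_dir_t is not required
# above, so this is kept only as a reminder.
ifdef(`TODO',`
# Read user crontabs
dontaudit $1_crontab_t $1_home_dir_t:dir write;
') dnl endif TODO
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `cron_per_role_template'($*)) dnl
')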
#######################################
##
## The administrative functions template for the cron module.
##
##
##
## This template creates rules for administrating the cron service,
## allowing the specified user to manage other user crontabs.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
#
define(`cron_admin_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `cron_admin_template'($*)) dnl
gen_require(`
attribute cron_spool_type;
type $1_crontab_t, $1_crond_t;
')
# Argument: user prefix of an already-created per-role cron domain pair.
# Allow our crontab domain to unlink a user cron spool file.
# This covers every type carrying cron_spool_type, i.e. the spool
# files of all users, which is the point of the admin template.
allow $1_crontab_t cron_spool_type:file { getattr read unlink };
logging_read_generic_logs($1_crond_t)
# Manipulate other users crontab.
# The SELinux userspace queries below let crontab compute and validate
# the context of the target users spool file.
selinux_get_fs_mount($1_crontab_t)
selinux_validate_context($1_crontab_t)
selinux_compute_access_vector($1_crontab_t)
selinux_compute_create_context($1_crontab_t)
selinux_compute_relabel_context($1_crontab_t)
selinux_compute_user_contexts($1_crontab_t)
tunable_policy(`fcron_crond', `
# fcron wants an instant update of a crontab change for the administrator
# also crontab does a security check for crontab -u
allow $1_crontab_t self:process setfscreate;
# selinux_get_fs_mount is already granted unconditionally above, so
# this call only repeats it.
selinux_get_fs_mount($1_crontab_t)
')
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `cron_admin_template'($*)) dnl
')
########################################
##
## Make the specified program domain accessible
## from the system cron jobs.
##
##
##
## The type of the process to transition to.
##
##
##
##
## The type of the file used as an entrypoint to this domain.
##
##
#
define(`cron_system_entry',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `cron_system_entry'($*)) dnl
# Make domain $1 reachable from system cron jobs: when system_crond_t
# executes a file of type $2 the process transitions into $1.
gen_require(`
type crond_t, system_crond_t;
')
domain_auto_trans(system_crond_t, $2, $1)
# cjp: perhaps these six rules from the old
# domain_auto_trans are not needed?
# They let the new domain use inherited descriptors and pipes from, and
# report its exit to, both the system job domain and the daemon itself.
allow $1 system_crond_t:fd use;
allow $1 system_crond_t:fifo_file rw_file_perms;
allow $1 system_crond_t:process sigchld;
allow $1 crond_t:fifo_file rw_file_perms;
allow $1 crond_t:fd use;
allow $1 crond_t:process sigchld;
# System cron jobs run in system_r, so $1 must be valid for that role.
role system_r types $1;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `cron_system_entry'($*)) dnl
')
########################################
##
## Inherit and use a file descriptor
## from the cron daemon.
##
##
##
## Domain allowed access.
##
##
#
define(`cron_use_fds',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `cron_use_fds'($*)) dnl
# Let $1 use file descriptors it inherits from the cron daemon (crond_t).
gen_require(`
type crond_t;
')
allow $1 crond_t:fd use;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `cron_use_fds'($*)) dnl
')
########################################
##
## Send a SIGCHLD signal to the cron daemon.
##
##
##
## Domain allowed access.
##
##
#
define(`cron_sigchld',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `cron_sigchld'($*)) dnl
# Let $1 deliver SIGCHLD to crond_t, i.e. report its exit to the daemon.
gen_require(`
type crond_t;
')
allow $1 crond_t:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `cron_sigchld'($*)) dnl
')
########################################
##
## Read a cron daemon unnamed pipe.
##
##
##
## Domain allowed access.
##
##
#
define(`cron_read_pipes',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `cron_read_pipes'($*)) dnl
# Let $1 read unnamed pipes (fifo_file) created by crond_t.
gen_require(`
type crond_t;
')
allow $1 crond_t:fifo_file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `cron_read_pipes'($*)) dnl
')
########################################
##
## Do not audit attempts to write cron daemon unnamed pipes.
##
##
##
## Domain to not audit.
##
##
#
define(`cron_dontaudit_write_pipes',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `cron_dontaudit_write_pipes'($*)) dnl
# Suppress audit messages when $1 tries to write crond_t pipes.
# Nothing is granted here; the denial is only silenced.
gen_require(`
type crond_t;
')
dontaudit $1 crond_t:fifo_file write;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `cron_dontaudit_write_pipes'($*)) dnl
')
########################################
##
## Read and write a cron daemon unnamed pipe.
##
##
##
## Domain allowed access.
##
##
#
define(`cron_rw_pipes',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `cron_rw_pipes'($*)) dnl
# Let $1 read and write unnamed pipes (fifo_file) created by crond_t.
# An explicit permission set is used here rather than the rw_file_perms
# macro that cron_rw_system_job_pipes uses; the two sets may differ.
gen_require(`
type crond_t;
')
allow $1 crond_t:fifo_file { getattr read write };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `cron_rw_pipes'($*)) dnl
')
########################################
##
## Read temporary files from cron.
##
##
##
## Domain allowed access.
##
##
#
define(`cron_read_tmp_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `cron_read_tmp_files'($*)) dnl
# Let $1 read temporary files of the cron daemon (crond_tmp_t).
gen_require(`
type crond_tmp_t;
')
# Search of the generic tmp directory is needed to reach the files.
files_search_tmp($1)
# NOTE(review): read_file_perms is used here while the sibling
# cron_read_system_job_tmp_files uses r_file_perms; confirm both
# macros expand to the intended set.
allow $1 crond_tmp_t:file read_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `cron_read_tmp_files'($*)) dnl
')
########################################
##
## Read and write cron daemon TCP sockets.
##
##
##
## Domain allowed access.
##
##
#
define(`cron_rw_tcp_sockets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `cron_rw_tcp_sockets'($*)) dnl
# Let $1 read and write TCP sockets it inherits from crond_t.
gen_require(`
type crond_t;
')
allow $1 crond_t:tcp_socket { read write };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `cron_rw_tcp_sockets'($*)) dnl
')
########################################
##
## Search the directory containing user cron tables.
##
##
##
## The type of the process performing this action.
##
##
#
define(`cron_search_spool',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `cron_search_spool'($*)) dnl
# Let $1 search the cron spool directory (cron_spool_t). Search only:
# no listing or access to the crontab files themselves is granted.
gen_require(`
type cron_spool_t;
')
# The parent spool directory must be searchable to reach cron_spool_t.
files_search_spool($1)
allow $1 cron_spool_t:dir search;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `cron_search_spool'($*)) dnl
')
########################################
##
## Inherit and use a file descriptor
## from system cron jobs.
##
##
##
## Domain allowed access.
##
##
#
define(`cron_use_system_job_fds',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `cron_use_system_job_fds'($*)) dnl
# Let $1 use file descriptors inherited from system cron jobs
# (system_crond_t), as opposed to the daemon itself.
gen_require(`
type system_crond_t;
')
allow $1 system_crond_t:fd use;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `cron_use_system_job_fds'($*)) dnl
')
########################################
##
## Write a system cron job unnamed pipe.
##
##
##
## Domain allowed access.
##
##
#
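define(`cron_write_system_job_pipes',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `cron_write_system_job_pipes'($*)) dnl
# Let $1 write unnamed pipes created by system cron jobs. Unnamed pipes
# are the fifo_file class, matching cron_rw_system_job_pipes; the former
# rule targeted the file class, which never matched a pipe.
gen_require(`
type system_crond_t;
')
allow $1 system_crond_t:fifo_file write;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `cron_write_system_job_pipes'($*)) dnl
')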
########################################
##
## Read and write a system cron job unnamed pipe.
##
##
##
## Domain allowed access.
##
##
#
define(`cron_rw_system_job_pipes',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `cron_rw_system_job_pipes'($*)) dnl
# Let $1 read and write unnamed pipes (fifo_file) created by system
# cron jobs (system_crond_t).
gen_require(`
type system_crond_t;
')
allow $1 system_crond_t:fifo_file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `cron_rw_system_job_pipes'($*)) dnl
')
########################################
##
## Read temporary files from the system cron jobs.
##
##
##
## Domain allowed access.
##
##
#
define(`cron_read_system_job_tmp_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `cron_read_system_job_tmp_files'($*)) dnl
# Let $1 read temporary files created by system cron jobs
# (system_crond_tmp_t).
gen_require(`
type system_crond_tmp_t;
')
# Search of the generic tmp directory is needed to reach the files.
files_search_tmp($1)
allow $1 system_crond_tmp_t:file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `cron_read_system_job_tmp_files'($*)) dnl
')
########################################
##
## Do not audit attempts to append temporary
## files from the system cron jobs.
##
##
##
## Domain to not audit.
##
##
#
define(`cron_dontaudit_append_system_job_tmp_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `cron_dontaudit_append_system_job_tmp_files'($*)) dnl
# Suppress audit messages when $1 tries to append to system cron job
# temporary files. Nothing is granted; the denial is only silenced.
gen_require(`
type system_crond_tmp_t;
')
dontaudit $1 system_crond_tmp_t:file append;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `cron_dontaudit_append_system_job_tmp_files'($*)) dnl
')
########################################
##
## Do not audit attempts to read and write cron daemon TCP sockets.
##
##
##
## Domain to not audit.
##
##
#
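define(`cron_dontaudit_rw_tcp_sockets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `cron_dontaudit_rw_tcp_sockets'($*)) dnl
# Suppress audit messages when $1 tries to read or write TCP sockets
# inherited from crond_t. This must be a dontaudit rule: the previous
# allow rule silently granted the access this interface is only meant
# to hide. Callers that need the access use cron_rw_tcp_sockets.
gen_require(`
type crond_t;
')
dontaudit $1 crond_t:tcp_socket { read write };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `cron_dontaudit_rw_tcp_sockets'($*)) dnl
')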
########################################
##
## Manage runtime files used by cron
##
##
##
## Domain allowed access.
##
##
#
define(`cron_manage_pid_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `cron_manage_pid_files'($*)) dnl
# Let $1 manage the cron runtime (pid) files: crond_var_run_t is both
# the container directory type and the file type for the pattern.
gen_require(`
type crond_var_run_t;
')
manage_files_pattern($1, crond_var_run_t, crond_var_run_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `cron_manage_pid_files'($*)) dnl
')
## Common UNIX printing system
########################################
##
## Execute cups in the cups domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`cups_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `cups_domtrans'($*)) dnl
# Let $1 execute cupsd_exec_t and transition into the cupsd_t domain.
gen_require(`
type cupsd_t, cupsd_exec_t;
')
domtrans_pattern($1, cupsd_exec_t, cupsd_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `cups_domtrans'($*)) dnl
')
########################################
##
## Set up cups to transition to the cups backend domain
##
##
##
## The type of the process performing this action.
##
##
#
define(`cups_backend',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `cups_backend'($*)) dnl
# Register $1 as a cups backend domain: cupsd_t transitions into $1 when
# it executes a file of type $2. NOTE(review): the doc block above lists
# only one parameter, but the body uses two ($1 = backend domain,
# $2 = entrypoint file type).
gen_require(`
type cupsd_t;
')
domtrans_pattern(cupsd_t, $2, $1)
# The daemon may signal its backend; the backend may talk back over the
# already-connected unix stream socket.
allow cupsd_t $1:process signal;
allow $1 cupsd_t:unix_stream_socket connected_stream_socket_perms;
cups_read_config($1)
cups_append_log($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `cups_backend'($*)) dnl
')
########################################
##
## Connect to cupsd over a unix domain stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`cups_stream_connect',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `cups_stream_connect'($*)) dnl
# Let $1 connect to cupsd_t through its unix socket file under the
# cups pid directory (cupsd_var_run_t).
gen_require(`
type cupsd_t, cupsd_var_run_t;
')
# Path walk: generic pid directory, then the cups pid directory.
files_search_pids($1)
allow $1 cupsd_var_run_t:dir search;
# getattr and write on the socket file are what connect() needs.
allow $1 cupsd_var_run_t:sock_file { getattr write };
allow $1 cupsd_t:unix_stream_socket connectto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `cups_stream_connect'($*)) dnl
')
########################################
##
## Connect to cups over TCP. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`cups_tcp_connect',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `cups_tcp_connect'($*)) dnl
# Deprecated: expands only to a build-time warning and grants nothing.
refpolicywarn(`$0($*) has been deprecated.')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `cups_tcp_connect'($*)) dnl
')
########################################
##
## Send and receive messages from
## cups over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`cups_dbus_chat',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `cups_dbus_chat'($*)) dnl
# Two-way dbus messaging between $1 and cupsd_t.
gen_require(`
type cupsd_t;
class dbus send_msg;
')
allow $1 cupsd_t:dbus send_msg;
allow cupsd_t $1:dbus send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `cups_dbus_chat'($*)) dnl
')
########################################
##
## Read cups PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`cups_read_pid_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `cups_read_pid_files'($*)) dnl
# Let $1 read files in the cups pid directory (cupsd_var_run_t).
gen_require(`
type cupsd_var_run_t;
')
files_search_pids($1)
allow $1 cupsd_var_run_t:file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `cups_read_pid_files'($*)) dnl
')
########################################
##
## Execute cups_config in the cups_config domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`cups_domtrans_config',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `cups_domtrans_config'($*)) dnl
# Let $1 execute cupsd_config_exec_t and transition into cupsd_config_t.
# Written as domain_auto_trans plus explicit fd/pipe/sigchld rules,
# unlike cups_domtrans which uses domtrans_pattern.
gen_require(`
type cupsd_config_t, cupsd_config_exec_t;
')
domain_auto_trans($1,cupsd_config_exec_t,cupsd_config_t)
# Descriptors flow both ways; pipes and exit reporting from the child.
allow $1 cupsd_config_t:fd use;
allow cupsd_config_t $1:fd use;
allow cupsd_config_t $1:fifo_file rw_file_perms;
allow cupsd_config_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `cups_domtrans_config'($*)) dnl
')
########################################
##
## Send generic signals to the cups
## configuration daemon.
##
##
##
## Domain allowed access.
##
##
#
define(`cups_signal_config',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `cups_signal_config'($*)) dnl
# Let $1 send generic signals (signal permission, not sigkill or
# sigstop) to the cups configuration daemon.
gen_require(`
type cupsd_config_t;
')
allow $1 cupsd_config_t:process signal;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `cups_signal_config'($*)) dnl
')
########################################
##
## Send and receive messages from
## cupsd_config over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`cups_dbus_chat_config',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `cups_dbus_chat_config'($*)) dnl
# Two-way dbus messaging between $1 and cupsd_config_t.
gen_require(`
type cupsd_config_t;
class dbus send_msg;
')
allow $1 cupsd_config_t:dbus send_msg;
allow cupsd_config_t $1:dbus send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `cups_dbus_chat_config'($*)) dnl
')
########################################
##
## Read cups configuration files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`cups_read_config',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `cups_read_config'($*)) dnl
# Let $1 read both the static (cupsd_etc_t) and the cups-writable
# (cupsd_rw_etc_t) configuration files. Read-only: getattr and read.
gen_require(`
type cupsd_etc_t, cupsd_rw_etc_t;
')
files_search_etc($1)
allow $1 cupsd_etc_t:dir search_dir_perms;
allow $1 cupsd_etc_t:file { getattr read };
allow $1 cupsd_rw_etc_t:file { getattr read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `cups_read_config'($*)) dnl
')
########################################
##
## Read cups-writable configuration files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`cups_read_rw_config',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `cups_read_rw_config'($*)) dnl
# Narrower variant of cups_read_config: $1 may read only the
# cups-writable configuration files (cupsd_rw_etc_t); the static
# cupsd_etc_t directory is searchable but its files are not readable.
gen_require(`
type cupsd_etc_t, cupsd_rw_etc_t;
')
files_search_etc($1)
allow $1 cupsd_etc_t:dir search_dir_perms;
allow $1 cupsd_rw_etc_t:file { getattr read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `cups_read_rw_config'($*)) dnl
')
########################################
##
## Read cups log files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`cups_read_log',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `cups_read_log'($*)) dnl
# Let $1 read cups log files (cupsd_log_t): getattr and read only.
gen_require(`
type cupsd_log_t;
')
logging_search_logs($1)
allow $1 cupsd_log_t:file { getattr read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `cups_read_log'($*)) dnl
')
########################################
##
## Append cups log files.
##
##
##
## Domain allowed access.
##
##
#
define(`cups_append_log',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `cups_append_log'($*)) dnl
# Let $1 append to cups log files. Append-only is the safer choice for
# log writers; cups_write_log grants plain write instead.
gen_require(`
type cupsd_log_t;
')
logging_search_logs($1)
# cupsd_log_t serves as both the container directory and the file type.
append_files_pattern($1, cupsd_log_t, cupsd_log_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `cups_append_log'($*)) dnl
')
########################################
##
## Write cups log files.
##
##
##
## Domain allowed access.
##
##
#
define(`cups_write_log',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `cups_write_log'($*)) dnl
# Let $1 write (not just append) cups log files. Prefer cups_append_log
# for callers that only need to add log lines.
gen_require(`
type cupsd_log_t;
')
logging_search_logs($1)
allow $1 cupsd_log_t:file write;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `cups_write_log'($*)) dnl
')
########################################
##
## Connect to ptal over a unix domain stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`cups_stream_connect_ptal',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `cups_stream_connect_ptal'($*)) dnl
# Let $1 connect to ptal_t through its unix socket file under the ptal
# pid directory (ptal_var_run_t).
gen_require(`
type ptal_t, ptal_var_run_t;
')
files_search_pids($1)
allow $1 ptal_var_run_t:dir search;
# Only write on the socket file here, unlike cups_stream_connect which
# also grants getattr.
allow $1 ptal_var_run_t:sock_file write;
allow $1 ptal_t:unix_stream_socket connectto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `cups_stream_connect_ptal'($*)) dnl
')
## Concurrent versions system
########################################
##
## Read the CVS data and metadata.
##
##
##
## Domain allowed access.
##
##
#
define(`cvs_read_data',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `cvs_read_data'($*)) dnl
# Let $1 read CVS repository files (cvs_data_t). No directory access
# is granted here; the caller must already be able to reach the files.
gen_require(`
type cvs_data_t;
')
allow $1 cvs_data_t:file { getattr read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `cvs_read_data'($*)) dnl
')
########################################
##
## Allow the specified domain to execute cvs
## in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`cvs_exec',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `cvs_exec'($*)) dnl
# Let $1 execute the cvs binary (cvs_exec_t) without a domain
# transition, i.e. cvs keeps running in the caller domain.
gen_require(`
type cvs_exec_t;
')
can_exec($1,cvs_exec_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `cvs_exec'($*)) dnl
')
## Cyrus is an IMAP service intended to be run on sealed servers
########################################
##
## Allow caller to create, read, write,
## and delete cyrus data files.
##
##
##
## Domain allowed access.
##
##
#
define(`cyrus_manage_data',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `cyrus_manage_data'($*)) dnl
# Let $1 create, read, write and delete files under the cyrus data
# directory (cyrus_var_lib_t). Directories get rw_dir_perms only, so
# subdirectories cannot be created or removed through this interface.
gen_require(`
type cyrus_var_lib_t;
')
files_search_var_lib($1)
allow $1 cyrus_var_lib_t:dir rw_dir_perms;
allow $1 cyrus_var_lib_t:file manage_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `cyrus_manage_data'($*)) dnl
')
########################################
##
## Connect to Cyrus using a unix domain stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`cyrus_stream_connect',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `cyrus_stream_connect'($*)) dnl
# Let $1 connect to cyrus_t through a unix socket file kept under the
# cyrus data directory (cyrus_var_lib_t) rather than a pid directory.
gen_require(`
type cyrus_t, cyrus_var_lib_t;
')
files_search_var_lib($1)
allow $1 cyrus_var_lib_t:dir search;
allow $1 cyrus_var_lib_t:sock_file write;
allow $1 cyrus_t:unix_stream_socket connectto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `cyrus_stream_connect'($*)) dnl
')
## Dante msproxy and socks4/5 proxy server
## Dictionary server for the SKK Japanese input method system.
## Desktop messaging bus
########################################
##
## DBUS stub interface. No access allowed.
##
##
##
## N/A
##
##
#
define(`dbus_stub',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dbus_stub'($*)) dnl
# Stub: only requires that system_dbusd_t exists; no rules are emitted
# and the $1 parameter is unused.
gen_require(`
type system_dbusd_t;
')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dbus_stub'($*)) dnl
')
#######################################
##
## The per role template for the dbus module.
##
##
##
## This template creates a derived domain which is
## used for the user dbus.
##
##
## This template is invoked automatically for each user, and
## generally does not need to be invoked directly
## by policy writers.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## The type of the user domain.
##
##
##
##
## The role associated with the user domain.
##
##
#
define(`dbus_per_role_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dbus_per_role_template'($*)) dnl
# Per-role dbus template. $1 = user prefix, $2 = user domain type,
# $3 = user role. Creates the session bus domain $1_dbusd_t, its tmp
# type, and the dbus context $1_dbusd_$1_t the user domain is changed
# to when it talks on that bus.
gen_require(`
type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t;
class dbus { send_msg acquire_svc };
')
##############################
#
# Declarations
#
type $1_dbusd_t;
domain_type($1_dbusd_t)
domain_entry_file($1_dbusd_t,system_dbusd_exec_t)
role $3 types $1_dbusd_t;
# Context used for the type_change of $2 on this bus (see below).
type $1_dbusd_$1_t;
type $1_dbusd_tmp_t;
files_tmp_file($1_dbusd_tmp_t)
##############################
#
# Local policy
#
# NOTE(review): self ptrace is granted to the session bus here; confirm
# it is actually needed, as it is a broad permission.
allow $1_dbusd_t self:process { getattr sigkill signal ptrace };
allow $1_dbusd_t self:file { getattr read write };
allow $1_dbusd_t self:dbus { send_msg acquire_svc };
allow $1_dbusd_t self:unix_stream_socket create_stream_socket_perms;
allow $1_dbusd_t self:unix_dgram_socket create_socket_perms;
allow $1_dbusd_t self:tcp_socket create_stream_socket_perms;
logging_send_audit_msgs($1_dbusd_t)
# SELinux enforcement inside the bus: the netlink selinux socket is
# used to receive policy-change notifications.
allow $1_dbusd_t self:netlink_selinux_socket create_socket_perms;
# For connecting to the bus
allow $2 $1_dbusd_t:unix_stream_socket connectto;
type_change $2 $1_dbusd_t:dbus $1_dbusd_$1_t;
# SE-DBus specific permissions
allow $1_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg;
allow $2 $1_dbusd_t:dbus { send_msg acquire_svc };
# NOTE(review): this rule and the corecmd/fd/fifo rules further down use
# $1_t where the rest of the template uses the $2 parameter; the two are
# only equivalent when $2 is $1_t. Confirm with the callers.
allow $1_t system_dbusd_t:dbus { send_msg acquire_svc };
allow $1_dbusd_t dbusd_etc_t:dir r_dir_perms;
allow $1_dbusd_t dbusd_etc_t:file r_file_perms;
allow $1_dbusd_t dbusd_etc_t:lnk_file { getattr read };
allow $1_dbusd_t $1_dbusd_tmp_t:dir create_dir_perms;
allow $1_dbusd_t $1_dbusd_tmp_t:file create_file_perms;
files_tmp_filetrans($1_dbusd_t, $1_dbusd_tmp_t, { file dir })
domain_use_interactive_fds($1_dbusd_t)
# The user domain starts the session bus by executing system_dbusd_exec_t.
domain_auto_trans($2, system_dbusd_exec_t, $1_dbusd_t)
allow $2 $1_dbusd_t:fd use;
allow $1_dbusd_t $2:fd use;
allow $1_dbusd_t $2:fifo_file rw_file_perms;
allow $1_dbusd_t $2:process sigchld;
allow $2 $1_dbusd_t:process { sigkill signal };
kernel_read_system_state($1_dbusd_t)
kernel_read_kernel_sysctls($1_dbusd_t)
# NOTE(review): the session bus is given TCP send/receive on all ports
# and may bind reserved ports; confirm this breadth is required.
corenet_non_ipsec_sendrecv($1_dbusd_t)
corenet_tcp_sendrecv_all_if($1_dbusd_t)
corenet_tcp_sendrecv_all_nodes($1_dbusd_t)
corenet_tcp_sendrecv_all_ports($1_dbusd_t)
corenet_tcp_bind_all_nodes($1_dbusd_t)
corenet_tcp_bind_reserved_port($1_dbusd_t)
dev_read_urand($1_dbusd_t)
fs_getattr_romfs($1_dbusd_t)
fs_getattr_xattr_fs($1_dbusd_t)
# Needed for the bus to compute and validate dbus contexts itself.
selinux_get_fs_mount($1_dbusd_t)
selinux_validate_context($1_dbusd_t)
selinux_compute_access_vector($1_dbusd_t)
selinux_compute_create_context($1_dbusd_t)
selinux_compute_relabel_context($1_dbusd_t)
selinux_compute_user_contexts($1_dbusd_t)
# Services activated by the bus run in the user domain, not in the bus domain.
corecmd_bin_domtrans($1_dbusd_t, $1_t)
allow $1_t $1_dbusd_t:fd use;
allow $1_t $1_dbusd_t:fifo_file rw_file_perms;
allow $1_t $1_dbusd_t:process sigchld;
ifdef(`hide_broken_symptoms', `
dontaudit $1_t $1_dbusd_t:netlink_selinux_socket { read write };
');
corecmd_list_bin($1_dbusd_t)
corecmd_read_bin_symlinks($1_dbusd_t)
corecmd_read_bin_files($1_dbusd_t)
corecmd_read_bin_pipes($1_dbusd_t)
corecmd_read_bin_sockets($1_dbusd_t)
corecmd_list_sbin($1_dbusd_t)
corecmd_read_sbin_symlinks($1_dbusd_t)
corecmd_read_sbin_files($1_dbusd_t)
corecmd_read_sbin_pipes($1_dbusd_t)
corecmd_read_sbin_sockets($1_dbusd_t)
files_read_etc_files($1_dbusd_t)
files_list_home($1_dbusd_t)
files_read_usr_files($1_dbusd_t)
files_dontaudit_search_var($1_dbusd_t)
userdom_read_user_home_content_files($1, $1_dbusd_t)
auth_read_pam_console_data($1_dbusd_t)
libs_use_ld_so($1_dbusd_t)
libs_use_shared_libs($1_dbusd_t)
logging_send_syslog_msg($1_dbusd_t)
miscfiles_read_localization($1_dbusd_t)
seutil_read_config($1_dbusd_t)
seutil_read_default_contexts($1_dbusd_t)
sysnet_read_config($1_dbusd_t)
tunable_policy(`read_default_t',`
files_list_default($1_dbusd_t)
files_read_default_files($1_dbusd_t)
files_read_default_symlinks($1_dbusd_t)
files_read_default_sockets($1_dbusd_t)
files_read_default_pipes($1_dbusd_t)
')
optional_policy(`
hal_dbus_chat($1_dbusd_t)
')
optional_policy(`
nscd_socket_use($1_dbusd_t)
')
optional_policy(`
xserver_use_xdm_fds($1_dbusd_t)
xserver_rw_xdm_pipes($1_dbusd_t)
')
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dbus_per_role_template'($*)) dnl
')
#######################################
##
## Template for creating connections to
## the system DBUS.
##
##
##
## The prefix of the domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## The type of the domain.
##
##
#
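define(`dbus_system_bus_client_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dbus_system_bus_client_template'($*)) dnl
# System bus client template. $2 is the domain type that connects to
# system_dbusd_t; $1 (the prefix) is not referenced by any active rule
# below and is kept only for the documented interface.
# system_dbusd_t was previously listed twice in the require block.
gen_require(`
type system_dbusd_t;
type system_dbusd_var_run_t, system_dbusd_var_lib_t;
class dbus send_msg;
')
# type $1_dbusd_system_t;
# type_change $2 system_dbusd_t:dbus $1_dbusd_system_t;
# SE-DBus specific permissions
# allow $1_dbusd_system_t { system_dbusd_t self }:dbus send_msg;
allow $2 { system_dbusd_t $2 }:dbus send_msg;
read_files_pattern($2, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
files_search_var_lib($2)
# For connecting to the bus
files_search_pids($2)
stream_connect_pattern($2,system_dbusd_var_run_t,system_dbusd_var_run_t,system_dbusd_t)
dbus_read_config($2)
optional_policy(`
rpm_script_dbus_chat($2)
')
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dbus_system_bus_client_template'($*)) dnl
')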
#######################################
##
## Template for creating connections to
## a user DBUS.
##
##
##
## The prefix of the domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## The prefix of the client domain; it is used
## to derive the $2_dbusd_$1_t type.
##
##
##
##
## The type of the domain.
##
##
#
define(`dbus_user_bus_client_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dbus_user_bus_client_template'($*)) dnl
gen_require(`
type $1_dbusd_t;
class dbus send_msg;
')
# Template: $1 = prefix of the bus owner, $2 = prefix of the client,
# $3 = client domain type.
# Declares the derived type $2_dbusd_$1_t and maps the $3 / $1_dbusd_t
# pair onto it for the dbus class, so bus permissions for this client
# can be written against the derived type rather than against $3.
type $2_dbusd_$1_t;
type_change $3 $1_dbusd_t:dbus $2_dbusd_$1_t;
# SE-DBus specific permissions
allow $2_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg;
# For connecting to the bus
# NOTE(review): only connectto on the daemon socket is granted here;
# search and write on the socket file itself are not, so the caller
# presumably provides those - confirm.
allow $3 $1_dbusd_t:unix_stream_socket connectto;
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dbus_user_bus_client_template'($*)) dnl
')
########################################
##
## Send a message on user/application specific DBUS.
##
##
##
## The prefix of the domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain allowed access.
##
##
#
define(`dbus_send_user_bus',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dbus_send_user_bus'($*)) dnl
gen_require(`
type $1_dbusd_t;
class dbus send_msg;
')
# $1 = bus owner prefix, $2 = domain allowed access.
# Grants only the dbus send_msg permission toward the $1 bus daemon;
# connecting to its socket is a separate grant, see dbus_connectto_user_bus.
allow $2 $1_dbusd_t:dbus send_msg;
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dbus_send_user_bus'($*)) dnl
')
########################################
##
## Connect to a user/application specific DBUS over a unix stream socket.
##
##
##
## The prefix of the domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain allowed access.
##
##
#
define(`dbus_connectto_user_bus',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dbus_connectto_user_bus'($*)) dnl
gen_require(`
type $1_dbusd_t;
')
# $1 = bus owner prefix, $2 = domain allowed access.
# Grants only unix_stream_socket connectto on the $1 bus daemon;
# sending messages on the bus is the dbus-class permission granted
# by dbus_send_user_bus, and access to the socket file is not included.
allow $2 $1_dbusd_t:unix_stream_socket connectto;
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dbus_connectto_user_bus'($*)) dnl
')
########################################
##
## Read dbus configuration.
##
##
##
## Domain allowed access.
##
##
#
define(`dbus_read_config',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dbus_read_config'($*)) dnl
gen_require(`
type dbusd_etc_t;
')
# $1 = domain allowed access.
# Read-only: list dbusd_etc_t directories and read their files.
# NOTE(review): search on the parent etc directory is not granted here,
# so callers appear to need files_search_etc separately - confirm.
allow $1 dbusd_etc_t:dir list_dir_perms;
allow $1 dbusd_etc_t:file read_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dbus_read_config'($*)) dnl
')
########################################
##
## Connect to the system DBUS
## for service (acquire_svc).
##
##
##
## Domain allowed access.
##
##
#
define(`dbus_connect_system_bus',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dbus_connect_system_bus'($*)) dnl
gen_require(`
type system_dbusd_t;
class dbus acquire_svc;
')
# $1 = domain allowed access.
# Grants only the acquire_svc permission on the system bus daemon,
# i.e. the SE-DBus check for taking a service name on the bus.
# Sending messages is a separate grant, see dbus_send_system_bus.
allow $1 system_dbusd_t:dbus acquire_svc;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dbus_connect_system_bus'($*)) dnl
')
########################################
##
## Send a message on the system DBUS.
##
##
##
## Domain allowed access.
##
##
#
define(`dbus_send_system_bus',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dbus_send_system_bus'($*)) dnl
gen_require(`
type system_dbusd_t;
class dbus send_msg;
')
# $1 = domain allowed access.
# Grants only dbus send_msg toward the system bus daemon. It does not
# grant the socket connect or the config read that a client also needs;
# dbus_system_bus_client_template bundles those.
allow $1 system_dbusd_t:dbus send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dbus_send_system_bus'($*)) dnl
')
########################################
##
## Allow unconfined access to the system DBUS.
##
##
##
## Domain allowed access.
##
##
#
define(`dbus_system_bus_unconfined',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dbus_system_bus_unconfined'($*)) dnl
gen_require(`
type system_dbusd_t;
class dbus all_dbus_perms;
')
# $1 = domain allowed access.
# The wildcard grants every permission in the dbus class on the system
# bus daemon, including any permission added to the class in the future.
# Meant for unconfined domains only; confined callers should use
# dbus_send_system_bus and dbus_connect_system_bus instead.
allow $1 system_dbusd_t:dbus *;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dbus_system_bus_unconfined'($*)) dnl
')
########################################
##
## Do not audit attempts to read or write the system_dbusd_t netlink selinux socket.
##
##
##
## Domain allowed access.
##
##
#
define(`dbus_dontaudit_rw_system_selinux_socket',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dbus_dontaudit_rw_system_selinux_socket'($*)) dnl
gen_require(`
type system_dbusd_t;
')
# $1 = domain whose denials are silenced.
# dontaudit only: nothing is granted, the read/write denials from $1 on
# the netlink_selinux_socket of the system bus daemon simply stop being
# logged. dbus_system_domain enables this under hide_broken_symptoms.
dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dbus_dontaudit_rw_system_selinux_socket'($*)) dnl
')
########################################
##
## Create a domain for processes
## which can be started by the system dbus
##
##
##
## Type to be used as a domain.
##
##
##
##
## Type of the program to be used as an entry point to this domain.
##
##
#
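define(`dbus_system_domain',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dbus_system_domain'($*)) dnl
gen_require(`
type system_dbusd_t;
role system_r;
')
# $1 = new domain type, $2 = its entrypoint executable type.
# Makes $1 a domain with $2 as an entrypoint and authorizes it for system_r.
domain_type($1)
domain_entry_file($1,$2)
role system_r types $1;
# Only the system bus daemon is given an automatic transition into $1
# when it executes $2.
domtrans_pattern(system_dbusd_t,$2,$1)
# The new domain is itself a client of the system bus and may acquire
# a service name on it.
dbus_system_bus_client_template($1,$1)
dbus_connect_system_bus($1)
# Build-time switch: expands to nothing unless hide_broken_symptoms is
# defined. No statement terminator belongs after the ifdef - the macro
# call already expands to complete rules.
ifdef(`hide_broken_symptoms', `
dbus_dontaudit_rw_system_selinux_socket($1)
')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dbus_system_domain'($*)) dnl
')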
## Distributed checksum clearinghouse spam filtering
########################################
##
## Execute cdcc in the cdcc domain.
##
##
##
## Domain allowed access.
##
##
#
define(`dcc_domtrans_cdcc',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dcc_domtrans_cdcc'($*)) dnl
gen_require(`
type cdcc_t, cdcc_exec_t;
')
# $1 = domain allowed to transition.
# $1 may execute cdcc_exec_t and automatically transition to cdcc_t; the
# resulting cdcc_t process may use the descriptors and fifos it inherits
# from $1 and send $1 sigchld. Nothing else of $1 is exposed.
# NOTE(review): this is the legacy domain_auto_trans plus explicit allows
# shape; dnsmasq_domtrans and exim_domtrans in this file use domtrans_pattern
# for the same purpose. Unifying would need the expanded permission sets
# compared first - TODO.
corecmd_search_sbin($1)
domain_auto_trans($1,cdcc_exec_t,cdcc_t)
allow cdcc_t $1:fd use;
allow cdcc_t $1:fifo_file rw_file_perms;
allow cdcc_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dcc_domtrans_cdcc'($*)) dnl
')
########################################
##
## Execute cdcc in the cdcc domain, and
## allow the specified role the cdcc domain.
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed the cdcc domain.
##
##
##
##
## The type of the terminal the cdcc domain is allowed to use.
##
##
##
#
define(`dcc_run_cdcc',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dcc_run_cdcc'($*)) dnl
gen_require(`
type cdcc_t;
')
# $1 = domain allowed to transition, $2 = role authorized for cdcc_t,
# $3 = terminal type cdcc_t may read and write.
# The transition itself comes from dcc_domtrans_cdcc; this interface only
# adds the role authorization and the terminal access.
dcc_domtrans_cdcc($1)
role $2 types cdcc_t;
allow cdcc_t $3:chr_file rw_term_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dcc_run_cdcc'($*)) dnl
')
########################################
##
## Execute dcc_client in the dcc_client domain.
##
##
##
## Domain allowed access.
##
##
#
define(`dcc_domtrans_client',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dcc_domtrans_client'($*)) dnl
gen_require(`
type dcc_client_t, dcc_client_exec_t;
')
# $1 = domain allowed to transition.
# Same shape as dcc_domtrans_cdcc: $1 executes dcc_client_exec_t and
# transitions to dcc_client_t, which may then use the inherited
# descriptors and fifos of $1 and send it sigchld.
corecmd_search_sbin($1)
domain_auto_trans($1,dcc_client_exec_t,dcc_client_t)
allow dcc_client_t $1:fd use;
allow dcc_client_t $1:fifo_file rw_file_perms;
allow dcc_client_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dcc_domtrans_client'($*)) dnl
')
########################################
##
## Send a signal to the dcc_client.
##
##
##
## Domain allowed access.
##
##
#
define(`dcc_signal_client',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dcc_signal_client'($*)) dnl
gen_require(`
type dcc_client_t;
')
# $1 = domain allowed access.
# Grants the generic signal permission only; sigkill, sigstop and
# sigchld are separate process permissions and are not included.
allow $1 dcc_client_t:process signal;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dcc_signal_client'($*)) dnl
')
########################################
##
## Execute dcc_client in the dcc_client domain, and
## allow the specified role the dcc_client domain.
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed the dcc_client domain.
##
##
##
##
## The type of the terminal the dcc_client domain is allowed to use.
##
##
##
#
define(`dcc_run_client',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dcc_run_client'($*)) dnl
gen_require(`
type dcc_client_t;
')
# $1 = domain allowed to transition, $2 = role authorized for
# dcc_client_t, $3 = terminal type dcc_client_t may read and write.
# Transition rules come from dcc_domtrans_client.
dcc_domtrans_client($1)
role $2 types dcc_client_t;
allow dcc_client_t $3:chr_file rw_term_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dcc_run_client'($*)) dnl
')
########################################
##
## Execute dbclean in the dcc_dbclean domain.
##
##
##
## Domain allowed access.
##
##
#
define(`dcc_domtrans_dbclean',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dcc_domtrans_dbclean'($*)) dnl
gen_require(`
type dcc_dbclean_t, dcc_dbclean_exec_t;
')
# $1 = domain allowed to transition.
# Same shape as dcc_domtrans_cdcc: $1 executes dcc_dbclean_exec_t and
# transitions to dcc_dbclean_t, which may use the inherited descriptors
# and fifos of $1 and send it sigchld.
corecmd_search_sbin($1)
domain_auto_trans($1,dcc_dbclean_exec_t,dcc_dbclean_t)
allow dcc_dbclean_t $1:fd use;
allow dcc_dbclean_t $1:fifo_file rw_file_perms;
allow dcc_dbclean_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dcc_domtrans_dbclean'($*)) dnl
')
########################################
##
## Execute dbclean in the dcc_dbclean domain, and
## allow the specified role the dcc_dbclean domain.
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed the dcc_dbclean domain.
##
##
##
##
## The type of the terminal the dcc_dbclean domain is allowed to use.
##
##
##
#
define(`dcc_run_dbclean',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dcc_run_dbclean'($*)) dnl
gen_require(`
type dcc_dbclean_t;
')
# $1 = domain allowed to transition, $2 = role authorized for
# dcc_dbclean_t, $3 = terminal type dcc_dbclean_t may read and write.
# Transition rules come from dcc_domtrans_dbclean.
dcc_domtrans_dbclean($1)
role $2 types dcc_dbclean_t;
allow dcc_dbclean_t $3:chr_file rw_term_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dcc_run_dbclean'($*)) dnl
')
########################################
##
## Connect to dccifd over a unix domain stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`dcc_stream_connect_dccifd',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dcc_stream_connect_dccifd'($*)) dnl
gen_require(`
type dcc_var_t, dccifd_var_run_t, dccifd_t;
')
# $1 = domain allowed access.
# Minimal set for a unix stream connect: search from the var directory
# down through dcc_var_t, getattr and write on the dccifd socket file,
# and connectto on the dccifd_t socket. No other dccifd access is granted.
files_search_var($1)
allow $1 dcc_var_t:dir search;
allow $1 dccifd_var_run_t:sock_file { getattr write };
allow $1 dccifd_t:unix_stream_socket connectto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dcc_stream_connect_dccifd'($*)) dnl
')
## Update dynamic IP address at DynDNS.org
#######################################
##
## Execute ddclient in the ddclient domain.
##
##
##
## Domain allowed access.
##
##
#
define(`ddclient_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ddclient_domtrans'($*)) dnl
gen_require(`
type ddclient_t, ddclient_exec_t;
')
# $1 = domain allowed to transition.
# $1 executes ddclient_exec_t and transitions to ddclient_t; ddclient_t
# may then use the inherited descriptors and fifos of $1 and send it sigchld.
corecmd_search_sbin($1)
domain_auto_trans($1, ddclient_exec_t, ddclient_t)
# NOTE(review): the next rule grants the caller use of descriptors owned
# by the new ddclient_t domain - the reverse of the usual domtrans shape
# (compare dcc_domtrans_cdcc, which only grants the child the use of the
# caller descriptors). Confirm it is actually needed; dropping it would
# tighten the policy without affecting the transition.
allow $1 ddclient_t:fd use;
allow ddclient_t $1:fd use;
allow ddclient_t $1:fifo_file rw_file_perms;
allow ddclient_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ddclient_domtrans'($*)) dnl
')
## Dynamic host configuration protocol (DHCP) server
########################################
##
## Set the attributes of the DHCP
## server state files.
##
##
##
## Domain allowed access.
##
##
#
define(`dhcpd_setattr_state_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dhcpd_setattr_state_files'($*)) dnl
gen_require(`
type dhcpd_state_t;
')
# $1 = domain allowed access.
# setattr only on dhcpd_state_t files, plus the search of the dhcp state
# directory needed to reach them. No read or write is granted.
sysnet_search_dhcp_state($1)
allow $1 dhcpd_state_t:file setattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dhcpd_setattr_state_files'($*)) dnl
')
## Dictionary daemon
########################################
##
## Use dictionary services by connecting
## over TCP. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`dictd_tcp_connect',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dictd_tcp_connect'($*)) dnl
# Deprecated: only raises a build-time refpolicywarn and grants nothing.
# Kept so existing callers still expand.
refpolicywarn(`$0($*) has been deprecated.')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dictd_tcp_connect'($*)) dnl
')
## Distributed compiler daemon
## small and secure DNS daemon
########################################
##
## Create a set of derived types for djbdns
## components that are directly supervised by daemontools.
##
##
##
## The prefix to be used for deriving type names.
##
##
#
define(`djbdns_daemontools_domain_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `djbdns_daemontools_domain_template'($*)) dnl
# Template: $1 = prefix for the derived type names.
# Declares a daemon domain djbdns_$1_t, its entrypoint djbdns_$1_exec_t
# and a read-only config type djbdns_$1_conf_t, then wires the domain
# into daemontools supervision.
type djbdns_$1_t;
type djbdns_$1_exec_t;
type djbdns_$1_conf_t;
files_config_file(djbdns_$1_conf_t)
domain_type(djbdns_$1_t)
domain_entry_file(djbdns_$1_t,djbdns_$1_exec_t)
# NOTE(review): unlike dbus_system_domain above, system_r is used here
# without a gen_require for it - confirm the calling module already
# requires the role.
role system_r types djbdns_$1_t;
daemontools_service_domain(djbdns_$1_t, djbdns_$1_exec_t)
daemontools_read_svc(djbdns_$1_t)
# Capabilities: bind a privileged port, change uid/gid and chroot.
# sys_chroot and setuid/setgid are presumably for dropping privileges
# after startup - verify against the daemon, since together they are a
# sizeable grant for a network-facing domain.
allow djbdns_$1_t self:capability { net_bind_service setgid setuid sys_chroot };
allow djbdns_$1_t self:tcp_socket create_stream_socket_perms;
allow djbdns_$1_t self:udp_socket create_socket_perms;
# Configuration is read-only for the domain.
allow djbdns_$1_t djbdns_$1_conf_t:dir r_dir_perms;
allow djbdns_$1_t djbdns_$1_conf_t:file r_file_perms;
# Network scope: send/receive on all interfaces, nodes and ports, bind
# on all nodes to the dns port and to generic ports. The all-ports
# send/receive is broad for a DNS component; if a particular component
# only needs the dns port, a narrower set would reduce exposure - TODO.
corenet_non_ipsec_sendrecv(djbdns_$1_t)
corenet_tcp_sendrecv_all_if(djbdns_$1_t)
corenet_udp_sendrecv_all_if(djbdns_$1_t)
corenet_tcp_sendrecv_all_nodes(djbdns_$1_t)
corenet_udp_sendrecv_all_nodes(djbdns_$1_t)
corenet_tcp_sendrecv_all_ports(djbdns_$1_t)
corenet_udp_sendrecv_all_ports(djbdns_$1_t)
corenet_tcp_bind_all_nodes(djbdns_$1_t)
corenet_udp_bind_all_nodes(djbdns_$1_t)
corenet_tcp_bind_dns_port(djbdns_$1_t)
corenet_udp_bind_dns_port(djbdns_$1_t)
corenet_udp_bind_generic_port(djbdns_$1_t)
corenet_sendrecv_dns_server_packets(djbdns_$1_t)
corenet_sendrecv_generic_server_packets(djbdns_$1_t)
files_search_var(djbdns_$1_t)
libs_use_ld_so(djbdns_$1_t)
libs_use_shared_libs(djbdns_$1_t)
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `djbdns_daemontools_domain_template'($*)) dnl
')
## dnsmasq DNS forwarder and DHCP server
########################################
##
## Read dnsmasq pid files
##
##
##
## Domain allowed access.
##
##
#
#
define(`dnsmasq_read_pid_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dnsmasq_read_pid_files'($*)) dnl
gen_require(`
type dnsmasq_var_run_t;
')
# $1 = domain allowed access.
# Read-only access to dnsmasq_var_run_t files; search of the parent pid
# directory is not granted here.
read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dnsmasq_read_pid_files'($*)) dnl
')
########################################
##
## Delete dnsmasq pid files
##
##
##
## Domain allowed access.
##
##
#
#
define(`dnsmasq_delete_pid_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dnsmasq_delete_pid_files'($*)) dnl
gen_require(`
type dnsmasq_var_run_t;
')
# $1 = domain allowed access.
# Delete only: dnsmasq_var_run_t files may be unlinked, but not read or
# written. Search of the parent pid directory is not granted here.
delete_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dnsmasq_delete_pid_files'($*)) dnl
')
########################################
##
## Execute dnsmasq server in the dnsmasq domain.
##
##
##
## The type of the process performing this action.
##
##
#
#
define(`dnsmasq_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dnsmasq_domtrans'($*)) dnl
gen_require(`
type dnsmasq_exec_t;
type dnsmasq_t;
')
# $1 = domain allowed to transition.
# Standard domtrans_pattern shape: $1 executes dnsmasq_exec_t and
# automatically transitions to dnsmasq_t. Bin directory search is granted
# so the executable can be reached.
corecmd_search_bin($1)
domtrans_pattern($1, dnsmasq_exec_t, dnsmasq_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dnsmasq_domtrans'($*)) dnl
')
########################################
##
## Execute the dnsmasq init script in the initrc domain.
##
##
##
## The type of the process performing this action.
##
##
#
#
define(`dnsmasq_initrc_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dnsmasq_initrc_domtrans'($*)) dnl
gen_require(`
type dnsmasq_script_exec_t;
')
# $1 = domain allowed to transition.
# Transition for the dnsmasq init script (dnsmasq_script_exec_t), not for
# the daemon binary; dnsmasq_domtrans covers the daemon itself.
init_script_domtrans_spec($1, dnsmasq_script_exec_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dnsmasq_initrc_domtrans'($*)) dnl
')
########################################
##
## Send dnsmasq a signal
##
##
##
## The type of the process performing this action.
##
##
#
#
define(`dnsmasq_signal',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dnsmasq_signal'($*)) dnl
gen_require(`
type dnsmasq_t;
')
# $1 = domain allowed access.
# Generic signal permission only; sigkill and signull are granted by the
# separate dnsmasq_sigkill and dnsmasq_signull interfaces.
allow $1 dnsmasq_t:process signal;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dnsmasq_signal'($*)) dnl
')
########################################
##
## Send dnsmasq a signull
##
##
##
## Domain allowed access.
##
##
#
#
define(`dnsmasq_signull',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dnsmasq_signull'($*)) dnl
gen_require(`
type dnsmasq_t;
')
# $1 = domain allowed access.
# signull is the existence check (signal 0); it does not allow delivering
# a real signal to dnsmasq_t.
allow $1 dnsmasq_t:process signull;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dnsmasq_signull'($*)) dnl
')
########################################
##
## Send dnsmasq a sigkill
##
##
##
## Domain allowed access.
##
##
#
#
define(`dnsmasq_sigkill',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dnsmasq_sigkill'($*)) dnl
gen_require(`
type dnsmasq_t;
')
# $1 = domain allowed access.
# sigkill only: lets $1 terminate dnsmasq_t outright. Generic signals
# are a separate grant, see dnsmasq_signal.
allow $1 dnsmasq_t:process sigkill;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dnsmasq_sigkill'($*)) dnl
')
## Dovecot POP and IMAP mail server
########################################
##
## Create, read, write, and delete the dovecot spool files.
##
##
##
## Domain allowed access.
##
##
#
define(`dovecot_manage_spool',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dovecot_manage_spool'($*)) dnl
gen_require(`
type dovecot_spool_t;
')
# $1 = domain allowed access.
# Read/write on dovecot_spool_t directories and create-level access on
# its files and symlinks. Search of the parent spool directory is not
# granted here; compare exim_manage_spool, which calls files_search_spool.
allow $1 dovecot_spool_t:dir rw_dir_perms;
allow $1 dovecot_spool_t:file create_file_perms;
allow $1 dovecot_spool_t:lnk_file create_lnk_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dovecot_manage_spool'($*)) dnl
')
########################################
##
## Connect to dovecot auth unix domain stream socket.
##
##
##
## Domain allowed access.
##
##
##
#
define(`dovecot_auth_stream_connect',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dovecot_auth_stream_connect'($*)) dnl
gen_require(`
type dovecot_auth_t, dovecot_var_run_t;
')
# $1 = domain allowed access.
# Minimal set for a unix stream connect to the dovecot auth socket:
# search the dovecot_var_run_t directory, write the socket file, connect
# to dovecot_auth_t. No getattr on the socket file and no search of the
# parent pid directory are granted, unlike dcc_stream_connect_dccifd and
# the files_search_pids call in dbus_system_bus_client_template -
# presumably the caller provides those; confirm.
allow $1 dovecot_var_run_t:dir search;
allow $1 dovecot_var_run_t:sock_file write;
allow $1 dovecot_auth_t:unix_stream_socket connectto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dovecot_auth_stream_connect'($*)) dnl
')
########################################
##
## Execute dovecot_deliver in the dovecot_deliver domain.
##
##
##
## Domain allowed access.
##
##
#
define(`dovecot_domtrans_deliver',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dovecot_domtrans_deliver'($*)) dnl
gen_require(`
type dovecot_deliver_t, dovecot_deliver_exec_t;
')
# $1 = domain allowed to transition.
# Legacy domain_auto_trans shape, as in dcc_domtrans_cdcc: $1 executes
# dovecot_deliver_exec_t and transitions to dovecot_deliver_t, which may
# use the inherited descriptors and fifos of $1 and send it sigchld.
# No bin/sbin search is granted here, so the caller must already be able
# to reach the executable.
domain_auto_trans($1,dovecot_deliver_exec_t,dovecot_deliver_t)
allow dovecot_deliver_t $1:fd use;
allow dovecot_deliver_t $1:fifo_file rw_file_perms;
allow dovecot_deliver_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dovecot_domtrans_deliver'($*)) dnl
')
#######################################
##
## Do not audit attempts to delete dovecot lib files.
##
##
##
## Domain to not audit.
##
##
#
define(`dovecot_dontaudit_unlink_lib_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `dovecot_dontaudit_unlink_lib_files'($*)) dnl
gen_require(`
type dovecot_var_lib_t;
')
# $1 = domain whose denials are silenced.
# dontaudit only: unlink of dovecot_var_lib_t files by $1 stays denied,
# the denial is just not logged.
dontaudit $1 dovecot_var_lib_t:file unlink;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `dovecot_dontaudit_unlink_lib_files'($*)) dnl
')
## Exim service
########################################
##
## Permit transitions to the exim domain
##
##
##
## Domain allowed access.
##
##
#
define(`exim_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `exim_domtrans'($*)) dnl
gen_require(`
type exim_t;
type exim_exec_t;
')
# $1 = domain allowed to transition.
# Standard domtrans_pattern shape: $1 executes exim_exec_t and
# automatically transitions to exim_t. Sbin search is granted so the
# executable can be reached.
corecmd_search_sbin($1)
domtrans_pattern($1, exim_exec_t, exim_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `exim_domtrans'($*)) dnl
')
########################################
##
## Read generated exim configuration
##
##
##
## Domain allowed access.
##
##
#
define(`exim_read_lib',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `exim_read_lib'($*)) dnl
gen_require(`
type exim_var_lib_t;
')
# $1 = domain allowed access.
# Read-only access to exim_var_lib_t files, with the var/lib search to reach them.
# NOTE(review): exim_manage_lib below requires exim_lib_t for the same
# data; one of the two type names is presumably stale, and whichever is
# not declared by the exim module will fail at gen_require time. Verify
# against the exim type declarations.
files_search_var_lib($1)
read_files_pattern($1, exim_var_lib_t, exim_var_lib_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `exim_read_lib'($*)) dnl
')
########################################
##
## Manage generated exim configuration
##
##
##
## Domain allowed access.
##
##
#
define(`exim_manage_lib',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `exim_manage_lib'($*)) dnl
gen_require(`
type exim_lib_t;
')
# $1 = domain allowed access.
# Full manage access to exim_lib_t files, with the var/lib search to reach them.
# NOTE(review): exim_read_lib above uses exim_var_lib_t for the same
# data; the two names cannot both be right. Verify which type the exim
# module declares before relying on this interface.
files_search_var_lib($1)
manage_files_pattern($1, exim_lib_t, exim_lib_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `exim_manage_lib'($*)) dnl
')
########################################
##
## Grants readonly access to Exim logs
##
##
##
## Domain allowed access.
##
##
#
define(`exim_read_logs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `exim_read_logs'($*)) dnl
gen_require(`
type exim_log_t;
')
# $1 = domain allowed access.
# Read-only access to exim_log_t files.
# NOTE(review): only the var directory search is granted; fail2ban_read_log
# in this file uses logging_search_logs for the same purpose. If the exim
# logs live under the generic log directory, that search is missing here.
files_search_var($1)
read_files_pattern($1, exim_log_t, exim_log_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `exim_read_logs'($*)) dnl
')
########################################
##
## Manage exim logs
##
##
##
## Domain allowed access.
##
##
#
define(`exim_manage_logs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `exim_manage_logs'($*)) dnl
gen_require(`
type exim_log_t;
')
# $1 = domain allowed access.
# Full manage access to exim_log_t files, including delete and rename;
# prefer exim_read_logs for consumers that only need to read.
# Same search caveat as exim_read_logs: only the var directory search is
# granted here.
files_search_var($1)
manage_files_pattern($1, exim_log_t, exim_log_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `exim_manage_logs'($*)) dnl
')
########################################
##
## Read contents of exim spool
##
##
##
## Domain allowed access.
##
##
#
define(`exim_read_spool',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `exim_read_spool'($*)) dnl
gen_require(`
type exim_spool_t;
')
# $1 = domain allowed access.
# Read-only: list exim_spool_t directories and read their files, with the
# spool directory search needed to reach them.
files_search_spool($1)
list_dirs_pattern($1, exim_spool_t, exim_spool_t)
read_files_pattern($1, exim_spool_t, exim_spool_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `exim_read_spool'($*)) dnl
')
########################################
##
## Modify/delete contents of exim mail spool
##
##
##
## Domain allowed access.
##
##
#
define(`exim_manage_spool',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `exim_manage_spool'($*)) dnl
gen_require(`
type exim_spool_t;
')
# $1 = domain allowed access.
# Full manage access to exim_spool_t directories and files. Creating the
# spool directory itself under var_spool_t is a separate grant, see
# exim_create_spool.
files_search_spool($1)
manage_dirs_pattern($1, exim_spool_t, exim_spool_t)
manage_files_pattern($1, exim_spool_t, exim_spool_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `exim_manage_spool'($*)) dnl
')
########################################
##
## Create an exim mail spool (implies creating dirs in var_spool_t).
##
##
##
## Domain allowed access.
##
##
#
define(`exim_create_spool',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `exim_create_spool'($*)) dnl
gen_require(`
type var_spool_t;
type exim_spool_t;
')
# $1 = domain allowed access.
# Lets $1 create directories inside var_spool_t and labels the ones it
# creates there as exim_spool_t via the dir type transition. Access to
# the spool contents themselves is not included.
# NOTE(review): requiring the kernel-layer var_spool_t directly from a
# service interface bypasses the files layer; refpolicy normally expresses
# this through a files_ interface for spool file transitions - confirm
# that the layering is acceptable here.
create_dirs_pattern($1, var_spool_t, exim_spool_t)
filetrans_pattern($1, var_spool_t, exim_spool_t, dir)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `exim_create_spool'($*)) dnl
')
## Update firewall filtering to ban IP addresses with too many password failures.
########################################
##
## Execute a domain transition to run fail2ban.
##
##
##
## Domain allowed to transition.
##
##
#
define(`fail2ban_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fail2ban_domtrans'($*)) dnl
gen_require(`
type fail2ban_t, fail2ban_exec_t;
')
# $1 = domain allowed to transition.
# Standard domtrans_pattern shape: $1 executes fail2ban_exec_t and
# automatically transitions to fail2ban_t. No bin/sbin search is granted
# here, so the caller must already be able to reach the executable.
domtrans_pattern($1,fail2ban_exec_t,fail2ban_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fail2ban_domtrans'($*)) dnl
')
########################################
##
## Allow the specified domain to read fail2ban's log files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`fail2ban_read_log',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fail2ban_read_log'($*)) dnl
gen_require(`
type fail2ban_log_t;
')
# Directory search down to the log directory, then listing of the
# fail2ban log directory itself.
logging_search_logs($1)
allow $1 fail2ban_log_t:dir list_dir_perms;
# Hand-listed read set instead of read_file_perms (as used by
# fail2ban_read_pid_files). NOTE(review): the two sets may differ
# (e.g. open/ioctl) - confirm the narrower set is intentional.
allow $1 fail2ban_log_t:file { read getattr lock };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fail2ban_read_log'($*)) dnl
')
########################################
##
## Allow the specified domain to append
## fail2ban log files.
##
##
##
## Domain allowed access.
##
##
#
define(`fail2ban_append_log',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fail2ban_append_log'($*)) dnl
gen_require(`
type fail2ban_log_t;
')
logging_search_logs($1)
allow $1 fail2ban_log_t:dir list_dir_perms;
# Append-only access to existing log files: the caller can add records but
# this interface grants no read, write (overwrite/truncate) or create.
allow $1 fail2ban_log_t:file append_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fail2ban_append_log'($*)) dnl
')
########################################
##
## Read fail2ban PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`fail2ban_read_pid_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `fail2ban_read_pid_files'($*)) dnl
gen_require(`
type fail2ban_var_run_t;
')
# Directory search to reach the pid directory, then read-only access to
# the fail2ban pid file.
files_search_pids($1)
allow $1 fail2ban_var_run_t:file read_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `fail2ban_read_pid_files'($*)) dnl
')
## Remote-mail retrieval and forwarding utility
## Finger user information service.
########################################
##
## Execute fingerd in the fingerd domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`finger_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `finger_domtrans'($*)) dnl
gen_require(`
type fingerd_t, fingerd_exec_t;
')
# Domain transition written out by hand (compare domtrans_pattern in
# fail2ban_domtrans / hal_domtrans): executing fingerd_exec_t moves the
# new process into fingerd_t.
domain_auto_trans($1,fingerd_exec_t,fingerd_t)
# Parent and child may use each others inherited descriptors.
allow $1 fingerd_t:fd use;
allow fingerd_t $1:fd use;
# Child reads/writes pipes inherited from the caller. NOTE(review):
# rw_file_perms on a fifo_file - hal_rw_pipes uses rw_fifo_file_perms
# for the same purpose; confirm which set is intended.
allow fingerd_t $1:fifo_file rw_file_perms;
# Child reports its exit status back to the caller.
allow fingerd_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `finger_domtrans'($*)) dnl
')
########################################
##
## Allow the specified domain to connect to fingerd with a tcp socket. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`finger_tcp_connect',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `finger_tcp_connect'($*)) dnl
# Deprecated: only emits a build-time warning; no rules are generated
# for the caller, so it grants nothing.
refpolicywarn(`$0($*) has been deprecated.')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `finger_tcp_connect'($*)) dnl
')
## File transfer protocol service
#######################################
##
## The per role template for the ftp module.
##
##
##
## This template allows ftpd to manage files in
## a user home directory, creating files with the
## correct type.
##
##
## This template is invoked automatically for each user, and
## generally does not need to be invoked directly
## by policy writers.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
#
define(`ftp_per_role_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ftp_per_role_template'($*)) dnl
# Everything here is conditional on the ftpd_is_daemon tunable: when it is
# on, ftpd_t may fully manage the home-directory content types of the user
# whose prefix is the first argument, and objects of the listed classes that
# ftpd_t creates directly in that home directory are labelled as that users
# home content. When the tunable is off none of these rules apply.
tunable_policy(`ftpd_is_daemon',`
userdom_manage_user_home_content_files($1,ftpd_t)
userdom_manage_user_home_content_symlinks($1,ftpd_t)
userdom_manage_user_home_content_sockets($1,ftpd_t)
userdom_manage_user_home_content_pipes($1,ftpd_t)
userdom_user_home_dir_filetrans_user_home_content($1,ftpd_t,{ dir file lnk_file sock_file fifo_file })
')
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ftp_per_role_template'($*)) dnl
')
########################################
##
## Use ftp by connecting over TCP. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`ftp_tcp_connect',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ftp_tcp_connect'($*)) dnl
# Deprecated: only emits a build-time warning; no rules are generated
# for the caller, so it grants nothing.
refpolicywarn(`$0($*) has been deprecated.')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ftp_tcp_connect'($*)) dnl
')
########################################
##
## Read ftpd etc files
##
##
##
## Domain allowed access.
##
##
#
define(`ftp_read_config',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ftp_read_config'($*)) dnl
gen_require(`
type ftpd_etc_t;
')
# Directory search into /etc, then a hand-listed read set on the ftpd
# configuration files. NOTE(review): ftp_read_log uses r_file_perms for
# the same purpose; the two sets may differ (lock/ioctl/open) - confirm.
files_search_etc($1)
allow $1 ftpd_etc_t:file { getattr read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ftp_read_config'($*)) dnl
')
########################################
##
## Execute FTP daemon entry point programs.
##
##
##
## Domain allowed access.
##
##
#
define(`ftp_check_exec',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ftp_check_exec'($*)) dnl
gen_require(`
type ftpd_exec_t;
')
# Search access to the sbin directories, then x_file_perms on the ftpd
# entry point. No domain transition into ftpd_t is set up here; the caller
# stays in its own domain.
corecmd_search_sbin($1)
allow $1 ftpd_exec_t:file x_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ftp_check_exec'($*)) dnl
')
########################################
##
## Read FTP transfer logs
##
##
##
## Domain allowed access.
##
##
#
define(`ftp_read_log',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ftp_read_log'($*)) dnl
gen_require(`
type xferlog_t;
')
# Directory search to reach the log directory, then read-only access to
# the transfer log (xferlog_t).
logging_search_logs($1)
allow $1 xferlog_t:file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ftp_read_log'($*)) dnl
')
########################################
##
## Execute the ftpdctl program in the ftpdctl domain.
##
##
##
## Domain allowed access.
##
##
#
define(`ftp_domtrans_ftpdctl',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ftp_domtrans_ftpdctl'($*)) dnl
gen_require(`
type ftpdctl_t, ftpdctl_exec_t;
')
# Search access to the bin directories, then a hand-written domain
# transition: executing ftpdctl_exec_t moves the new process into ftpdctl_t.
corecmd_search_bin($1)
domain_auto_trans($1, ftpdctl_exec_t, ftpdctl_t)
# Child may use inherited descriptors and pipes of the caller and report
# its exit status. NOTE(review): unlike finger_domtrans and
# inetd_domtrans_child there is no reverse fd rule (caller using ftpdctl_t
# descriptors) - confirm that omission is intended.
allow ftpdctl_t $1:fd use;
allow ftpdctl_t $1:fifo_file rw_file_perms;
allow ftpdctl_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ftp_domtrans_ftpdctl'($*)) dnl
')
## OpenH.323 Voice-Over-IP Gatekeeper
## General Purpose Mouse driver
########################################
##
## Connect to GPM over a unix domain
## stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`gpm_stream_connect',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `gpm_stream_connect'($*)) dnl
gen_require(`
type gpmctl_t, gpm_t;
')
# Connecting to the gpm control socket needs getattr/write on the socket
# node plus connectto on the listening stream socket owned by gpm_t.
# NOTE(review): gpm_getattr_gpmctl and gpm_setattr_gpmctl call
# dev_list_all_dev_nodes first; callers of this interface may also need
# directory search access to reach the socket node - confirm.
allow $1 gpmctl_t:sock_file { getattr write };
allow $1 gpm_t:unix_stream_socket connectto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `gpm_stream_connect'($*)) dnl
')
########################################
##
## Get the attributes of the GPM
## control channel named socket.
##
##
##
## Domain allowed access.
##
##
#
define(`gpm_getattr_gpmctl',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `gpm_getattr_gpmctl'($*)) dnl
gen_require(`
type gpmctl_t;
')
# Listing device nodes gives the directory access needed to find the
# control socket; only getattr (stat) is then granted on the socket node.
dev_list_all_dev_nodes($1)
allow $1 gpmctl_t:sock_file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `gpm_getattr_gpmctl'($*)) dnl
')
########################################
##
## Do not audit attempts to get the
## attributes of the GPM control channel
## named socket.
##
##
##
## Domain allowed access.
##
##
#
define(`gpm_dontaudit_getattr_gpmctl',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `gpm_dontaudit_getattr_gpmctl'($*)) dnl
gen_require(`
type gpmctl_t;
')
# Silences the AVC denial only; no access is granted. Intended for domains
# that stat the socket incidentally (e.g. while scanning device nodes).
# Use gpm_getattr_gpmctl when the access is actually required.
dontaudit $1 gpmctl_t:sock_file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `gpm_dontaudit_getattr_gpmctl'($*)) dnl
')
########################################
##
## Set the attributes of the GPM
## control channel named socket.
##
##
##
## Domain allowed access.
##
##
#
define(`gpm_setattr_gpmctl',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `gpm_setattr_gpmctl'($*)) dnl
gen_require(`
type gpmctl_t;
')
# Listing device nodes gives the directory access needed to find the
# control socket; setattr (chmod/chown style attribute changes) is then
# granted on the socket node. No read/write/connect is granted here.
dev_list_all_dev_nodes($1)
allow $1 gpmctl_t:sock_file setattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `gpm_setattr_gpmctl'($*)) dnl
')
## Hardware abstraction layer
########################################
##
## Execute hal in the hal domain.
##
##
##
## Domain allowed access.
##
##
#
define(`hal_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `hal_domtrans'($*)) dnl
gen_require(`
type hald_t, hald_exec_t;
')
# Executing hald_exec_t from the caller domain transitions the new process
# into hald_t.
domtrans_pattern($1,hald_exec_t,hald_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `hal_domtrans'($*)) dnl
')
########################################
##
## Do not audit attempts to use file descriptors from hal.
##
##
##
## Domain to not audit.
##
##
#
define(`hal_dontaudit_use_fds',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `hal_dontaudit_use_fds'($*)) dnl
gen_require(`
type hald_t;
')
# Suppresses audit records for using descriptors inherited from hald_t;
# grants nothing. Use hal_use_fds when the access is actually needed.
dontaudit $1 hald_t:fd use;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `hal_dontaudit_use_fds'($*)) dnl
')
########################################
##
## Do not audit attempts to read and write to
## hald unnamed pipes.
##
##
##
## Domain to not audit.
##
##
#
define(`hal_dontaudit_rw_pipes',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `hal_dontaudit_rw_pipes'($*)) dnl
gen_require(`
type hald_t;
')
# Suppresses audit records for reading/writing hald_t pipes; grants
# nothing. hal_rw_pipes is the granting counterpart.
dontaudit $1 hald_t:fifo_file rw_fifo_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `hal_dontaudit_rw_pipes'($*)) dnl
')
########################################
##
## Send to hal over a unix domain
## datagram socket.
##
##
##
## Domain allowed access.
##
##
#
define(`hal_dgram_send',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `hal_dgram_send'($*)) dnl
gen_require(`
type hald_t;
')
# One direction only: the caller may send datagrams to hald_t unix
# sockets. Nothing is granted for hald_t to send back.
allow $1 hald_t:unix_dgram_socket sendto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `hal_dgram_send'($*)) dnl
')
########################################
##
## Send to hal over a unix domain
## stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`hal_stream_connect',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `hal_stream_connect'($*)) dnl
gen_require(`
type hald_t;
')
# connectto on the hald_t listening stream socket. NOTE(review): no access
# to a named socket node is granted here (compare gpm_stream_connect, which
# also allows write on the sock_file); callers connecting through a
# filesystem socket may need that separately - confirm.
allow $1 hald_t:unix_stream_socket connectto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `hal_stream_connect'($*)) dnl
')
########################################
##
## Send a dbus message to hal.
##
##
##
## Domain allowed access.
##
##
#
define(`hal_dbus_send',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `hal_dbus_send'($*)) dnl
# The dbus class is required explicitly alongside the type because it is
# a userspace object class, not a kernel one.
gen_require(`
type hald_t;
class dbus send_msg;
')
# One direction only: the caller may send dbus messages to hald_t.
# hal_dbus_chat grants both directions.
allow $1 hald_t:dbus send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `hal_dbus_send'($*)) dnl
')
########################################
##
## Send and receive messages from
## hal over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`hal_dbus_chat',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `hal_dbus_chat'($*)) dnl
gen_require(`
type hald_t;
class dbus send_msg;
')
# Bidirectional dbus messaging: caller to hald_t and hald_t back to the
# caller. Use hal_dbus_send when only the first direction is needed.
allow $1 hald_t:dbus send_msg;
allow hald_t $1:dbus send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `hal_dbus_chat'($*)) dnl
')
########################################
##
## Read hald tmp files.
##
##
##
## Domain allowed access.
##
##
#
define(`hal_read_tmp_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `hal_read_tmp_files'($*)) dnl
gen_require(`
type hald_tmp_t;
')
# Read-only access to hald tmp files. NOTE(review): no directory search
# access is added here (compare hal_read_pid_files, which calls
# files_search_pids); callers may need to reach the tmp directory - confirm.
allow $1 hald_tmp_t:file read_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `hal_read_tmp_files'($*)) dnl
')
########################################
##
## Do not audit attempts to read or append
## HAL library files
##
##
##
## Domain to not audit.
##
##
#
define(`hal_dontaudit_append_lib_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `hal_dontaudit_append_lib_files'($*)) dnl
gen_require(`
type hald_var_lib_t;
')
# Despite the name this silences both read and append denials on
# hald_var_lib_t files; it grants no access.
dontaudit $1 hald_var_lib_t:file { read_file_perms append_file_perms };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `hal_dontaudit_append_lib_files'($*)) dnl
')
########################################
##
## Read hald PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`hal_read_pid_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `hal_read_pid_files'($*)) dnl
gen_require(`
type hald_var_run_t;
')
# Directory search to reach the pid directory, then read-only access to
# hald pid files. hal_rw_pid_files is the read/write variant.
files_search_pids($1)
allow $1 hald_var_run_t:file read_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `hal_read_pid_files'($*)) dnl
')
########################################
##
## Read/Write hald PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`hal_rw_pid_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `hal_rw_pid_files'($*)) dnl
gen_require(`
type hald_var_run_t;
')
# Directory search to reach the pid directory, then read and write of
# existing hald pid files. Creating or deleting pid files is not part of
# rw_file_perms, so this is narrower than a manage interface.
files_search_pids($1)
allow $1 hald_var_run_t:file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `hal_rw_pid_files'($*)) dnl
')
########################################
##
## Do not audit attempts to write the hal
## log files.
##
##
##
## Domain to not audit
##
##
#
define(`hal_dontaudit_write_log',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `hal_dontaudit_write_log'($*)) dnl
gen_require(`
type hald_log_t;
')
# Silences append/write denials on hald log files; grants nothing.
# hal_write_log is the granting counterpart.
dontaudit $1 hald_log_t:file { append write };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `hal_dontaudit_write_log'($*)) dnl
')
########################################
##
## Allow attempts to write the hal
## log files.
##
##
##
## Domain allowed access.
##
##
#
define(`hal_write_log',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `hal_write_log'($*)) dnl
gen_require(`
type hald_log_t;
')
# Directory search to reach the log directory. Note that rw_file_perms
# grants read as well as write on hald_log_t, which is broader than the
# interface name suggests; an append-only set would be the least-privilege
# choice for a pure log writer.
logging_search_logs($1)
allow $1 hald_log_t:file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `hal_write_log'($*)) dnl
')
########################################
##
## Allow domain to use file descriptors from hal.
##
##
##
## Domain allowed access.
##
##
#
define(`hal_use_fds',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `hal_use_fds'($*)) dnl
gen_require(`
type hald_t;
')
# The caller may use file descriptors it inherited from or was passed by
# hald_t. hal_dontaudit_use_fds is the non-granting counterpart.
allow $1 hald_t:fd use;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `hal_use_fds'($*)) dnl
')
########################################
##
## Allow attempts to read and write to
## hald unnamed pipes.
##
##
##
## Domain allowed access.
##
##
#
define(`hal_rw_pipes',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `hal_rw_pipes'($*)) dnl
gen_require(`
type hald_t;
')
# Read and write on unnamed pipes created by hald_t. hal_dontaudit_rw_pipes
# is the non-granting counterpart.
allow $1 hald_t:fifo_file rw_fifo_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `hal_rw_pipes'($*)) dnl
')
########################################
##
## Allow ptrace of hal domain
##
##
##
## Domain allowed access.
##
##
#
define(`hal_ptrace',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `hal_ptrace'($*)) dnl
gen_require(`
type hald_t;
')
# ptrace lets the caller inspect and control the running hald_t process,
# which in practice gives it whatever hald_t itself can do. Grant this only
# to debugging/administrative domains and keep the set of callers small.
allow $1 hald_t:process ptrace;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `hal_ptrace'($*)) dnl
')
## Port of Apple Rendezvous multicast DNS
########################################
##
## Send generic signals to howl.
##
##
##
## Domain allowed access.
##
##
#
define(`howl_signal',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `howl_signal'($*)) dnl
gen_require(`
type howl_t;
')
# The generic signal permission only: it does not cover sigkill, sigstop
# or sigchld, which are separate process permissions.
allow $1 howl_t:process signal;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `howl_signal'($*)) dnl
')
## IIIMF htt server
########################################
##
## Use i18n_input over a TCP connection. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`i18n_use',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `i18n_use'($*)) dnl
# Deprecated: only emits a build-time warning; no rules are generated
# for the caller, so it grants nothing.
refpolicywarn(`$0($*) has been deprecated.')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `i18n_use'($*)) dnl
')
## iMaze game server
## Internet services daemon.
########################################
##
## Define the specified domain as an inetd service.
##
##
##
## Define the specified domain as an inetd service. The
## inetd_service_domain(), inetd_tcp_service_domain(),
## or inetd_udp_service_domain() interfaces should be used
## instead of this interface, as this interface only provides
## the common rules to these three interfaces.
##
##
##
##
## The type associated with the inetd service process.
##
##
##
##
## The type associated with the process program.
##
##
#
define(`inetd_core_service_domain',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `inetd_core_service_domain'($*)) dnl
gen_require(`
type inetd_t;
role system_r;
')
# Make the service type a domain whose entry point is the program type,
# and allow it to run under the system role.
domain_type($1)
domain_entry_file($1,$2)
role system_r types $1;
# Targeted policy: the inetd -> service transition is gated on a per-domain
# boolean derived from the type name, so confinement of the service can be
# switched off at runtime. The boolean is declared only the first time a
# given domain is seen.
ifdef(`targeted_policy',`
# this regex is a hack, since it assumes there is a
# _t at the end of the domain type. If there is no _t
# at the end of the type, it returns empty!
ifdef(`__define_'regexp($1, `\(\w+\)_t', `\1_disable_trans'),`',`
bool regexp($1, `\(\w+\)_t', `\1_disable_trans') false;
define(`__define_'regexp($1, `\(\w+\)_t', `\1_disable_trans'))
')
if(regexp($1, `\(\w+\)_t', `\1_disable_trans') ) {
# Transition disabled: the program may be executed by unconfined_t and
# initrc_t in their own domains, i.e. the service runs unconfined rather
# than in its own domain. This is the weaker configuration; the note
# below questions whether these are the right subjects.
# can_exec(inetd_t,$2)
# cjp: this must be wrong
gen_require(`
type initrc_t, unconfined_t;
')
can_exec({ unconfined_t initrc_t },$2)
} else {
# Transition enabled: same rules as the non-targeted branch below.
# Keep the two copies in sync.
domain_auto_trans(inetd_t,$2,$1)
allow inetd_t $1:fd use;
allow $1 inetd_t:fd use;
allow $1 inetd_t:fifo_file rw_file_perms;
allow $1 inetd_t:process sigchld;
dontaudit inetd_t $1:process { noatsecure siginh rlimitinh };
allow inetd_t $1:process sigkill;
}
',`
# Non-targeted policy: inetd spawns the program into the service domain,
# the two share inherited descriptors and pipes, the service reports its
# exit status, inetd may kill it, and denials for the inherited-attribute
# checks (noatsecure/siginh/rlimitinh) are not audited. NOTE(review):
# rw_file_perms on a fifo_file - hal_rw_pipes uses rw_fifo_file_perms;
# confirm which set is intended.
domain_auto_trans(inetd_t,$2,$1)
allow inetd_t $1:fd use;
allow $1 inetd_t:fd use;
allow $1 inetd_t:fifo_file rw_file_perms;
allow $1 inetd_t:process sigchld;
dontaudit inetd_t $1:process { noatsecure siginh rlimitinh };
allow inetd_t $1:process sigkill;
')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `inetd_core_service_domain'($*)) dnl
')
########################################
##
## Define the specified domain as a TCP inetd service.
##
##
##
## The type associated with the inetd service process.
##
##
##
##
## The type associated with the process program.
##
##
#
define(`inetd_tcp_service_domain',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `inetd_tcp_service_domain'($*)) dnl
gen_require(`
type inetd_t;
')
# Common inetd service rules, plus read/write on the TCP socket that inetd
# hands the service as its connection.
inetd_core_service_domain($1,$2)
allow $1 inetd_t:tcp_socket rw_stream_socket_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `inetd_tcp_service_domain'($*)) dnl
')
########################################
##
## Define the specified domain as a UDP inetd service.
##
##
##
## The type associated with the inetd service process.
##
##
##
##
## The type associated with the process program.
##
##
#
define(`inetd_udp_service_domain',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `inetd_udp_service_domain'($*)) dnl
gen_require(`
type inetd_t;
')
# Common inetd service rules, plus read/write on the UDP socket that inetd
# hands the service.
inetd_core_service_domain($1,$2)
allow $1 inetd_t:udp_socket rw_socket_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `inetd_udp_service_domain'($*)) dnl
')
########################################
##
## Define the specified domain as a TCP and UDP inetd service.
##
##
##
## The type associated with the inetd service process.
##
##
##
##
## The type associated with the process program.
##
##
#
define(`inetd_service_domain',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `inetd_service_domain'($*)) dnl
gen_require(`
type inetd_t;
')
# Common inetd service rules, plus read/write on both the TCP and the UDP
# sockets inetd may hand the service. Equivalent to calling both
# inetd_tcp_service_domain and inetd_udp_service_domain.
inetd_core_service_domain($1,$2)
allow $1 inetd_t:tcp_socket rw_stream_socket_perms;
allow $1 inetd_t:udp_socket rw_socket_perms;
# When the stunnel module is present the domain is also registered as a
# stunnel service; silently skipped otherwise.
optional_policy(`
stunnel_service_domain($1,$2)
')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `inetd_service_domain'($*)) dnl
')
########################################
##
## Inherit and use file descriptors from inetd.
##
##
##
## Domain allowed access.
##
##
#
define(`inetd_use_fds',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `inetd_use_fds'($*)) dnl
gen_require(`
type inetd_t;
')
# The caller may use descriptors inherited from inetd_t (e.g. the
# connection socket a service is started with).
allow $1 inetd_t:fd use;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `inetd_use_fds'($*)) dnl
')
########################################
##
## Connect to the inetd service using a TCP connection. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`inetd_tcp_connect',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `inetd_tcp_connect'($*)) dnl
# Deprecated: only emits a build-time warning; no rules are generated
# for the caller, so it grants nothing.
refpolicywarn(`$0($*) has been deprecated.')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `inetd_tcp_connect'($*)) dnl
')
########################################
##
## Run inetd child process in the inet child domain
##
##
##
## Domain allowed access.
##
##
#
define(`inetd_domtrans_child',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `inetd_domtrans_child'($*)) dnl
gen_require(`
type inetd_child_t, inetd_child_exec_t;
')
# Search access to the sbin directories, then a hand-written domain
# transition: executing inetd_child_exec_t moves the new process into
# inetd_child_t (same shape as finger_domtrans).
corecmd_search_sbin($1)
domain_auto_trans($1,inetd_child_exec_t,inetd_child_t)
# Parent and child may use each others inherited descriptors; the child
# reads/writes inherited pipes and reports its exit status. NOTE(review):
# rw_file_perms on a fifo_file - hal_rw_pipes uses rw_fifo_file_perms;
# confirm which set is intended.
allow $1 inetd_child_t:fd use;
allow inetd_child_t $1:fd use;
allow inetd_child_t $1:fifo_file rw_file_perms;
allow inetd_child_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `inetd_domtrans_child'($*)) dnl
')
########################################
##
## Send UDP network traffic to inetd. (Deprecated)
##
##
##
## The type of the process performing this action.
##
##
#
define(`inetd_udp_send',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `inetd_udp_send'($*)) dnl
# Deprecated: only emits a build-time warning; no rules are generated
# for the caller, so it grants nothing.
refpolicywarn(`$0($*) has been deprecated.')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `inetd_udp_send'($*)) dnl
')
########################################
##
## Read and write inetd TCP sockets.
##
##
##
## The type of the process performing this action.
##
##
#
define(`inetd_rw_tcp_sockets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `inetd_rw_tcp_sockets'($*)) dnl
gen_require(`
type inetd_t;
')
# Read/write on TCP sockets owned by inetd_t, without the rest of the
# service-domain setup done by inetd_tcp_service_domain.
allow $1 inetd_t:tcp_socket rw_stream_socket_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `inetd_rw_tcp_sockets'($*)) dnl
')
## Internet News NNTP server
########################################
##
## Allow the specified domain to execute innd
## in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
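define(`inn_exec',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `inn_exec'($*)) dnl
# The body uses innd_exec_t, so that is the type a loadable module must
# require here; the previous require block listed innd_t, which the body
# never references, and left innd_exec_t undeclared in modular builds.
gen_require(`
type innd_exec_t;
')
# Execute innd in the caller domain: no transition takes place, so innd
# runs with the permissions of the caller rather than those of innd_t.
can_exec($1,innd_exec_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `inn_exec'($*)) dnl
')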
########################################
##
## Allow the specified domain to execute
## inn configuration files in /etc.
##
##
##
## Domain allowed access.
##
##
#
define(`inn_exec_config',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `inn_exec_config'($*)) dnl
gen_require(`
type innd_etc_t;
')
# Lets the caller execute files labelled innd_etc_t in its own domain.
# NOTE(review): executable configuration is unusual; confirm that only
# scripts meant to be run carry this label, since every file of the type
# becomes executable for callers of this interface.
can_exec($1,innd_etc_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `inn_exec_config'($*)) dnl
')
########################################
##
## Create, read, write, and delete the innd log.
##
##
##
## Domain allowed access.
##
##
#
define(`inn_manage_log',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `inn_manage_log'($*)) dnl
gen_require(`
type innd_log_t;
')
# Reach the generic log directory (rw, so entries can be added there),
# then full create/read/write/delete on innd_log_t files.
logging_rw_generic_log_dirs($1)
manage_files_pattern($1, innd_log_t,innd_log_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `inn_manage_log'($*)) dnl
')
########################################
##
## Create, read, write, and delete the innd pid files.
##
##
##
## Domain allowed access.
##
##
#
define(`inn_manage_pid',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `inn_manage_pid'($*)) dnl
gen_require(`
type innd_var_run_t;
')
# Search the pid directory tree, then read/write the innd pid dir and
# create or remove its pid files. Symlink creation in the pid directory
# is granted too; review whether innd actually needs it, since symlinks
# under a pid dir are a classic redirection hazard.
files_search_pids($1)
allow $1 innd_var_run_t:dir rw_dir_perms;
allow $1 innd_var_run_t:file create_file_perms;
allow $1 innd_var_run_t:lnk_file create_lnk_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `inn_manage_pid'($*)) dnl
')
########################################
##
## Read innd configuration files.
##
##
##
## Domain allowed access.
##
##
#
define(`inn_read_config',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `inn_read_config'($*)) dnl
gen_require(`
type innd_etc_t;
')
# Read-only access to innd_etc_t dirs, files and symlinks with
# hand-listed permissions rather than the read_*_perms sets.
# NOTE(review): no open permission is listed; confirm this matches the
# permission model of the policy version in use.
allow $1 innd_etc_t:dir { getattr read search };
allow $1 innd_etc_t:file { read getattr };
allow $1 innd_etc_t:lnk_file { getattr read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `inn_read_config'($*)) dnl
')
########################################
##
## Read innd news library files.
##
##
##
## Domain allowed access.
##
##
#
define(`inn_read_news_lib',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `inn_read_news_lib'($*)) dnl
gen_require(`
type innd_var_lib_t;
')
# Read-only access to the innd library tree (innd_var_lib_t): list and
# search dirs, read files and symlinks. No write, no search of the
# parent /var/lib is granted here; callers needing that must add it.
allow $1 innd_var_lib_t:dir { getattr read search };
allow $1 innd_var_lib_t:file { read getattr };
allow $1 innd_var_lib_t:lnk_file { getattr read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `inn_read_news_lib'($*)) dnl
')
########################################
##
## Read innd news spool files.
##
##
##
## Domain allowed access.
##
##
#
define(`inn_read_news_spool',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `inn_read_news_spool'($*)) dnl
gen_require(`
type news_spool_t;
')
# Read-only access to the news spool (news_spool_t), not the library
# tree: list/search dirs, read files and symlinks.
allow $1 news_spool_t:dir { getattr read search };
allow $1 news_spool_t:file { read getattr };
allow $1 news_spool_t:lnk_file { getattr read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `inn_read_news_spool'($*)) dnl
')
########################################
##
## Send to an innd unix dgram socket.
##
##
##
## Domain allowed access.
##
##
#
define(`inn_dgram_send',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `inn_dgram_send'($*)) dnl
gen_require(`
type innd_t;
')
# One-way: sendto on innd_t unix datagram sockets only. Reaching the
# socket file itself (sock_file write on its directory type) is not
# granted here and must come from elsewhere.
allow $1 innd_t:unix_dgram_socket sendto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `inn_dgram_send'($*)) dnl
')
########################################
##
## Execute inn in the inn domain.
##
##
##
## Domain allowed access.
##
##
#
define(`inn_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `inn_domtrans'($*)) dnl
gen_require(`
type innd_t, innd_exec_t;
')
# Locate the binary, then transition automatically to innd_t when the
# caller executes innd_exec_t.
corecmd_search_bin($1)
domain_auto_trans($1,innd_exec_t,innd_t)
# Post-transition plumbing: the new innd_t process may use inherited
# fds, read/write inherited pipes and deliver sigchld to the caller.
# Written out by hand rather than via domtrans_pattern; the pipe rule
# uses rw_file_perms, which is wider than the fifo-specific set.
allow innd_t $1:fd use;
allow innd_t $1:fifo_file rw_file_perms;
allow innd_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `inn_domtrans'($*)) dnl
')
## IRC server
## IRQ balancing daemon
## Jabber instant messaging server
########################################
##
## Connect to jabber over a TCP socket (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`jabber_tcp_connect',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `jabber_tcp_connect'($*)) dnl
# Deprecated: expands to a build-time warning only and grants no rules.
# Callers that still invoke it get no jabber network access.
refpolicywarn(`$0($*) has been deprecated.')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `jabber_tcp_connect'($*)) dnl
')
## MIT Kerberos admin and KDC
##
##
## This policy supports:
##
##
## Servers:
##
##
##
## Clients:
##
## - kinit
## - kdestroy
## - klist
## - ksu (incomplete)
##
##
##
########################################
##
## Execute a domain transition to run kpropd.
##
##
##
## Domain allowed to transition.
##
##
#
define(`kerberos_domtrans_kpropd',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kerberos_domtrans_kpropd'($*)) dnl
gen_require(`
type kpropd_t;
type kpropd_exec_t;
')
# Automatic transition to kpropd_t on exec of kpropd_exec_t, including
# the usual fd/pipe/sigchld plumbing supplied by domtrans_pattern.
# No role is granted here; a caller whose role lacks kpropd_t still
# needs a separate role statement.
domtrans_pattern($1,kpropd_exec_t,kpropd_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kerberos_domtrans_kpropd'($*)) dnl
')
########################################
##
## Use kerberos services
##
##
##
## Domain allowed access.
##
##
#
define(`kerberos_use',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kerberos_use'($*)) dnl
gen_require(`
type krb5_conf_t;
type krb5kdc_conf_t;
')
# Client-side kerberos: read /etc/krb5.conf; write attempts on it are
# silenced, not allowed, so the caller cannot change realm or KDC
# settings through this interface.
files_search_etc($1)
allow $1 krb5_conf_t:file { getattr read };
dontaudit $1 krb5_conf_t:file write;
# Probes of the KDC configuration are silenced rather than granted.
dontaudit $1 krb5kdc_conf_t:dir list_dir_perms;
dontaudit $1 krb5kdc_conf_t:file rw_file_perms;
#kerberos libraries are attempting to set the correct file context
dontaudit $1 self:process setfscreate;
selinux_dontaudit_validate_context($1)
seutil_dontaudit_read_file_contexts($1)
# Everything below is gated by the allow_kerberos boolean: with it off,
# the caller gets no sockets and no network reach from this interface.
# When on, the grant is broad (all interfaces and nodes, bind on all
# nodes) rather than limited to the kerberos and OCSP ports alone.
tunable_policy(`allow_kerberos',`
fs_rw_tmpfs_files($1)
allow $1 self:tcp_socket create_socket_perms;
allow $1 self:udp_socket create_socket_perms;
corenet_all_recvfrom_unlabeled($1)
corenet_all_recvfrom_netlabel($1)
corenet_tcp_sendrecv_all_if($1)
corenet_udp_sendrecv_all_if($1)
corenet_tcp_sendrecv_all_nodes($1)
corenet_udp_sendrecv_all_nodes($1)
corenet_tcp_sendrecv_kerberos_port($1)
corenet_udp_sendrecv_kerberos_port($1)
corenet_tcp_bind_all_nodes($1)
corenet_udp_bind_all_nodes($1)
corenet_tcp_connect_kerberos_port($1)
# OCSP port: presumably for certificate status checks during PKINIT.
corenet_tcp_connect_ocsp_port($1)
corenet_sendrecv_kerberos_client_packets($1)
corenet_sendrecv_ocsp_client_packets($1)
')
# Smart-card access through pcscd, again only under allow_kerberos and
# only if the pcscd module is present.
optional_policy(`
tunable_policy(`allow_kerberos',`
pcscd_stream_connect($1)
')
')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kerberos_use'($*)) dnl
')
########################################
##
## Read the kerberos configuration file (/etc/krb5.conf).
##
##
##
## Domain allowed access.
##
##
##
#
define(`kerberos_read_config',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kerberos_read_config'($*)) dnl
gen_require(`
type krb5_conf_t;
')
# Read-only access to /etc/krb5.conf (realm and KDC locations); no
# network rules, so this is safe to hand to domains that merely parse
# the file.
files_search_etc($1)
allow $1 krb5_conf_t:file read_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kerberos_read_config'($*)) dnl
')
########################################
##
## Do not audit attempts to write the kerberos
## configuration file (/etc/krb5.conf).
##
##
##
## Domain to not audit.
##
##
#
define(`kerberos_dontaudit_write_config',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kerberos_dontaudit_write_config'($*)) dnl
gen_require(`
type krb5_conf_t;
')
# Suppress the audit record for write attempts on /etc/krb5.conf.
# The write is still denied; this only hides the noise, so use it for
# domains known to probe the file, not as a substitute for rw access.
dontaudit $1 krb5_conf_t:file write;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kerberos_dontaudit_write_config'($*)) dnl
')
########################################
##
## Read and write the kerberos configuration file (/etc/krb5.conf).
##
##
##
## Domain allowed access.
##
##
##
#
define(`kerberos_rw_config',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kerberos_rw_config'($*)) dnl
gen_require(`
type krb5_conf_t;
')
# Read and write /etc/krb5.conf. Write access lets the caller change
# which realms and KDCs this host trusts, so grant it only to
# administrative or provisioning domains, not to ordinary clients.
files_search_etc($1)
allow $1 krb5_conf_t:file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kerberos_rw_config'($*)) dnl
')
########################################
##
## Read the kerberos key table.
##
##
##
## Domain allowed access.
##
##
##
#
define(`kerberos_read_keytab',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kerberos_read_keytab'($*)) dnl
gen_require(`
type krb5_keytab_t;
')
# Read the system keytab. A keytab holds long-term service keys, so
# read access is equivalent to possessing those keys; prefer a derived
# per-service keytab type (kerberos_keytab_template) where possible.
files_search_etc($1)
allow $1 krb5_keytab_t:file read_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kerberos_read_keytab'($*)) dnl
')
########################################
##
## Create a derived type for a kerberos keytab.
##
##
##
## The prefix to be used for deriving type names.
##
##
##
##
## Domain allowed access.
##
##
#
define(`kerberos_keytab_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kerberos_keytab_template'($*)) dnl
# Declare a per-prefix keytab file type and let the given domain read it.
type $1_keytab_t;
files_type($1_keytab_t)
allow $2 $1_keytab_t:file read_file_perms;
# NOTE(review): the domain is additionally given the generic system
# keytab (krb5_keytab_t) and the full kerberos_use client rules, so the
# derived type does not by itself isolate this service from other
# service keys on the host.
kerberos_read_keytab($2)
kerberos_use($2)
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kerberos_keytab_template'($*)) dnl
')
########################################
##
## Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
##
##
##
## Domain allowed access.
##
##
##
#
define(`kerberos_read_kdc_config',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kerberos_read_kdc_config'($*)) dnl
gen_require(`
type krb5kdc_conf_t;
')
# Read-only access to the KDC configuration (/etc/krb5kdc.conf), using
# the read_files_pattern set so directory search is included.
files_search_etc($1)
read_files_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kerberos_read_kdc_config'($*)) dnl
')
########################################
##
## Create, read, write, and delete the kerberos host replay cache files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`kerberos_manage_host_rcache',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kerberos_manage_host_rcache'($*)) dnl
gen_require(`
type krb5_host_rcache_t;
')
# Replay-cache maintenance, only while allow_kerberos is on: the caller
# may set its file-creation context (and validate it) so the cache is
# created with the krb5_host_rcache_t label, and may fully manage those
# files under tmp.
tunable_policy(`allow_kerberos',`
files_search_tmp($1)
allow $1 self:process setfscreate;
selinux_validate_context($1)
seutil_read_file_contexts($1)
allow $1 krb5_host_rcache_t:file manage_file_perms;
')
# creates files as system_u no matter what the selinux user
# NOTE(review): this exemption sits outside the tunable block, so it is
# granted even when allow_kerberos is off.
domain_obj_id_change_exemption($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kerberos_manage_host_rcache'($*)) dnl
')
########################################
##
## Connect to krb524 service
##
##
##
## Domain allowed access.
##
##
#
define(`kerberos_524_connect',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kerberos_524_connect'($*)) dnl
# UDP client access to the krb524 service on the kerberos master port,
# gated by allow_kerberos. No gen_require is needed: only self sockets
# and corenet interfaces are referenced.
tunable_policy(`allow_kerberos',`
allow $1 self:udp_socket create_socket_perms;
corenet_all_recvfrom_unlabeled($1)
corenet_udp_sendrecv_all_if($1)
corenet_udp_sendrecv_all_nodes($1)
corenet_udp_sendrecv_kerberos_master_port($1)
corenet_udp_bind_all_nodes($1)
')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kerberos_524_connect'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## a kerberos environment.
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed to manage the kerberos domain.
##
##
##
##
## The type of the user terminal.
##
##
##
#
define(`kerberos_admin',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `kerberos_admin'($*)) dnl
gen_require(`
type kadmind_t, krb5kdc_t;
type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t;
type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
type krb5kdc_principal_t, krb5kdc_tmp_t;
type krb5kdc_var_run_t, krb5_host_rcache_t;
type kadmind_spool_t, kadmind_var_lib_t;
type kpropd_t;
')
# NOTE(review): the header documents a role and a terminal argument,
# but this body only ever uses the first (domain) argument; the role
# is never associated with the kerberos daemon domains here.
# ptrace plus all signals on the three daemons. ptrace is effectively
# full control of the running process (and its in-memory keys), so this
# is stronger than the usual admin status/restart need.
allow $1 kadmind_t:process { ptrace signal_perms };
ps_process_pattern($1, kadmind_t)
allow $1 krb5kdc_t:process { ptrace signal_perms };
ps_process_pattern($1, krb5kdc_t)
allow $1 kpropd_t:process { ptrace signal_perms };
ps_process_pattern($1, kpropd_t)
files_list_tmp($1)
manage_all_pattern($1,kadmind_tmp_t)
logging_list_logs($1)
manage_all_pattern($1,kadmind_log_t)
files_list_spool($1)
manage_all_pattern($1,kadmind_spool_t)
files_list_var_lib($1)
manage_all_pattern($1,kadmind_var_lib_t)
files_list_pids($1)
manage_all_pattern($1,kadmind_var_run_t)
# Full manage on the client config, the keytab and the KDC principal
# store (by its name, krb5kdc_principal_t): this is realm-wide key
# custody, not merely log rotation. Restrict to the kerberos admin
# role. krb5kdc_conf_t is required above but gets no rule here.
manage_all_pattern($1,krb5_conf_t)
manage_all_pattern($1,krb5_keytab_t)
manage_all_pattern($1,krb5kdc_principal_t)
manage_all_pattern($1,krb5kdc_tmp_t)
manage_all_pattern($1,krb5kdc_var_run_t)
manage_all_pattern($1,krb5_host_rcache_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `kerberos_admin'($*)) dnl
')
## KDE Talk daemon
## OpenLDAP directory server
########################################
##
## Read the contents of the OpenLDAP
## database directories.
##
##
##
## Domain allowed access.
##
##
#
define(`ldap_list_db',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ldap_list_db'($*)) dnl
gen_require(`
type slapd_db_t;
')
# Directory listing only on the slapd database dirs; the database
# files themselves are not readable through this interface.
allow $1 slapd_db_t:dir r_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ldap_list_db'($*)) dnl
')
########################################
##
## Read the OpenLDAP configuration files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`ldap_read_config',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ldap_read_config'($*)) dnl
gen_require(`
type slapd_etc_t;
')
# Read slapd configuration files under /etc. Note the slapd config may
# carry bind credentials, so treat readers as trusted.
files_search_etc($1)
allow $1 slapd_etc_t:file { getattr read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ldap_read_config'($*)) dnl
')
########################################
##
## Use LDAP over TCP connection. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`ldap_use',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ldap_use'($*)) dnl
# Deprecated: expands to a build-time warning only and grants no rules.
refpolicywarn(`$0($*) has been deprecated.')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ldap_use'($*)) dnl
')
########################################
##
## Connect to slapd over a unix stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`ldap_stream_connect',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ldap_stream_connect'($*)) dnl
gen_require(`
type slapd_t, slapd_var_run_t;
')
# Local (ldapi) client access: reach the pid dir, write to the socket
# file and connect to the slapd stream socket. No TCP rules here.
files_search_pids($1)
allow $1 slapd_var_run_t:sock_file write;
allow $1 slapd_t:unix_stream_socket connectto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ldap_stream_connect'($*)) dnl
')
## Line printer daemon
#######################################
##
## The per role template for the lpd module.
##
##
##
## This template creates a derived domain which is used
## for the lpr printing client.
##
##
## This template is invoked automatically for each user, and
## generally does not need to be invoked directly
## by policy writers.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## The type of the user domain.
##
##
##
##
## The role associated with the user domain.
##
##
#
define(`lpd_per_role_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `lpd_per_role_template'($*)) dnl
gen_require(`
type lpr_exec_t, lpd_t, print_spool_t, printconf_t, lpd_var_run_t, printer_t;
')
##############################
#
# Declarations
#
# Derived domain based on the calling user domain and the program
type $1_lpr_t;
domain_type($1_lpr_t)
domain_entry_file($1_lpr_t,lpr_exec_t)
role $3 types $1_lpr_t;
type $1_lpr_tmp_t;
files_tmp_file($1_lpr_tmp_t)
# Type for spool files.
type $1_print_spool_t;
files_type($1_print_spool_t)
##############################
#
# Local policy
#
# setuid, dac_override and chown let the per-user lpr act on spool files
# it does not own; net_bind_service covers privileged ports (presumably
# for the lpd protocol). These are real privileges for a user-derived
# domain, so the rest of this template should stay tight.
allow $1_lpr_t self:capability { setuid dac_override net_bind_service chown };
allow $1_lpr_t self:unix_stream_socket create_stream_socket_perms;
allow $1_lpr_t self:tcp_socket create_socket_perms;
allow $1_lpr_t self:udp_socket create_socket_perms;
allow $1_lpr_t self:netlink_route_socket r_netlink_socket_perms;
can_exec($1_lpr_t,lpr_exec_t)
# Everything in this block exists only when a local lpd spooler is used.
tunable_policy(`use_lpd_server',`
# lpr can run in lightweight mode, without a local print spooler.
allow $1_lpr_t lpd_var_run_t:dir search;
allow $1_lpr_t lpd_var_run_t:sock_file write;
files_read_var_files($1_lpr_t)
# Connect to lpd via a Unix domain socket.
allow $1_lpr_t printer_t:sock_file rw_file_perms;
allow $1_lpr_t lpd_t:unix_stream_socket connectto;
# Send SIGHUP to lpd.
allow $1_lpr_t lpd_t:process signal;
allow $1_lpr_t $1_lpr_tmp_t:dir create_dir_perms;
allow $1_lpr_t $1_lpr_tmp_t:file create_file_perms;
files_tmp_filetrans($1_lpr_t, $1_lpr_tmp_t, { file dir })
# New spool files get the per-user spool type via type_transition, so
# one user domain cannot read another users jobs through lpr.
allow $1_lpr_t $1_print_spool_t:file create_file_perms;
allow $1_lpr_t print_spool_t:dir rw_dir_perms;
type_transition $1_lpr_t print_spool_t:file $1_print_spool_t;
# Read and write shared files in the spool directory.
allow $1_lpr_t print_spool_t:file rw_file_perms;
allow $1_lpr_t printconf_t:dir r_dir_perms;
allow $1_lpr_t printconf_t:file r_file_perms;
allow $1_lpr_t printconf_t:lnk_file { getattr read };
')
# Direct printer device access is granted unconditionally, i.e. even
# without a local spooler.
dev_rw_printer($1_lpr_t)
dontaudit $1_lpr_t $2:unix_stream_socket { read write };
# Transition from the user domain to the derived domain.
allow $2 $1_lpr_t:fd use;
allow $1_lpr_t $2:fd use;
allow $1_lpr_t $2:fifo_file rw_file_perms;
allow $1_lpr_t $2:process sigchld;
domain_auto_trans($2,lpr_exec_t,$1_lpr_t)
allow $2 $1_lpr_t:process signull;
# Allow lpd to read, rename, and unlink spool files.
allow lpd_t $1_print_spool_t:file r_file_perms;
allow lpd_t $1_print_spool_t:file link_file_perms;
kernel_read_kernel_sysctls($1_lpr_t)
# Network client reach is to all ports on all nodes (remote printing,
# presumably). This is broad for a user-derived domain; consider
# narrowing to the printer ports if remote lpr is not needed.
corenet_non_ipsec_sendrecv($1_lpr_t)
corenet_tcp_sendrecv_generic_if($1_lpr_t)
corenet_udp_sendrecv_generic_if($1_lpr_t)
corenet_tcp_sendrecv_all_nodes($1_lpr_t)
corenet_udp_sendrecv_all_nodes($1_lpr_t)
corenet_tcp_sendrecv_all_ports($1_lpr_t)
corenet_udp_sendrecv_all_ports($1_lpr_t)
corenet_tcp_connect_all_ports($1_lpr_t)
corenet_sendrecv_all_client_packets($1_lpr_t)
dev_read_rand($1_lpr_t)
dev_read_urand($1_lpr_t)
domain_use_interactive_fds($1_lpr_t)
files_search_spool($1_lpr_t)
# for lpd config files (should have a new type)
files_read_etc_files($1_lpr_t)
# for test print
files_read_usr_files($1_lpr_t)
#Added to cover read_content macro
files_list_home($1_lpr_t)
files_read_generic_tmp_files($1_lpr_t)
fs_getattr_xattr_fs($1_lpr_t)
# Access the terminal.
term_use_controlling_term($1_lpr_t)
term_use_generic_ptys($1_lpr_t)
libs_use_ld_so($1_lpr_t)
libs_use_shared_libs($1_lpr_t)
miscfiles_read_localization($1_lpr_t)
sysnet_read_config($1_lpr_t)
userdom_read_user_tmp_symlinks($1,$1_lpr_t)
# Write to the user domain tty.
userdom_use_user_terminals($1,$1_lpr_t)
# Read the calling users home and tmp files (the documents to print).
userdom_read_user_home_content_files($1,$1_lpr_t)
userdom_read_user_tmp_files($1,$1_lpr_t)
tunable_policy(`read_default_t',`
files_list_default($1_lpr_t)
files_read_default_symlinks($1_lpr_t)
files_read_default_files($1_lpr_t)
')
tunable_policy(`read_untrusted_content',`
#list and read user specific untrusted content
userdom_read_user_untrusted_content_files($1,$1_lpr_t)
#list and read user specific temporary untrusted content
files_list_tmp($1_lpr_t)
userdom_read_user_tmp_untrusted_content_files($1,$1_lpr_t)
')
tunable_policy(`use_nfs_home_dirs',`
files_list_home($1_lpr_t)
fs_list_auto_mountpoints($1_lpr_t)
fs_read_nfs_files($1_lpr_t)
fs_read_nfs_symlinks($1_lpr_t)
')
tunable_policy(`use_samba_home_dirs',`
files_list_home($1_lpr_t)
fs_list_auto_mountpoints($1_lpr_t)
fs_read_cifs_files($1_lpr_t)
fs_read_cifs_symlinks($1_lpr_t)
')
# CUPS as the spooler instead of lpd: note cups_read_config is also
# granted to the calling user domain itself, not just the lpr domain.
optional_policy(`
cups_read_config($1_lpr_t)
cups_read_config($2)
cups_stream_connect($1_lpr_t)
cups_read_pid_files($1_lpr_t)
')
optional_policy(`
logging_send_syslog_msg($1_lpr_t)
')
optional_policy(`
nscd_socket_use($1_lpr_t)
')
optional_policy(`
nis_use_ypbind($1_lpr_t)
')
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `lpd_per_role_template'($*)) dnl
')
#######################################
##
## The administrative functions template for the lpd module.
##
##
##
## This template creates rules for administrating the lpd service,
## allowing the specified user to manage lpr files.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
#
define(`lpr_admin_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `lpr_admin_template'($*)) dnl
gen_require(`
type $1_lpr_t;
type print_spool_t;
')
# Widen an existing per-user lpr domain (from lpd_per_role_template) so
# the admin user can print any users home content, not only their own.
userdom_read_all_users_home_content_files($1_lpr_t)
# Read and write shared files in the spool directory.
allow $1_lpr_t print_spool_t:file rw_file_perms;
# MLS: read files above the callers sensitivity level.
mls_file_read_up($1_lpr_t)
# Allow per user lpr domain read access for specific user.
tunable_policy(`read_untrusted_content',`
userdom_read_all_untrusted_content($1_lpr_t)
userdom_read_all_tmp_untrusted_content($1_lpr_t)
')
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `lpr_admin_template'($*)) dnl
')
########################################
##
## Execute checkpc in the checkpc domain.
##
##
##
## Domain allowed access.
##
##
#
define(`lpd_domtrans_checkpc',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `lpd_domtrans_checkpc'($*)) dnl
gen_require(`
type checkpc_t, checkpc_exec_t;
')
# Automatic transition to checkpc_t (not lpd_t) on exec of
# checkpc_exec_t, plus the hand-written fd/pipe/sigchld plumbing.
# The extra fd use in the caller-to-checkpc direction is unusual
# compared with domtrans_pattern; presumably checkpc hands fds back.
domain_auto_trans($1,checkpc_exec_t,checkpc_t)
allow $1 checkpc_t:fd use;
allow checkpc_t $1:fd use;
allow checkpc_t $1:fifo_file rw_file_perms;
allow checkpc_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `lpd_domtrans_checkpc'($*)) dnl
')
########################################
##
## Execute checkpc in the checkpc domain, and
## allow the specified role the checkpc domain.
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed the checkpc domain.
##
##
##
##
## The type of the terminal the checkpc domain is allowed to use.
##
##
##
#
define(`lpd_run_checkpc',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `lpd_run_checkpc'($*)) dnl
gen_require(`
type checkpc_t;
')
# Transition as in lpd_domtrans_checkpc, then authorise the given role
# for checkpc_t and let checkpc use the given terminal type.
lpd_domtrans_checkpc($1)
role $2 types checkpc_t;
allow checkpc_t $3:chr_file rw_term_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `lpd_run_checkpc'($*)) dnl
')
########################################
##
## List the contents of the printer spool directories.
##
##
##
## Domain allowed access.
##
##
#
define(`lpd_list_spool',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `lpd_list_spool'($*)) dnl
gen_require(`
type print_spool_t;
')
# Directory listing of the print spool only; job files are not readable.
files_search_spool($1)
allow $1 print_spool_t:dir list_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `lpd_list_spool'($*)) dnl
')
########################################
##
## Create, read, write, and delete printer spool files.
##
##
##
## Domain allowed access.
##
##
#
define(`lpd_manage_spool',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `lpd_manage_spool'($*)) dnl
gen_require(`
type print_spool_t;
')
# Full create/read/write/delete on print spool dirs and files. Jobs in
# the shared spool may belong to any user, so this is broader than the
# per-user spool type the lpd template derives.
files_search_spool($1)
manage_dirs_pattern($1,print_spool_t,print_spool_t)
manage_files_pattern($1,print_spool_t,print_spool_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `lpd_manage_spool'($*)) dnl
')
########################################
##
## Relabel from and to the spool files.
##
##
##
## Domain allowed access.
##
##
#
define(`lpd_relabel_spool',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `lpd_relabel_spool'($*)) dnl
gen_require(`
type print_spool_t;
')
# relabelfrom and relabelto on spool files. Combined with relabelto on
# some other type this lets the caller move files out of (or into) the
# spool label, so pair it only with the matching relabel rules.
files_search_spool($1)
allow $1 print_spool_t:file { relabelto relabelfrom };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `lpd_relabel_spool'($*)) dnl
')
########################################
##
## Read the printer configuration files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`lpd_read_config',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `lpd_read_config'($*)) dnl
gen_require(`
type printconf_t;
')
# Read the printer configuration (printconf_t): list its dirs and read
# its files. No search of the parent /etc is granted here.
allow $1 printconf_t:dir list_dir_perms;
allow $1 printconf_t:file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `lpd_read_config'($*)) dnl
')
########################################
##
## Transition to a user lpr domain.
##
##
##
## Transition to a user lpr domain.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain allowed access.
##
##
#
define(`lpd_domtrans_user_lpr',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `lpd_domtrans_user_lpr'($*)) dnl
gen_require(`
type $1_lpr_t, lpr_exec_t;
')
# Let the second argument (a domain) transition into the per-prefix
# lpr domain on exec of lpr_exec_t, with fd/pipe/sigchld plumbing.
# The prefix must already have been instantiated by
# lpd_per_role_template or the require fails.
domain_auto_trans($2, lpr_exec_t, $1_lpr_t)
allow $2 $1_lpr_t:fd use;
allow $1_lpr_t $2:fd use;
allow $1_lpr_t $2:fifo_file rw_file_perms;
allow $1_lpr_t $2:process sigchld;
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `lpd_domtrans_user_lpr'($*)) dnl
')
########################################
##
## Allow the specified domain to execute lpr
## in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`lpd_exec_lpr',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `lpd_exec_lpr'($*)) dnl
gen_require(`
type lpr_exec_t;
')
# Execute lpr without a domain transition; the caller stays in its own
# domain and therefore does not gain the lpr capabilities.
can_exec($1,lpr_exec_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `lpd_exec_lpr'($*)) dnl
')
## Mailman is for managing electronic mail discussion and e-newsletter lists
#######################################
##
## The template to define a mailman domain.
##
##
##
## This template creates a domain to be used for
## a new mailman daemon.
##
##
##
##
## The type of daemon to be used, e.g., cgi would give mailman_cgi_
##
##
#
define(`mailman_domain_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mailman_domain_template'($*)) dnl
##############################
#
# mailman_$1_t declarations
#
# $1 is the daemon flavour, e.g. cgi gives mailman_cgi_t, with a
# matching entry point type and a private tmp type.
type mailman_$1_t;
domain_type(mailman_$1_t)
role system_r types mailman_$1_t;
type mailman_$1_exec_t;
domain_entry_file(mailman_$1_t, mailman_$1_exec_t)
type mailman_$1_tmp_t;
files_tmp_file(mailman_$1_tmp_t)
##############################
#
# mailman_$1_t local policy
#
allow mailman_$1_t self:{ unix_stream_socket unix_dgram_socket } create_socket_perms;
allow mailman_$1_t self:tcp_socket create_stream_socket_perms;
allow mailman_$1_t self:udp_socket create_socket_perms;
files_search_spool(mailman_$1_t)
# Archive, data and lock content is fully managed by every flavour;
# the log dir only gets rw plus file creation.
manage_dirs_pattern(mailman_$1_t, mailman_archive_t, mailman_archive_t)
manage_files_pattern(mailman_$1_t, mailman_archive_t, mailman_archive_t)
manage_lnk_files_pattern(mailman_$1_t, mailman_archive_t, mailman_archive_t)
manage_dirs_pattern(mailman_$1_t,mailman_data_t,mailman_data_t)
manage_files_pattern(mailman_$1_t,mailman_data_t,mailman_data_t)
manage_lnk_files_pattern(mailman_$1_t,mailman_data_t,mailman_data_t)
manage_files_pattern(mailman_$1_t,mailman_lock_t,mailman_lock_t)
files_lock_filetrans(mailman_$1_t,mailman_lock_t,file)
allow mailman_$1_t mailman_log_t:dir rw_dir_perms;
allow mailman_$1_t mailman_log_t:file create_file_perms;
logging_log_filetrans(mailman_$1_t,mailman_log_t,file)
allow mailman_$1_t mailman_$1_tmp_t:dir create_dir_perms;
allow mailman_$1_t mailman_$1_tmp_t:file create_file_perms;
files_tmp_filetrans(mailman_$1_t, mailman_$1_tmp_t, { file dir })
kernel_read_kernel_sysctls(mailman_$1_t)
kernel_read_system_state(mailman_$1_t)
# Network: send and receive on all interfaces, nodes and ports, bind
# on all nodes, plus outbound smtp as a client. Wide for a daemon;
# tightening to the ports actually needed would shrink the blast
# radius of a compromised flavour.
corenet_non_ipsec_sendrecv(mailman_$1_t)
corenet_tcp_sendrecv_all_if(mailman_$1_t)
corenet_udp_sendrecv_all_if(mailman_$1_t)
corenet_raw_sendrecv_all_if(mailman_$1_t)
corenet_tcp_sendrecv_all_nodes(mailman_$1_t)
corenet_udp_sendrecv_all_nodes(mailman_$1_t)
corenet_raw_sendrecv_all_nodes(mailman_$1_t)
corenet_tcp_sendrecv_all_ports(mailman_$1_t)
corenet_udp_sendrecv_all_ports(mailman_$1_t)
corenet_tcp_bind_all_nodes(mailman_$1_t)
corenet_udp_bind_all_nodes(mailman_$1_t)
corenet_tcp_connect_smtp_port(mailman_$1_t)
corenet_sendrecv_smtp_client_packets(mailman_$1_t)
fs_getattr_xattr_fs(mailman_$1_t)
# Runs any executable type: a large exec surface for a daemon domain.
corecmd_exec_all_executables(mailman_$1_t)
files_exec_etc_files(mailman_$1_t)
files_list_usr(mailman_$1_t)
files_list_var(mailman_$1_t)
files_list_var_lib(mailman_$1_t)
files_read_var_lib_symlinks(mailman_$1_t)
files_read_etc_runtime_files(mailman_$1_t)
auth_use_nsswitch(mailman_$1_t)
libs_use_ld_so(mailman_$1_t)
libs_use_shared_libs(mailman_$1_t)
libs_exec_ld_so(mailman_$1_t)
libs_exec_lib_files(mailman_$1_t)
logging_send_syslog_msg(mailman_$1_t)
miscfiles_read_localization(mailman_$1_t)
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mailman_domain_template'($*)) dnl
')
#######################################
##
## Execute mailman in the mailman domain.
##
##
##
## Domain allowed access.
##
##
#
define(`mailman_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mailman_domtrans'($*)) dnl
gen_require(`
type mailman_mail_exec_t, mailman_mail_t;
')
# $1 transitions into mailman_mail_t when it executes mailman_mail_exec_t.
domtrans_pattern($1, mailman_mail_exec_t, mailman_mail_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mailman_domtrans'($*)) dnl
')
#######################################
##
## Execute mailman CGI scripts in the
## mailman CGI domain.
##
##
##
## Domain allowed access.
##
##
#
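define(`mailman_domtrans_cgi',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mailman_domtrans_cgi'($*)) dnl
gen_require(`
type mailman_cgi_exec_t, mailman_cgi_t;
')
# $1 transitions into mailman_cgi_t when it executes mailman_cgi_exec_t.
# The shared pattern, used by the other domtrans interfaces in this
# file, also grants the parent/child IPC back-channel: fd inheritance,
# pipe rw and SIGCHLD delivery back to $1.
domtrans_pattern($1, mailman_cgi_exec_t, mailman_cgi_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mailman_domtrans_cgi'($*)) dnl
')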
#######################################
##
## Execute mailman in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`mailman_exec',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mailman_exec'($*)) dnl
gen_require(`
type mailman_mail_exec_t;
')
# $1 runs the mailman mail entry point in its own domain, no transition.
can_exec($1,mailman_mail_exec_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mailman_exec'($*)) dnl
')
#######################################
##
## Send generic signals to the mailman cgi domain.
##
##
##
## Domain allowed access.
##
##
#
define(`mailman_signal_cgi',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mailman_signal_cgi'($*)) dnl
gen_require(`
type mailman_cgi_t;
')
# Generic signal permission only; kill, stop and sigchld are not granted.
allow $1 mailman_cgi_t:process signal;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mailman_signal_cgi'($*)) dnl
')
#######################################
##
## Allow domain to search data directories.
##
##
##
## Domain allowed access.
##
##
#
define(`mailman_search_data',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mailman_search_data'($*)) dnl
gen_require(`
type mailman_data_t;
')
# Directory traversal only; no file content access is granted here.
allow $1 mailman_data_t:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mailman_search_data'($*)) dnl
')
#######################################
##
## Allow domain to read mailman data files.
##
##
##
## Domain allowed access.
##
##
#
define(`mailman_read_data_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mailman_read_data_files'($*)) dnl
gen_require(`
type mailman_data_t;
')
# Read-only: traverse the data dirs and read regular files in them.
allow $1 mailman_data_t:dir search_dir_perms;
allow $1 mailman_data_t:file read_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mailman_read_data_files'($*)) dnl
')
#######################################
##
## Allow domain to create mailman data files
## and write the directory.
##
##
##
## Domain allowed access.
##
##
#
define(`mailman_manage_data_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mailman_manage_data_files'($*)) dnl
gen_require(`
type mailman_data_t;
')
# Manage patterns: create, read, write, rename and delete on both the
# data dirs and the files in them. Much wider than the read interface
# above; grant only to domains that must modify list data.
manage_dirs_pattern($1,mailman_data_t,mailman_data_t)
manage_files_pattern($1,mailman_data_t,mailman_data_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mailman_manage_data_files'($*)) dnl
')
#######################################
##
## List the contents of mailman data directories.
##
##
##
## Domain allowed access.
##
##
#
define(`mailman_list_data',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mailman_list_data'($*)) dnl
gen_require(`
type mailman_data_t;
')
# Read the directory listing; file contents stay inaccessible.
allow $1 mailman_data_t:dir r_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mailman_list_data'($*)) dnl
')
#######################################
##
## Allow read access to mailman data symbolic links.
##
##
##
## Domain allowed access.
##
##
#
define(`mailman_read_data_symlinks',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mailman_read_data_symlinks'($*)) dnl
gen_require(`
type mailman_data_t;
')
# NOTE: bare search on the dir and bare read on the link, while the
# sibling interfaces use the search dir permission set and also grant
# getattr on links. Confirm callers never need getattr here.
allow $1 mailman_data_t:dir search;
allow $1 mailman_data_t:lnk_file read;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mailman_read_data_symlinks'($*)) dnl
')
#######################################
##
## Create, read, write, and delete
## mailman logs.
##
##
##
## Domain allowed access.
##
##
#
define(`mailman_manage_log',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mailman_manage_log'($*)) dnl
gen_require(`
type mailman_log_t;
')
# Full create/write/delete on log files and links. A domain holding
# this can truncate or remove its own audit trail; prefer the append
# interface below where the caller only needs to log.
allow $1 mailman_log_t:dir rw_dir_perms;
allow $1 mailman_log_t:file create_file_perms;
allow $1 mailman_log_t:lnk_file create_lnk_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mailman_manage_log'($*)) dnl
')
#######################################
##
## Read
## mailman logs.
##
##
##
## Domain allowed access.
##
##
#
define(`mailman_read_log',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mailman_read_log'($*)) dnl
gen_require(`
type mailman_log_t;
')
# Read-only access to log files, with the dir search needed to reach them.
read_files_pattern($1,mailman_log_t,mailman_log_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mailman_read_log'($*)) dnl
')
#######################################
##
## Append
## mailman logs.
##
##
##
## Domain allowed access.
##
##
#
define(`mailman_append_log',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mailman_append_log'($*)) dnl
gen_require(`
type mailman_log_t;
')
# Read and append only: no write permission, so existing log content
# cannot be overwritten through this interface.
allow $1 mailman_log_t:dir search_dir_perms;
allow $1 mailman_log_t:file ra_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mailman_append_log'($*)) dnl
')
#######################################
##
## Allow domain to read mailman archive files.
##
##
##
## Domain allowed access.
##
##
#
define(`mailman_read_archive',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mailman_read_archive'($*)) dnl
gen_require(`
type mailman_archive_t;
')
# Read-only: list archive dirs, read archive files and follow links.
allow $1 mailman_archive_t:dir list_dir_perms;
allow $1 mailman_archive_t:file r_file_perms;
allow $1 mailman_archive_t:lnk_file { getattr read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mailman_read_archive'($*)) dnl
')
#######################################
##
## Execute mailman_queue in the mailman_queue domain.
##
##
##
## Domain allowed access.
##
##
#
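define(`mailman_domtrans_queue',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mailman_domtrans_queue'($*)) dnl
gen_require(`
type mailman_queue_exec_t, mailman_queue_t;
')
# $1 transitions into mailman_queue_t when it executes mailman_queue_exec_t.
# The shared pattern, used by the other domtrans interfaces in this
# file, also grants the parent/child IPC back-channel: fd inheritance,
# pipe rw and SIGCHLD delivery back to $1.
domtrans_pattern($1, mailman_queue_exec_t, mailman_queue_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mailman_domtrans_queue'($*)) dnl
')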
## Monopoly daemon
## Policy common to all email transfer agents.
########################################
##
## MTA stub interface. No access allowed.
##
##
##
## N/A
##
##
#
define(`mta_stub',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mta_stub'($*)) dnl
gen_require(`
type sendmail_exec_t;
')
# Intentionally empty: no access is granted, only the type is required.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mta_stub'($*)) dnl
')
#######################################
##
## Basic mail transfer agent domain template.
##
##
##
## This template creates a derived domain which is
## an email transfer agent that sends mail on
## behalf of the user.
##
##
## This is the basic types and rules, common
## to the system agent and user agents.
##
##
##
##
## The prefix of the domain (e.g., user
## is the prefix for user_t).
##
##
#
define(`mta_base_mail_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mta_base_mail_template'($*)) dnl
##############################
#
# $1_mail_t declarations
#
# $1 is the domain prefix; the derived agent domain is $1_mail_t and
# is entered through sendmail_exec_t.
type $1_mail_t, user_mail_domain;
domain_type($1_mail_t)
domain_entry_file($1_mail_t,sendmail_exec_t)
type $1_mail_tmp_t;
files_tmp_file($1_mail_tmp_t)
##############################
#
# $1_mail_t local policy
#
# Process capabilities of the agent. Every addition here widens what a
# compromised agent can do as root, so keep this list minimal.
allow $1_mail_t self:capability { setuid setgid chown };
allow $1_mail_t self:process { signal_perms setrlimit };
allow $1_mail_t self:tcp_socket create_socket_perms;
# re-exec itself
can_exec($1_mail_t, sendmail_exec_t)
allow $1_mail_t sendmail_exec_t:lnk_file r_file_perms;
kernel_read_kernel_sysctls($1_mail_t)
corenet_non_ipsec_sendrecv($1_mail_t)
corenet_tcp_sendrecv_all_if($1_mail_t)
corenet_tcp_sendrecv_all_nodes($1_mail_t)
corenet_tcp_sendrecv_all_ports($1_mail_t)
# NOTE: outbound connect to every TCP port, not only smtp; the smtp
# connect rule right below appears to be subsumed by it. Worth
# confirming whether relaying through arbitrary ports is required.
corenet_tcp_connect_all_ports($1_mail_t)
corenet_tcp_connect_smtp_port($1_mail_t)
corenet_sendrecv_smtp_client_packets($1_mail_t)
corecmd_exec_bin($1_mail_t)
corecmd_search_sbin($1_mail_t)
files_read_etc_files($1_mail_t)
files_search_spool($1_mail_t)
# It wants to check for nscd
files_dontaudit_search_pids($1_mail_t)
auth_use_nsswitch($1_mail_t)
libs_use_ld_so($1_mail_t)
libs_use_shared_libs($1_mail_t)
logging_send_syslog_msg($1_mail_t)
miscfiles_read_localization($1_mail_t)
# Hand-offs to other local mail handlers, each only if that module is loaded.
optional_policy(`
postfix_domtrans_user_mail_handler($1_mail_t)
')
optional_policy(`
procmail_exec($1_mail_t)
')
optional_policy(`
qmail_domtrans_inject($1_mail_t)
')
# Spool, queue and sendmail log access, plus a private tmp type.
optional_policy(`
gen_require(`
type etc_mail_t, mail_spool_t, mqueue_spool_t;
')
allow $1_mail_t $1_mail_tmp_t:dir create_dir_perms;
allow $1_mail_t $1_mail_tmp_t:file create_file_perms;
files_tmp_filetrans($1_mail_t, $1_mail_tmp_t, { file dir })
allow $1_mail_t etc_mail_t:dir { getattr search };
# Write to /var/spool/mail and /var/spool/mqueue.
allow $1_mail_t mail_spool_t:dir rw_dir_perms;
allow $1_mail_t mail_spool_t:file create_file_perms;
allow $1_mail_t mqueue_spool_t:dir rw_dir_perms;
allow $1_mail_t mqueue_spool_t:file create_file_perms;
# Check available space.
fs_getattr_xattr_fs($1_mail_t)
files_read_etc_runtime_files($1_mail_t)
# Write to /var/log/sendmail.st
sendmail_manage_log($1_mail_t)
sendmail_create_log($1_mail_t)
')
optional_policy(`
exim_read_logs($1_mail_t)
exim_manage_spool($1_mail_t)
')
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mta_base_mail_template'($*)) dnl
')
#######################################
##
## The per role template for the mta module.
##
##
##
## This template creates a derived domain which is
## an email transfer agent that sends mail on
## behalf of the user.
##
##
## This template is invoked automatically for each user, and
## generally does not need to be invoked directly
## by policy writers.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## The type of the user domain.
##
##
##
##
## The role associated with the user domain.
##
##
#
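define(`mta_per_role_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mta_per_role_template'($*)) dnl
##############################
#
# Declarations
#
# $1 is the user domain prefix, $2 the user domain type, $3 the user role.
mta_base_mail_template($1)
role $3 types $1_mail_t;
##############################
#
# $1_mail_t local policy
#
# Transition from the user domain to the derived domain. The shared
# pattern, used by the other domtrans interfaces in this file, also
# grants the parent/child IPC back-channel: fd inheritance, pipe rw
# and SIGCHLD delivery back to $2.
domtrans_pattern($2, sendmail_exec_t, $1_mail_t)
allow $2 sendmail_exec_t:lnk_file { getattr read };
domain_use_interactive_fds($1_mail_t)
userdom_use_user_terminals($1,$1_mail_t)
# Write to the user domain tty. cjp: why?
userdom_use_user_terminals($1,mta_user_agent)
# Create dead.letter in user home directories.
userdom_manage_user_home_content_files($1,$1_mail_t)
userdom_user_home_dir_filetrans_user_home_content($1,$1_mail_t,file)
# for reading .forward - maybe we need a new type for it?
# also for delivering mail to maildir
# Note: these grants go to the whole delivery attribute, i.e. every
# delivery agent gets manage access to this user home content.
userdom_manage_user_home_content_dirs($1,mailserver_delivery)
userdom_manage_user_home_content_files($1,mailserver_delivery)
userdom_manage_user_home_content_symlinks($1,mailserver_delivery)
userdom_manage_user_home_content_pipes($1,mailserver_delivery)
userdom_manage_user_home_content_sockets($1,mailserver_delivery)
userdom_user_home_dir_filetrans_user_home_content($1,mailserver_delivery,{ dir file lnk_file fifo_file sock_file })
# Read user temporary files.
userdom_read_user_tmp_files($1,$1_mail_t)
userdom_dontaudit_append_user_tmp_files($1,$1_mail_t)
# cjp: this should probably be read all user tmp
# files in an appropriate place for mta_user_agent
userdom_read_user_tmp_files($1,mta_user_agent)
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_files($1_mail_t)
fs_manage_cifs_symlinks($1_mail_t)
')
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files($1_mail_t)
fs_manage_nfs_symlinks($1_mail_t)
')
optional_policy(`
allow $1_mail_t self:capability dac_override;
# Read user temporary files.
# postfix seems to need write access if the file handle is opened read/write
userdom_rw_user_tmp_files($1,$1_mail_t)
postfix_read_config($1_mail_t)
postfix_list_spool($1_mail_t)
')
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mta_per_role_template'($*)) dnl
')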
########################################
##
## Provide extra permissions for admin users
## mail domain.
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## The type of the user domain.
##
##
##
#
define(`mta_admin_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mta_admin_template'($*)) dnl
gen_require(`
type $1_mail_t;
')
# $1 is the admin domain prefix, $2 the admin user domain type.
ifdef(`strict_policy',`
# allow the sysadmin to do "mail someone < /home/user/whatever"
userdom_read_unpriv_users_home_content_files($1_mail_t)
')
# Alias database maintenance, only when the postfix module is loaded:
# the admin mail domain fully manages etc_aliases_t content and files
# it creates under etc get that type.
optional_policy(`
gen_require(`
attribute mta_user_agent;
type etc_aliases_t;
')
allow mta_user_agent $2:fifo_file { read write };
allow $1_mail_t etc_aliases_t:dir create_dir_perms;
allow $1_mail_t etc_aliases_t:file create_file_perms;
allow $1_mail_t etc_aliases_t:lnk_file create_lnk_perms;
allow $1_mail_t etc_aliases_t:sock_file create_file_perms;
allow $1_mail_t etc_aliases_t:fifo_file create_file_perms;
files_etc_filetrans($1_mail_t,etc_aliases_t,{ file lnk_file sock_file fifo_file })
# postfix needs this for newaliases
files_getattr_tmp_dirs($1_mail_t)
postfix_exec_master($1_mail_t)
ifdef(`distro_redhat',`
# compatibility for old default main.cf
postfix_config_filetrans($1_mail_t,etc_aliases_t,{ dir file lnk_file sock_file fifo_file })
')
')
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mta_admin_template'($*)) dnl
')
########################################
##
## Make the specified domain usable for a mail server.
##
##
##
## Type to be used as a mail server domain.
##
##
#
define(`mta_mailserver',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mta_mailserver'($*)) dnl
gen_require(`
attribute mailserver_domain;
')
# $1 becomes an init-started daemon domain entered via $2 and is
# tagged with the mail server attribute that other rules key on.
init_daemon_domain($1,$2)
typeattribute $1 mailserver_domain;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mta_mailserver'($*)) dnl
')
########################################
##
## Make the specified type usable for mta_send_mail.
##
##
##
## Type to be used as a mail client.
##
##
#
define(`mta_mailclient',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mta_mailclient'($*)) dnl
gen_require(`
attribute mailclient_exec_type;
')
# Attribute-only: $1 is marked as a mail client entry point type.
typeattribute $1 mailclient_exec_type;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mta_mailclient'($*)) dnl
')
########################################
##
## Make the specified type readable by system_mail_t.
##
##
##
## Type to be used as a mail client.
##
##
#
define(`mta_mailcontent',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mta_mailcontent'($*)) dnl
gen_require(`
attribute mailcontent_type;
')
# Attribute-only: $1 is marked as mail content; the read rules live
# with the system mail domain, not here.
typeattribute $1 mailcontent_type;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mta_mailcontent'($*)) dnl
')
########################################
##
## Modified mailserver interface for
## sendmail daemon use.
##
##
##
## A modified MTA mail server interface for
## the sendmail program. Its design does
## not fit well with policy, and using the
## regular interface causes a type_transition
## conflict if direct running of init scripts
## is enabled.
##
##
## This interface should most likely only be used
## by the sendmail policy.
##
##
##
##
## The type to be used for the mail server.
##
##
##
##
## The type to be used for the domain entry point program.
##
##
define(`mta_sendmail_mailserver',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mta_sendmail_mailserver'($*)) dnl
gen_require(`
attribute mailserver_domain;
type sendmail_exec_t;
')
# Unlike the generic mail server interface this uses a system domain
# entered through the shared sendmail entry point, avoiding the
# type_transition conflict described in the header. $1 is the server
# domain; the entry point is fixed to sendmail_exec_t.
init_system_domain($1,sendmail_exec_t)
typeattribute $1 mailserver_domain;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mta_sendmail_mailserver'($*)) dnl
')
#######################################
##
## Make a type a mailserver type used
## for sending mail.
##
##
##
## Mail server domain type used for sending mail.
##
##
#
define(`mta_mailserver_sender',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mta_mailserver_sender'($*)) dnl
gen_require(`
attribute mailserver_sender;
')
# Attribute-only: $1 is marked as a sending mail server domain.
typeattribute $1 mailserver_sender;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mta_mailserver_sender'($*)) dnl
')
#######################################
##
## Make a type a mailserver type used
## for delivering mail to local users.
##
##
##
## Mail server domain type used for delivering mail.
##
##
#
define(`mta_mailserver_delivery',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mta_mailserver_delivery'($*)) dnl
gen_require(`
attribute mailserver_delivery;
type mail_spool_t;
')
# $1 is marked as a delivery agent and may deliver into the mail spool.
# The file permission set below has create, read and append but no
# write, so existing mailbox content cannot be rewritten through this
# interface; keep it that way.
typeattribute $1 mailserver_delivery;
allow $1 mail_spool_t:dir ra_dir_perms;
allow $1 mail_spool_t:file { create ioctl read getattr lock append };
allow $1 mail_spool_t:lnk_file { create read getattr };
# Hand-off to dovecot delivery when that module is loaded.
optional_policy(`
dovecot_manage_spool($1)
dovecot_domtrans_deliver($1)
')
optional_policy(`
# so MTA can access /var/lib/mailman/mail/wrapper
files_search_var_lib($1)
mailman_domtrans($1)
mailman_read_data_symlinks($1)
')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mta_mailserver_delivery'($*)) dnl
')
#######################################
##
## Make a type a mailserver type used
## for sending mail on behalf of local
## users to the local mail spool.
##
##
##
## Mail server domain type used for sending local mail.
##
##
#
define(`mta_mailserver_user_agent',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mta_mailserver_user_agent'($*)) dnl
gen_require(`
attribute mta_user_agent;
')
# $1 is marked as a user agent; the send mail interface below then
# grants it an fd, pipe and SIGCHLD back-channel to every caller.
typeattribute $1 mta_user_agent;
optional_policy(`
# apache should set close-on-exec
apache_dontaudit_rw_stream_sockets($1)
apache_dontaudit_rw_sys_script_stream_sockets($1)
apache_append_log($1)
')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mta_mailserver_user_agent'($*)) dnl
')
########################################
##
## Send mail from the system.
##
##
##
## Domain allowed access.
##
##
#
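define(`mta_send_mail',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mta_send_mail'($*)) dnl
gen_require(`
attribute mta_user_agent;
type system_mail_t, sendmail_exec_t;
')
# $1 may follow the sendmail link and, on exec of sendmail_exec_t,
# transitions into system_mail_t. The shared pattern, used by the
# other domtrans interfaces in this file, also grants the parent/child
# IPC back-channel: fd inheritance, pipe rw and SIGCHLD back to $1.
allow $1 sendmail_exec_t:lnk_file r_file_perms;
domtrans_pattern($1, sendmail_exec_t, system_mail_t)
# Every user agent domain gets the same back-channel to the caller,
# with pipe access limited to read and write.
allow mta_user_agent $1:fd use;
allow mta_user_agent $1:process sigchld;
allow mta_user_agent $1:fifo_file { read write };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mta_send_mail'($*)) dnl
')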
########################################
##
## Execute send mail in a specified domain.
##
##
##
## Execute send mail in a specified domain.
##
##
## No interprocess communication (signals, pipes,
## etc.) is provided by this interface since
## the domains are not owned by this module.
##
##
##
##
## Domain to transition from.
##
##
##
##
## Domain to transition to.
##
##
#
define(`mta_sendmail_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mta_sendmail_domtrans'($*)) dnl
gen_require(`
type sendmail_exec_t;
')
# $1 transitions into the caller-owned domain $2 on exec of
# sendmail_exec_t. Deliberately no fd, pipe or SIGCHLD rules here:
# $2 is not owned by this module, so the caller must add its own IPC.
files_search_usr($1)
corecmd_read_sbin_symlinks($1)
domain_auto_trans($1,sendmail_exec_t,$2)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mta_sendmail_domtrans'($*)) dnl
')
########################################
##
## Execute sendmail in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`mta_sendmail_exec',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mta_sendmail_exec'($*)) dnl
gen_require(`
type sendmail_exec_t;
')
# $1 runs sendmail in its own domain, no transition: sendmail then
# carries the full privileges of the caller.
can_exec($1, sendmail_exec_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mta_sendmail_exec'($*)) dnl
')
########################################
##
## Read mail server configuration.
##
##
##
## Domain allowed access.
##
##
##
#
define(`mta_read_config',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mta_read_config'($*)) dnl
gen_require(`
type etc_mail_t;
')
# Read-only: reach etc, list the mail config dirs, read files and links.
files_search_etc($1)
allow $1 etc_mail_t:dir list_dir_perms;
allow $1 etc_mail_t:file r_file_perms;
allow $1 etc_mail_t:lnk_file { getattr read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mta_read_config'($*)) dnl
')
########################################
##
## Read mail address aliases.
##
##
##
## Domain allowed access.
##
##
#
define(`mta_read_aliases',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mta_read_aliases'($*)) dnl
gen_require(`
type etc_aliases_t;
')
# Read-only access to the alias files; no directory rule on the type
# itself, only the search into etc.
files_search_etc($1)
allow $1 etc_aliases_t:file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mta_read_aliases'($*)) dnl
')
########################################
##
## Type transition files created in /etc
## to the mail address aliases type.
##
##
##
## Domain allowed access.
##
##
#
define(`mta_etc_filetrans_aliases',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mta_etc_filetrans_aliases'($*)) dnl
gen_require(`
type etc_aliases_t;
')
# Labeling only: regular files $1 creates in etc get the aliases type.
# This grants no create permission by itself.
files_etc_filetrans($1,etc_aliases_t, file)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mta_etc_filetrans_aliases'($*)) dnl
')
########################################
##
## Read and write mail aliases.
##
##
##
## Domain allowed access.
##
##
##
#
define(`mta_rw_aliases',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mta_rw_aliases'($*)) dnl
gen_require(`
type etc_aliases_t;
')
# Read, write and setattr on existing alias files; no create or unlink.
# Aliases can redirect mail and name programs, so grant sparingly.
files_search_etc($1)
allow $1 etc_aliases_t:file { rw_file_perms setattr };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mta_rw_aliases'($*)) dnl
')
#######################################
##
## Do not audit attempts to read and write TCP
## sockets of mail delivery domains.
##
##
##
## Mail server domain.
##
##
#
define(`mta_dontaudit_rw_delivery_tcp_sockets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mta_dontaudit_rw_delivery_tcp_sockets'($*)) dnl
gen_require(`
attribute mailserver_delivery;
')
# Suppresses the audit record only; access is still denied. Applies to
# TCP sockets of every domain carrying the mailserver_delivery attribute.
dontaudit $1 mailserver_delivery:tcp_socket { read write };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mta_dontaudit_rw_delivery_tcp_sockets'($*)) dnl
')
#######################################
##
## Connect to all mail servers over TCP. (Deprecated)
##
##
##
## Mail server domain.
##
##
#
define(`mta_tcp_connect_all_mailservers',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mta_tcp_connect_all_mailservers'($*)) dnl
# Deprecated stub: produces no rules. refpolicywarn is expected to
# report the call at policy build time so callers can be migrated.
refpolicywarn(`$0($*) has been deprecated.')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mta_tcp_connect_all_mailservers'($*)) dnl
')
#######################################
##
## Do not audit attempts to read a symlink
## in the mail spool.
##
##
##
## Domain allowed access.
##
##
#
define(`mta_dontaudit_read_spool_symlinks',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mta_dontaudit_read_spool_symlinks'($*)) dnl
gen_require(`
type mail_spool_t;
')
# Audit suppression only: following symlinks in the spool stays denied.
dontaudit $1 mail_spool_t:lnk_file read;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mta_dontaudit_read_spool_symlinks'($*)) dnl
')
########################################
##
## Get the attributes of mail spool files.
##
##
##
## Domain allowed access.
##
##
#
define(`mta_getattr_spool',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mta_getattr_spool'($*)) dnl
gen_require(`
type mail_spool_t;
')
# NOTE(review): this grants more than the name suggests - r_dir_perms
# lets the caller list the spool directory and read on lnk_file lets it
# follow symlinks there; only the file class is limited to getattr.
# Narrowing it would need an audit of existing callers.
files_search_spool($1)
allow $1 mail_spool_t:dir r_dir_perms;
allow $1 mail_spool_t:lnk_file read;
allow $1 mail_spool_t:file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mta_getattr_spool'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of mail spool files.
##
##
##
## Domain to not audit.
##
##
#
define(`mta_dontaudit_getattr_spool_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mta_dontaudit_getattr_spool_files'($*)) dnl
gen_require(`
type mail_spool_t;
')
# Mirrors mta_getattr_spool but as dontaudit: the whole path walk
# (/var/spool search, spool dir search, symlink read, file getattr) is
# silenced without granting anything.
files_dontaudit_search_spool($1)
dontaudit $1 mail_spool_t:dir search;
dontaudit $1 mail_spool_t:lnk_file read;
dontaudit $1 mail_spool_t:file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mta_dontaudit_getattr_spool_files'($*)) dnl
')
#######################################
##
## Create private objects in the
## mail spool directory.
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the object to be created.
##
##
##
##
## The object class of the object being created.
##
##
#
define(`mta_spool_filetrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mta_spool_filetrans'($*)) dnl
gen_require(`
type mail_spool_t;
')
# Argument 2 is the type the new object receives, argument 3 is its
# object class; note the type_transition statement writes them in the
# opposite order (class before type).
# NOTE(review): rw_dir_perms on the spool directory is wider than the
# single class named in argument 3 - it also covers removing entries.
# Confirm callers need that rather than just add_name.
files_search_spool($1)
allow $1 mail_spool_t:dir rw_dir_perms;
type_transition $1 mail_spool_t:$3 $2;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mta_spool_filetrans'($*)) dnl
')
########################################
##
## Read and write the mail spool.
##
##
##
## Domain allowed access.
##
##
#
define(`mta_rw_spool',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mta_rw_spool'($*)) dnl
gen_require(`
type mail_spool_t;
')
# Read/write existing spool files (plus setattr); the directory is
# read-only here, so no new files can be created or removed.
files_search_spool($1)
allow $1 mail_spool_t:dir r_dir_perms;
allow $1 mail_spool_t:lnk_file { getattr read };
allow $1 mail_spool_t:file { rw_file_perms setattr };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mta_rw_spool'($*)) dnl
')
#######################################
##
## Create, read, and write the mail spool.
##
##
##
## Domain allowed access.
##
##
#
define(`mta_append_spool',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mta_append_spool'($*)) dnl
gen_require(`
type mail_spool_t;
')
# NOTE(review): despite the name this is not append-only - it grants
# create_file_perms on spool files and ra_dir_perms (add entries) on the
# directory, matching the "Create, read, and write" summary above.
files_search_spool($1)
allow $1 mail_spool_t:dir ra_dir_perms;
allow $1 mail_spool_t:lnk_file { getattr read };
allow $1 mail_spool_t:file create_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mta_append_spool'($*)) dnl
')
#######################################
##
## Delete from the mail spool.
##
##
##
## Domain allowed access.
##
##
#
define(`mta_delete_spool',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mta_delete_spool'($*)) dnl
gen_require(`
type mail_spool_t;
')
# Minimal set for unlinking: list the directory to find the entry,
# write + remove_name on the directory to drop it, unlink on the file.
# No read or write access to file contents is granted.
files_search_spool($1)
allow $1 mail_spool_t:dir { list_dir_perms write remove_name };
allow $1 mail_spool_t:file unlink;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mta_delete_spool'($*)) dnl
')
########################################
##
## Create, read, write, and delete mail spool files.
##
##
##
## Domain allowed access.
##
##
#
define(`mta_manage_spool',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mta_manage_spool'($*)) dnl
gen_require(`
type mail_spool_t;
')
# Full control of the spool: manage dirs, files and symlinks. This is
# the widest of the mta_*_spool interfaces; prefer a narrower one
# (rw, append, delete) when the caller does not need all of it.
files_search_spool($1)
allow $1 mail_spool_t:dir manage_dir_perms;
allow $1 mail_spool_t:lnk_file create_lnk_perms;
allow $1 mail_spool_t:file manage_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mta_manage_spool'($*)) dnl
')
#######################################
##
## Do not audit attempts to read and
## write the mail queue.
##
##
##
## Domain to not audit.
##
##
#
define(`mta_dontaudit_rw_queue',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mta_dontaudit_rw_queue'($*)) dnl
gen_require(`
type mqueue_spool_t;
')
# Audit suppression only for the queue directory walk and file access;
# nothing is granted.
dontaudit $1 mqueue_spool_t:dir search_dir_perms;
dontaudit $1 mqueue_spool_t:file { getattr read write };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mta_dontaudit_rw_queue'($*)) dnl
')
########################################
##
## Read mail queue files.
##
##
##
## Domain allowed access.
##
##
#
define(`mta_read_queue',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mta_read_queue'($*)) dnl
gen_require(`
type mqueue_spool_t;
')
# Uses the read_files_pattern helper with mqueue_spool_t as both the
# container directory type and the file type, unlike the mail_spool_t
# interfaces above which spell out the allow rules by hand.
files_search_spool($1)
read_files_pattern($1, mqueue_spool_t, mqueue_spool_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mta_read_queue'($*)) dnl
')
########################################
##
## Search mail queue directories.
##
##
##
## Domain allowed access.
##
##
#
define(`mta_search_queue',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mta_search_queue'($*)) dnl
gen_require(`
type mqueue_spool_t;
')
# Path traversal only - no listing and no access to queue files.
files_search_spool($1)
allow $1 mqueue_spool_t:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mta_search_queue'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## mail queue files.
##
##
##
## Domain allowed access.
##
##
#
define(`mta_manage_queue',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mta_manage_queue'($*)) dnl
gen_require(`
type mqueue_spool_t;
')
# NOTE(review): the summary promises delete, but the directory gets
# rw_dir_perms rather than manage_dir_perms and files get
# create_file_perms rather than manage_file_perms (compare
# mta_manage_spool). Whether unlink is covered depends on how those
# permission sets are defined in this policy version - confirm.
files_search_spool($1)
allow $1 mqueue_spool_t:dir rw_dir_perms;
allow $1 mqueue_spool_t:file create_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mta_manage_queue'($*)) dnl
')
#######################################
##
## Read sendmail binary.
##
##
##
## Domain allowed access.
##
##
#
# cjp: added for postfix
define(`mta_read_sendmail_bin',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mta_read_sendmail_bin'($*)) dnl
gen_require(`
type sendmail_exec_t;
')
# Read only: no execute or domain transition is granted, so this does
# not let the caller run sendmail. No directory search is included.
allow $1 sendmail_exec_t:file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mta_read_sendmail_bin'($*)) dnl
')
#######################################
##
## Read and write unix domain stream sockets
## of user mail domains.
##
##
##
## Domain allowed access.
##
##
#
define(`mta_rw_user_mail_stream_sockets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mta_rw_user_mail_stream_sockets'($*)) dnl
gen_require(`
attribute user_mail_domain;
')
# Attribute-wide grant: covers unix stream sockets of every domain
# carrying user_mail_domain, typically for descriptors passed across a
# transition. connectto is not included.
allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mta_rw_user_mail_stream_sockets'($*)) dnl
')
## Munin network-wide load graphing (formerly LRRD)
########################################
##
## Connect to munin over a unix domain
## stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`munin_stream_connect',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `munin_stream_connect'($*)) dnl
gen_require(`
type munin_var_run_t, munin_t;
')
# Hand-written equivalent of stream_connect_pattern (see
# mysql_stream_connect): connectto on the daemon plus write on the
# socket file, with the /var/run path walk from files_search_pids.
# NOTE(review): no search on munin_var_run_t directories is granted, so
# this only works if the socket file sits directly in /var/run - confirm.
allow $1 munin_t:unix_stream_socket connectto;
allow $1 munin_var_run_t:sock_file { getattr write };
files_search_pids($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `munin_stream_connect'($*)) dnl
')
#######################################
##
## Read munin configuration files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`munin_read_config',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `munin_read_config'($*)) dnl
gen_require(`
type munin_etc_t;
')
# Read-only access to the munin config tree, including listing its
# directories and following symlinks; the /etc path walk is included.
allow $1 munin_etc_t:dir list_dir_perms;
allow $1 munin_etc_t:file read_file_perms;
allow $1 munin_etc_t:lnk_file { getattr read };
files_search_etc($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `munin_read_config'($*)) dnl
')
#######################################
##
## Search munin library directories.
##
##
##
## Domain allowed access.
##
##
#
define(`munin_search_lib',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `munin_search_lib'($*)) dnl
gen_require(`
type munin_var_lib_t;
')
# Traversal only (no listing, no file access), plus the /var/lib walk.
allow $1 munin_var_lib_t:dir search_dir_perms;
files_search_var_lib($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `munin_search_lib'($*)) dnl
')
## Policy for MySQL
########################################
##
## Send a generic signal to MySQL.
##
##
##
## Domain allowed access.
##
##
#
define(`mysql_signal',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mysql_signal'($*)) dnl
gen_require(`
type mysqld_t;
')
# Generic signal only; sigkill, sigstop and sigchld are separate
# permissions and are not granted here.
allow $1 mysqld_t:process signal;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mysql_signal'($*)) dnl
')
########################################
##
## Connect to MySQL using a unix domain stream socket.
##
##
##
## Domain allowed access.
##
##
##
#
define(`mysql_stream_connect',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mysql_stream_connect'($*)) dnl
gen_require(`
type mysqld_t, mysqld_var_run_t;
type mysqld_db_t;
')
# Two placements of the mysqld_var_run_t socket file are supported:
# inside a mysqld_var_run_t directory and inside the mysqld_db_t
# database directory. The pattern arguments are (domain, dir type,
# socket file type, daemon domain).
stream_connect_pattern($1, mysqld_var_run_t, mysqld_var_run_t, mysqld_t)
stream_connect_pattern($1, mysqld_db_t, mysqld_var_run_t, mysqld_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mysql_stream_connect'($*)) dnl
')
########################################
##
## Read MySQL configuration files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`mysql_read_config',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mysql_read_config'($*)) dnl
gen_require(`
type mysqld_etc_t;
')
# Explicit permission lists instead of the list_dir_perms /
# r_file_perms sets used by the other *_read_config interfaces.
# NOTE(review): unlike munin_read_config and nagios_read_config this
# does not call files_search_etc, so the caller must already be able
# to search /etc - confirm before relying on this interface alone.
allow $1 mysqld_etc_t:dir { getattr read search };
allow $1 mysqld_etc_t:file { read getattr };
allow $1 mysqld_etc_t:lnk_file { getattr read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mysql_read_config'($*)) dnl
')
########################################
##
## Search the directories that contain MySQL
## database storage.
##
##
##
## Domain allowed access.
##
##
#
# cjp: "_dir" in the name is added to clarify that this
# is not searching the database itself.
define(`mysql_search_db',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mysql_search_db'($*)) dnl
gen_require(`
type mysqld_db_t;
')
# Directory traversal only: search on the database directory type plus
# the /var/lib walk. No access to the database files themselves.
# NOTE(review): the cjp comment above refers to a _dir suffix that this
# macro name does not carry; the name seems to have changed since.
files_search_var_lib($1)
allow $1 mysqld_db_t:dir search;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mysql_search_db'($*)) dnl
')
########################################
##
## Read and write to the MySQL database directory.
##
##
##
## Domain allowed access.
##
##
#
define(`mysql_rw_db_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mysql_rw_db_dirs'($*)) dnl
gen_require(`
type mysqld_db_t;
')
# Directory-level read/write (add and remove entries) on mysqld_db_t;
# no permissions on the files inside are granted by this interface.
files_search_var_lib($1)
allow $1 mysqld_db_t:dir rw_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mysql_rw_db_dirs'($*)) dnl
')
########################################
##
## Create, read, write, and delete MySQL database directories.
##
##
##
## Domain allowed access.
##
##
#
define(`mysql_manage_db_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mysql_manage_db_dirs'($*)) dnl
gen_require(`
type mysqld_db_t;
')
# Create/delete database directories. Only the dir class is covered;
# the summary mentions files, but no file-class rule exists here.
files_search_var_lib($1)
allow $1 mysqld_db_t:dir create_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mysql_manage_db_dirs'($*)) dnl
')
########################################
##
## Read and write to the MySQL database
## named socket.
##
##
##
## Domain allowed access.
##
##
#
define(`mysql_rw_db_sockets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mysql_rw_db_sockets'($*)) dnl
gen_require(`
type mysqld_db_t;
')
# Read/write on socket files labelled mysqld_db_t. This does not grant
# connectto on mysqld_t, so on its own it does not allow connecting to
# the daemon; use mysql_stream_connect for that.
files_search_var_lib($1)
allow $1 mysqld_db_t:dir search;
allow $1 mysqld_db_t:sock_file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mysql_rw_db_sockets'($*)) dnl
')
########################################
##
## Write to the MySQL log.
##
##
##
## Domain allowed access.
##
##
#
define(`mysql_write_log',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mysql_write_log'($*)) dnl
gen_require(`
type mysqld_log_t;
')
# Write-side only: write, append, setattr and ioctl on the log file.
# read and getattr are intentionally absent, so the caller cannot read
# back log contents; the /var/log walk comes from logging_search_logs.
logging_search_logs($1)
allow $1 mysqld_log_t:file { write append setattr ioctl };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mysql_write_log'($*)) dnl
')
## Net Saint / NAGIOS - network monitoring server
########################################
##
## Allow the specified domain to read
## nagios configuration files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`nagios_read_config',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `nagios_read_config'($*)) dnl
gen_require(`
type nagios_etc_t;
')
# Read-only access to the nagios config tree with the /etc path walk.
# No lnk_file rule: symlinks inside the config tree are not followed.
allow $1 nagios_etc_t:dir list_dir_perms;
allow $1 nagios_etc_t:file r_file_perms;
files_search_etc($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `nagios_read_config'($*)) dnl
')
########################################
##
## Allow the specified domain to read
## nagios temporary files.
##
##
##
## Domain allowed access.
##
##
#
define(`nagios_read_tmp_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `nagios_read_tmp_files'($*)) dnl
gen_require(`
type nagios_tmp_t;
')
# Read nagios temp files; only the /tmp walk is granted, not search or
# listing of nagios_tmp_t directories themselves.
allow $1 nagios_tmp_t:file r_file_perms;
files_search_tmp($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `nagios_read_tmp_files'($*)) dnl
')
########################################
##
## Execute the nagios NRPE with
## a domain transition.
##
##
##
## Domain allowed access.
##
##
#
define(`nagios_domtrans_nrpe',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `nagios_domtrans_nrpe'($*)) dnl
gen_require(`
type nrpe_t, nrpe_exec_t;
')
# Legacy form: domain_auto_trans plus hand-written fd/fifo/sigchld
# rules, where networkmanager_domtrans below uses domtrans_pattern.
# The three allow rules let the child (nrpe_t) use inherited
# descriptors and pipes of the caller and report exit via sigchld.
# NOTE(review): no corecmd_search_bin call here, unlike the other
# domtrans interfaces - confirm callers can reach the executable.
domain_auto_trans($1,nrpe_exec_t,nrpe_t)
allow nrpe_t $1:fd use;
allow nrpe_t $1:fifo_file rw_file_perms;
allow nrpe_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `nagios_domtrans_nrpe'($*)) dnl
')
########################################
##
## Do not audit attempts to read and write
## NAGIOS unnamed pipes.
##
##
##
## Domain to not audit.
##
##
#
define(`nagios_dontaudit_rw_pipes',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `nagios_dontaudit_rw_pipes'($*)) dnl
gen_require(`
type nagios_t;
')
# Audit suppression only; pipe access from the caller stays denied.
dontaudit $1 nagios_t:fifo_file rw_fifo_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `nagios_dontaudit_rw_pipes'($*)) dnl
')
########################################
##
## Search nagios spool directories.
##
##
##
## Domain allowed access.
##
##
#
define(`nagios_search_spool',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `nagios_search_spool'($*)) dnl
gen_require(`
type nagios_spool_t;
')
# Traversal only, plus the /var/spool walk; no listing or file access.
allow $1 nagios_spool_t:dir search_dir_perms;
files_search_spool($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `nagios_search_spool'($*)) dnl
')
## Nessus network scanning daemon
########################################
##
## Connect to nessus over a TCP socket (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`nessus_tcp_connect',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `nessus_tcp_connect'($*)) dnl
# Deprecated stub: produces no rules, only a build-time warning via
# refpolicywarn. Callers should use the corenet port interfaces.
refpolicywarn(`$0($*) has been deprecated.')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `nessus_tcp_connect'($*)) dnl
')
## Manager for dynamically switching between networks.
########################################
##
## Read and write NetworkManager UDP sockets.
##
##
##
## Domain allowed access.
##
##
#
# cjp: added for named.
define(`networkmanager_rw_udp_sockets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `networkmanager_rw_udp_sockets'($*)) dnl
gen_require(`
type NetworkManager_t;
')
# read/write only on UDP sockets owned by NetworkManager_t (for
# descriptors inherited across exec); no create, bind or connect.
allow $1 NetworkManager_t:udp_socket { read write };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `networkmanager_rw_udp_sockets'($*)) dnl
')
########################################
##
## Read and write NetworkManager packet sockets.
##
##
##
## Domain allowed access.
##
##
#
# cjp: added for named.
define(`networkmanager_rw_packet_sockets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `networkmanager_rw_packet_sockets'($*)) dnl
gen_require(`
type NetworkManager_t;
')
# read/write on NetworkManager packet sockets. Packet sockets carry
# raw link-layer frames, so treat this as a wide grant and limit it to
# domains that genuinely inherit such a descriptor (added for named).
allow $1 NetworkManager_t:packet_socket { read write };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `networkmanager_rw_packet_sockets'($*)) dnl
')
########################################
##
## Read and write NetworkManager netlink
## routing sockets.
##
##
##
## Domain allowed access.
##
##
#
# cjp: added for named.
define(`networkmanager_rw_routing_sockets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `networkmanager_rw_routing_sockets'($*)) dnl
gen_require(`
type NetworkManager_t;
')
# read/write on inherited netlink route sockets; no nlmsg_read /
# nlmsg_write permissions are granted, so this is not a full grant of
# routing-table access.
allow $1 NetworkManager_t:netlink_route_socket { read write };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `networkmanager_rw_routing_sockets'($*)) dnl
')
########################################
##
## Execute NetworkManager with a domain transition.
##
##
##
## Domain allowed access.
##
##
#
define(`networkmanager_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `networkmanager_domtrans'($*)) dnl
gen_require(`
type NetworkManager_t, NetworkManager_exec_t;
')
# Modern form: domtrans_pattern bundles the execute, transition and
# fd/fifo/sigchld rules that nagios_domtrans_nrpe spells out by hand;
# corecmd_search_bin provides the path walk to the binary.
corecmd_search_bin($1)
domtrans_pattern($1, NetworkManager_exec_t, NetworkManager_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `networkmanager_domtrans'($*)) dnl
')
########################################
##
## Send and receive messages from
## NetworkManager over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`networkmanager_dbus_chat',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `networkmanager_dbus_chat'($*)) dnl
gen_require(`
type NetworkManager_t;
class dbus send_msg;
')
# Bidirectional: the caller may send D-Bus messages to NetworkManager
# and NetworkManager may send to the caller. The dbus class is listed
# in the require block because it is a userspace object class.
allow $1 NetworkManager_t:dbus send_msg;
allow NetworkManager_t $1:dbus send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `networkmanager_dbus_chat'($*)) dnl
')
########################################
##
## Send a generic signal to NetworkManager.
##
##
##
## Domain allowed access.
##
##
#
define(`networkmanager_signal',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `networkmanager_signal'($*)) dnl
gen_require(`
type NetworkManager_t;
')
# Generic signal only; sigkill and sigstop are not included.
allow $1 NetworkManager_t:process signal;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `networkmanager_signal'($*)) dnl
')
########################################
##
## Execute NetworkManager scripts with an automatic domain transition to initrc.
##
##
##
## Domain allowed access.
##
##
#
define(`networkmanager_script_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `networkmanager_script_domtrans'($*)) dnl
gen_require(`
type NetworkManager_initrc_exec_t;
')
# Delegates to the init framework: running the NetworkManager init
# script transitions the caller into the initrc domain, as the summary
# states. Nothing NetworkManager-specific is granted beyond the
# executable type.
init_script_domtrans_spec($1, NetworkManager_initrc_exec_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `networkmanager_script_domtrans'($*)) dnl
')
########################################
##
## Read NetworkManager PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`networkmanager_read_pid_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `networkmanager_read_pid_files'($*)) dnl
gen_require(`
type NetworkManager_var_run_t;
')
# Read-only on PID files with the /var/run walk. Only the file class
# is covered; sockets or directories of the same type are not.
files_search_pids($1)
allow $1 NetworkManager_var_run_t:file read_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `networkmanager_read_pid_files'($*)) dnl
')
## Policy for NIS (YP) servers and clients
########################################
##
## Use the ypbind service to access NIS services
## unconditionally.
##
##
##
## Use the ypbind service to access NIS services
## unconditionally.
##
##
## This interface was added because of apache and
## spamassassin, to fix a nested conditionals problem.
## When that support is added, this should be removed,
## and the regular interface should be used.
##
##
##
##
## The type of the process performing this action.
##
##
#
define(`nis_use_ypbind_uncond',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `nis_use_ypbind_uncond'($*)) dnl
gen_require(`
type var_yp_t;
')
# Unconditional NIS client access - this is a wide grant and is meant
# to be reached through the tunable-gated nis_use_ypbind wrapper below
# except where nested conditionals are not possible (see the
# description above).
# Privileged parts: net_bind_service plus bind to reserved ports on all
# nodes. Any domain given this interface can bind ports below 1024.
allow $1 self:capability net_bind_service;
allow $1 self:tcp_socket create_stream_socket_perms;
allow $1 self:udp_socket create_socket_perms;
# Read-only access to the NIS binding directory (/var/yp).
allow $1 var_yp_t:dir r_dir_perms;
allow $1 var_yp_t:lnk_file { getattr read };
allow $1 var_yp_t:file r_file_perms;
# Network access: send/receive on all interfaces, nodes and ports.
corenet_non_ipsec_sendrecv($1)
corenet_tcp_sendrecv_all_if($1)
corenet_udp_sendrecv_all_if($1)
corenet_tcp_sendrecv_all_nodes($1)
corenet_udp_sendrecv_all_nodes($1)
corenet_tcp_sendrecv_all_ports($1)
corenet_udp_sendrecv_all_ports($1)
corenet_tcp_bind_all_nodes($1)
corenet_udp_bind_all_nodes($1)
corenet_tcp_bind_generic_port($1)
corenet_udp_bind_generic_port($1)
corenet_tcp_bind_reserved_port($1)
corenet_udp_bind_reserved_port($1)
# Binding to named reserved ports is silenced rather than allowed.
corenet_dontaudit_tcp_bind_all_reserved_ports($1)
corenet_dontaudit_udp_bind_all_reserved_ports($1)
corenet_dontaudit_tcp_bind_all_ports($1)
corenet_dontaudit_udp_bind_all_ports($1)
# Outbound: portmapper plus generic and reserved ports only.
corenet_tcp_connect_portmap_port($1)
corenet_tcp_connect_reserved_port($1)
corenet_tcp_connect_generic_port($1)
corenet_dontaudit_tcp_connect_all_reserved_ports($1)
corenet_dontaudit_tcp_connect_all_ports($1)
corenet_sendrecv_portmap_client_packets($1)
corenet_sendrecv_generic_client_packets($1)
corenet_sendrecv_generic_server_packets($1)
sysnet_read_config($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `nis_use_ypbind_uncond'($*)) dnl
')
########################################
##
## Use the ypbind service to access NIS services.
##
##
##
## The type of the process performing this action.
##
##
##
#
define(`nis_use_ypbind',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `nis_use_ypbind'($*)) dnl
gen_require(`
type var_yp_t;
')
# Preferred entry point: the wide nis_use_ypbind_uncond grant is only
# active when the allow_ypbind boolean is on.
# NOTE(review): var_yp_t is not referenced directly in this body; the
# require above is redundant since nis_use_ypbind_uncond has its own.
tunable_policy(`allow_ypbind',`
nis_use_ypbind_uncond($1)
')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `nis_use_ypbind'($*)) dnl
')
########################################
##
## Use the nis to authenticate passwords
##
##
##
## The type of the process performing this action.
##
##
##
#
define(`nis_authenticate',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `nis_authenticate'($*)) dnl
# NIS password authentication for the caller domain: the full ypbind
# client access plus binding to the RPC port range, all gated on the
# allow_ypbind boolean. No gen_require is needed here because every
# type used is required inside nis_use_ypbind_uncond.
tunable_policy(`allow_ypbind',`
nis_use_ypbind_uncond($1)
# Needs to bind to a port < 1024
# (net_bind_service is already granted by nis_use_ypbind_uncond;
# the repetition here is harmless but redundant.)
allow $1 self:capability net_bind_service;
corenet_tcp_bind_all_rpc_ports($1)
corenet_udp_bind_all_rpc_ports($1)
')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `nis_authenticate'($*)) dnl
')
########################################
##
## Execute ypbind in the ypbind domain.
##
##
##
## Domain allowed access.
##
##
#
define(`nis_domtrans_ypbind',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `nis_domtrans_ypbind'($*)) dnl
# Let the caller domain execute a ypbind_exec_t file and automatically
# transition into ypbind_t. The fd, fifo and sigchld rules are the
# usual parent/child plumbing spelled out by hand (compare
# nscd_domtrans, which gets the same from domtrans_pattern).
gen_require(`
type ypbind_t, ypbind_exec_t;
')
corecmd_search_bin($1)
domain_auto_trans($1,ypbind_exec_t,ypbind_t)
# Unlike the other domtrans interfaces in this file, the caller is also
# allowed to use descriptors owned by ypbind_t (fd use in both
# directions) - intentional as far as this file shows, but it is a
# wider grant than nis_domtrans_ypxfr gives.
allow $1 ypbind_t:fd use;
allow ypbind_t $1:fd use;
allow ypbind_t $1:fifo_file rw_file_perms;
allow ypbind_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `nis_domtrans_ypbind'($*)) dnl
')
########################################
##
## Send generic signals to ypbind.
##
##
##
## The type of the process performing this action.
##
##
#
define(`nis_signal_ypbind',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `nis_signal_ypbind'($*)) dnl
# Generic signals only (the signal permission); sigkill, sigstop and
# signull are not included.
gen_require(`
type ypbind_t;
')
allow $1 ypbind_t:process signal;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `nis_signal_ypbind'($*)) dnl
')
########################################
##
## List the contents of the NIS data directory.
##
##
##
## The type of the process performing this action.
##
##
#
define(`nis_list_var_yp',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `nis_list_var_yp'($*)) dnl
# Directory-level read access to var_yp_t only; files inside it are
# not covered (nis_use_ypbind_uncond grants those).
gen_require(`
type var_yp_t;
')
# The caller must be able to reach the directory under /var first.
files_search_var($1)
allow $1 var_yp_t:dir r_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `nis_list_var_yp'($*)) dnl
')
########################################
##
## Send UDP network traffic to NIS clients. (Deprecated)
##
##
##
## The type of the process performing this action.
##
##
#
define(`nis_udp_send_ypbind',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `nis_udp_send_ypbind'($*)) dnl
# Deprecated: grants nothing, only emits a build-time warning so
# remaining callers can be located and removed.
refpolicywarn(`$0($*) has been deprecated.')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `nis_udp_send_ypbind'($*)) dnl
')
########################################
##
## Connect to ypbind over TCP. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`nis_tcp_connect_ypbind',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `nis_tcp_connect_ypbind'($*)) dnl
# Deprecated: grants nothing, only emits a build-time warning so
# remaining callers can be located and removed.
refpolicywarn(`$0($*) has been deprecated.')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `nis_tcp_connect_ypbind'($*)) dnl
')
########################################
##
## Read ypbind pid files.
##
##
##
## Domain allowed access.
##
##
#
define(`nis_read_ypbind_pid',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `nis_read_ypbind_pid'($*)) dnl
# Read-only access to files labeled ypbind_var_run_t, the label of the
# ypbind pid file; search on the pids directory is needed to reach it.
gen_require(`
type ypbind_var_run_t;
')
files_search_pids($1)
allow $1 ypbind_var_run_t:file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `nis_read_ypbind_pid'($*)) dnl
')
########################################
##
## Delete ypbind pid files.
##
##
##
## Domain allowed access.
##
##
#
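define(`nis_delete_ypbind_pid',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `nis_delete_ypbind_pid'($*)) dnl
# Let the caller domain unlink the ypbind pid file.
# The pid file carries the ypbind_var_run_t label (the same type that
# nis_read_ypbind_pid reads); ypbind_t is the ypbind process domain,
# so the previous rule on ypbind_t:file granted unlink on a type that
# the pid file does not have and left the caller unable to remove it.
gen_require(`
type ypbind_var_run_t;
')
# The caller has to search down to the pids directory first.
files_search_pids($1)
# TODO: unlinking also needs remove_name on the directory that holds
# the pid file; add that rule (or a delete file pattern) once the
# files layer provides a call for it.
allow $1 ypbind_var_run_t:file unlink;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `nis_delete_ypbind_pid'($*)) dnl
')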
########################################
##
## Read ypserv configuration files.
##
##
##
## Domain allowed access.
##
##
#
define(`nis_read_ypserv_config',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `nis_read_ypserv_config'($*)) dnl
# getattr and read on ypserv_conf_t files (no open or lock, unlike the
# r_file_perms set used elsewhere in this file); the caller also gets
# search on /etc to reach the file.
gen_require(`
type ypserv_conf_t;
')
files_search_etc($1)
allow $1 ypserv_conf_t:file { getattr read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `nis_read_ypserv_config'($*)) dnl
')
########################################
##
## Execute ypxfr in the ypxfr domain.
##
##
##
## Domain allowed access.
##
##
#
define(`nis_domtrans_ypxfr',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `nis_domtrans_ypxfr'($*)) dnl
# Let the caller domain execute a ypxfr_exec_t file (searched under
# sbin) and automatically transition into ypxfr_t; ypxfr_t may then
# use the inherited descriptors and pipes and report exit via sigchld.
gen_require(`
type ypxfr_t, ypxfr_exec_t;
')
corecmd_search_sbin($1)
domain_auto_trans($1,ypxfr_exec_t,ypxfr_t)
allow ypxfr_t $1:fd use;
allow ypxfr_t $1:fifo_file rw_file_perms;
allow ypxfr_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `nis_domtrans_ypxfr'($*)) dnl
')
## Name service cache daemon
########################################
##
## Send generic signals to NSCD.
##
##
##
## Domain allowed access.
##
##
#
define(`nscd_signal',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `nscd_signal'($*)) dnl
# Generic signals to nscd_t only; sigkill and signull have their own
# interfaces below.
gen_require(`
type nscd_t;
')
allow $1 nscd_t:process signal;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `nscd_signal'($*)) dnl
')
########################################
##
## Send signulls to NSCD.
##
##
##
## Domain allowed access.
##
##
#
define(`nscd_signull',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `nscd_signull'($*)) dnl
# signull (signal 0) only: lets the caller probe whether nscd is alive
# without being able to affect it.
gen_require(`
type nscd_t;
')
allow $1 nscd_t:process signull;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `nscd_signull'($*)) dnl
')
########################################
##
## Send sigkills to NSCD.
##
##
##
## Domain allowed access.
##
##
#
define(`nscd_sigkill',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `nscd_sigkill'($*)) dnl
# sigkill only: the caller can terminate nscd outright but gets no
# other signal permission from this interface.
gen_require(`
type nscd_t;
')
allow $1 nscd_t:process sigkill;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `nscd_sigkill'($*)) dnl
')
########################################
##
## Execute NSCD in the nscd domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`nscd_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `nscd_domtrans'($*)) dnl
# Let the caller domain execute nscd_exec_t and transition into
# nscd_t. domtrans_pattern supplies the execute, entrypoint and
# transition rules together with the parent/child fd, fifo and
# sigchld plumbing that the older interfaces in this file spell out
# by hand.
gen_require(`
type nscd_t, nscd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1,nscd_exec_t,nscd_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `nscd_domtrans'($*)) dnl
')
########################################
##
## Allow the specified domain to execute nscd
## in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`nscd_exec',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `nscd_exec'($*)) dnl
# Execute the nscd binary WITHOUT a domain transition: the program runs
# with the caller domain and all of its access. Use nscd_domtrans
# instead unless the caller really needs nscd confined no more tightly
# than itself.
gen_require(`
type nscd_exec_t;
')
can_exec($1,nscd_exec_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `nscd_exec'($*)) dnl
')
########################################
##
## Use NSCD services by connecting using
## a unix stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`nscd_socket_use',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `nscd_socket_use'($*)) dnl
# Ordinary nscd client access over its unix stream socket: passwd,
# group and host lookups are allowed; service lookups (getserv) and
# the shared-memory database permissions are denied silently, so a
# client that tries them falls back without filling the audit log.
# Callers that need the shared-memory path use nscd_shm_use.
gen_require(`
type nscd_t, nscd_var_run_t;
class nscd { getserv getpwd getgrp gethost shmempwd shmemgrp shmemhost shmemserv };
')
allow $1 self:unix_stream_socket create_socket_perms;
allow $1 nscd_t:nscd { getpwd getgrp gethost };
# Clients may try to use descriptors passed back by nscd; that is
# refused here without noise (contrast nscd_shm_use, which allows it).
dontaudit $1 nscd_t:fd use;
dontaudit $1 nscd_t:nscd { getserv shmempwd shmemgrp shmemhost shmemserv };
# Reach and connect to the socket under the pids directory; the socket
# file and the listening process both carry the expected nscd labels.
files_search_pids($1)
stream_connect_pattern($1,nscd_var_run_t,nscd_var_run_t,nscd_t)
dontaudit $1 nscd_var_run_t:file { getattr read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `nscd_socket_use'($*)) dnl
')
########################################
##
## Use NSCD services by mapping the database from
## an inherited NSCD file descriptor.
##
##
##
## Domain allowed access.
##
##
#
define(`nscd_shm_use',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `nscd_shm_use'($*)) dnl
# nscd client access including the shared-memory database path: the
# caller may use a descriptor handed over by nscd_t and map its backing
# file. This is a wider grant than nscd_socket_use (which only
# dontaudits fd use and the shmem permissions); prefer that interface
# for clients that do not need the mapped databases.
gen_require(`
type nscd_t, nscd_var_run_t;
class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost };
')
allow $1 nscd_var_run_t:dir list_dir_perms;
allow $1 nscd_t:nscd { shmempwd shmemgrp shmemhost };
# Receive fd from nscd and map the backing file with read access.
allow $1 nscd_t:fd use;
# cjp: these were originally inherited from the
# nscd_socket_domain macro. need to investigate
# if they are all actually required
# NOTE(review): the three rules below are what stream_connect_pattern
# produces for nscd_socket_use, written out by hand; rw_file_perms on
# the sock_file is broader than the write-only access a connect needs.
allow $1 self:unix_stream_socket create_stream_socket_perms;
allow $1 nscd_t:unix_stream_socket connectto;
allow $1 nscd_var_run_t:sock_file rw_file_perms;
files_search_pids($1)
allow $1 nscd_t:nscd { getpwd getgrp gethost };
dontaudit $1 nscd_var_run_t:file { getattr read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `nscd_shm_use'($*)) dnl
')
########################################
##
## Do not audit attempts to search the NSCD pid directory.
##
##
##
## Domain allowed access.
##
##
#
define(`nscd_dontaudit_search_pid',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `nscd_dontaudit_search_pid'($*)) dnl
# Suppress audit noise only: search on the nscd pid directory stays
# denied, it just is not logged.
gen_require(`
type nscd_var_run_t;
')
dontaudit $1 nscd_var_run_t:dir search;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `nscd_dontaudit_search_pid'($*)) dnl
')
########################################
##
## Read NSCD pid file.
##
##
##
## Domain allowed access.
##
##
#
define(`nscd_read_pid',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `nscd_read_pid'($*)) dnl
# Read nscd_var_run_t files inside an nscd_var_run_t directory, after
# searching down through the pids directory.
gen_require(`
type nscd_var_run_t;
')
files_search_pids($1)
read_files_pattern($1,nscd_var_run_t,nscd_var_run_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `nscd_read_pid'($*)) dnl
')
########################################
##
## Unconfined access to NSCD services.
##
##
##
## Domain allowed access.
##
##
#
define(`nscd_unconfined',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `nscd_unconfined'($*)) dnl
# Every permission in the nscd class, via the wildcard - including any
# permission added to the class later. Intended for unconfined
# domains only; confined clients should use nscd_socket_use or
# nscd_shm_use, which name the permissions they grant.
gen_require(`
type nscd_t;
class nscd all_nscd_perms;
')
allow $1 nscd_t:nscd *;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `nscd_unconfined'($*)) dnl
')
########################################
##
## Execute nscd in the nscd domain, and
## allow the specified role the nscd domain.
##
##
##
## Domain allowed access
##
##
##
##
## The role to be allowed the nscd domain.
##
##
##
##
## The type of the role's terminal.
##
##
#
define(`nscd_run',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `nscd_run'($*)) dnl
# nscd_domtrans for the first parameter plus authorisation of the
# given role for nscd_t, so a user in that role can start nscd
# directly. Terminal access for nscd_t is only dontaudited, not
# allowed (compare oav_run_update and openvpn_run, which allow it):
# the daemon does not get the terminal of the user that started it.
gen_require(`
type nscd_t;
')
nscd_domtrans($1)
role $2 types nscd_t;
dontaudit nscd_t $3:chr_file rw_term_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `nscd_run'($*)) dnl
')
########################################
##
## Execute the nscd init script with a domain transition.
##
##
##
## The type of the process performing this action.
##
##
#
define(`nscd_script_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `nscd_script_domtrans'($*)) dnl
# Let the caller domain run the nscd init script (nscd_script_exec_t)
# through the init-script transition helper. This is the hook the
# admin interface uses to start, stop and restart the service.
gen_require(`
type nscd_script_exec_t;
')
init_script_domtrans_spec($1,nscd_script_exec_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `nscd_script_domtrans'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an nscd environment
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed to manage the nscd domain.
##
##
##
##
## The type of the user terminal.
##
##
##
#
define(`nscd_admin',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `nscd_admin'($*)) dnl
# Administrative access to the nscd service for the first parameter
# (domain) and second parameter (role): process inspection and
# signals, running the init script with a role transition into
# system_r, and full management of the nscd log and pid files.
# The third parameter (terminal type) is accepted but not used here.
gen_require(`
type nscd_t;
type nscd_script_exec_t;
type nscd_log_t;
type nscd_var_run_t;
')
# ptrace is a strong grant: the admin domain can read nscd memory,
# which holds the cached passwd/group/host databases.
allow $1 nscd_t:process { ptrace signal_perms getattr };
read_files_pattern($1, nscd_t, nscd_t)
# Allow the admin domain to run the nscd init script (start, stop,
# restart); the role transition lets the script run as system_r.
nscd_script_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 nscd_script_exec_t system_r;
allow $2 system_r;
logging_list_logs($1)
manage_all_pattern($1,nscd_log_t)
files_list_pids($1)
manage_all_pattern($1,nscd_var_run_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `nscd_admin'($*)) dnl
')
## Authoritative only name server
########################################
##
## Send and receive datagrams from NSD. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`nsd_udp_chat',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `nsd_udp_chat'($*)) dnl
# Deprecated: grants nothing, only emits a build-time warning so
# remaining callers can be located and removed.
refpolicywarn(`$0($*) has been deprecated.')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `nsd_udp_chat'($*)) dnl
')
########################################
##
## Connect to NSD over a TCP socket (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`nsd_tcp_connect',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `nsd_tcp_connect'($*)) dnl
# Deprecated: grants nothing, only emits a build-time warning so
# remaining callers can be located and removed.
refpolicywarn(`$0($*) has been deprecated.')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `nsd_tcp_connect'($*)) dnl
')
## Network Top
## Network time protocol daemon
########################################
##
## NTP stub interface. No access allowed.
##
##
##
## N/A
##
##
#
define(`ntp_stub',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ntp_stub'($*)) dnl
# Grants no access. Its only effect is the require on ntpd_t, which
# lets a calling module reference the ntp domain (for example in an
# optional block) without pulling in any rules.
gen_require(`
type ntpd_t;
')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ntp_stub'($*)) dnl
')
########################################
##
## Execute ntp server in the ntpd domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`ntp_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ntp_domtrans'($*)) dnl
# Let the caller domain execute ntpd_exec_t (searched under bin) and
# transition into the ntpd_t daemon domain via domtrans_pattern.
gen_require(`
type ntpd_t, ntpd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1,ntpd_exec_t,ntpd_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ntp_domtrans'($*)) dnl
')
########################################
##
## Execute ntpdate in the ntpd domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`ntp_domtrans_ntpdate',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ntp_domtrans_ntpdate'($*)) dnl
# Let the caller domain execute ntpdate_exec_t and transition into
# ntpd_t. Note that ntpdate shares the daemon domain rather than
# getting one of its own, so it runs with everything ntpd_t has.
gen_require(`
type ntpd_t, ntpdate_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1,ntpdate_exec_t,ntpd_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ntp_domtrans_ntpdate'($*)) dnl
')
########################################
##
## Execute the ntp init script with a domain transition.
##
##
##
## The type of the process performing this action.
##
##
#
define(`ntp_script_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ntp_script_domtrans'($*)) dnl
# Let the caller domain run the ntp init script (ntpd_script_exec_t)
# through the init-script transition helper; used by ntp_admin to
# start, stop and restart the service.
gen_require(`
type ntpd_script_exec_t;
')
init_script_domtrans_spec($1,ntpd_script_exec_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ntp_script_domtrans'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an ntp environment
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed to manage the ntp domain.
##
##
##
##
## The type of the user terminal.
##
##
##
#
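define(`ntp_admin',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ntp_admin'($*)) dnl
# Administrative access to the ntp service for the first parameter
# (domain) and second parameter (role): process inspection and
# signals, running the init script with a role transition into
# system_r, and full management of the ntp tmp, log, key and pid
# files. The third parameter (terminal type) is accepted but unused.
#
# The ntp process domain is ntpd_t and its init script type is
# ntpd_script_exec_t, as required by ntp_stub, ntp_domtrans and
# ntp_script_domtrans in this file; the ntp_t / ntp_script_exec_t
# names previously used here did not match those interfaces, so the
# process rules and the role transition referred to the wrong types.
# NOTE(review): the tmp, log, key, var_lib and pid type names below
# are kept as found - confirm them against the ntp module
# declarations, since the domain-side types use the ntpd_ prefix.
# ntp_var_lib_t is required but no rule below uses it.
gen_require(`
type ntpd_t;
type ntpd_script_exec_t;
type ntp_tmp_t;
type ntp_log_t;
type ntp_key_t;
type ntp_var_lib_t;
type ntp_var_run_t;
')
# ptrace is a strong grant: the admin domain can read daemon memory,
# which includes any loaded symmetric keys.
allow $1 ntpd_t:process { ptrace signal_perms getattr };
read_files_pattern($1, ntpd_t, ntpd_t)
# Allow the admin domain to run the ntp init script (start, stop,
# restart); the role transition lets the script run as system_r.
ntp_script_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 ntpd_script_exec_t system_r;
allow $2 system_r;
files_list_tmp($1)
manage_all_pattern($1,ntp_tmp_t)
logging_list_logs($1)
manage_all_pattern($1,ntp_log_t)
# Full management of the key file type: the admin can rotate or
# replace the keys, so only trusted admin domains should get this.
manage_all_pattern($1,ntp_key_t)
files_list_pids($1)
manage_all_pattern($1,ntp_var_run_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ntp_admin'($*)) dnl
')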
## NX remote desktop
########################################
##
## Transition to NX server.
##
##
##
## Domain allowed access.
##
##
#
define(`nx_spec_domtrans_server',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `nx_spec_domtrans_server'($*)) dnl
# Transition from the caller domain into nx_server_t when executing
# nx_server_exec_t. This uses domain_trans rather than
# domain_auto_trans, so - presumably - no default type_transition is
# installed and the caller must request the transition explicitly
# (as the spec in the interface name suggests; confirm against the
# domain_trans definition).
gen_require(`
type nx_server_t, nx_server_exec_t;
')
domain_trans($1,nx_server_exec_t,nx_server_t)
allow nx_server_t $1:fd use;
allow nx_server_t $1:fifo_file rw_file_perms;
allow nx_server_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `nx_spec_domtrans_server'($*)) dnl
')
## Open AntiVirus scanner daemon and signature update
########################################
##
## Execute oav_update in the oav_update domain.
##
##
##
## Domain allowed access.
##
##
#
define(`oav_domtrans_update',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `oav_domtrans_update'($*)) dnl
# Let the caller domain execute oav_update_exec_t (searched under
# sbin) and automatically transition into oav_update_t, with the
# parent/child fd, fifo and sigchld plumbing written out by hand.
gen_require(`
type oav_update_t, oav_update_exec_t;
')
corecmd_search_sbin($1)
domain_auto_trans($1,oav_update_exec_t,oav_update_t)
# fd use is granted in both directions here (the caller may also use
# descriptors owned by oav_update_t), like nis_domtrans_ypbind.
allow $1 oav_update_t:fd use;
allow oav_update_t $1:fd use;
allow oav_update_t $1:fifo_file rw_file_perms;
allow oav_update_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `oav_domtrans_update'($*)) dnl
')
########################################
##
## Execute oav_update in the oav_update domain, and
## allow the specified role the oav_update domain.
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed the oav_update domain.
##
##
##
##
## The type of the terminal the oav_update domain is allowed to use.
##
##
##
#
define(`oav_run_update',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `oav_run_update'($*)) dnl
# oav_domtrans_update for the first parameter, plus authorisation of
# the given role for oav_update_t and read/write access for the
# update domain to the given terminal type, so an interactive user in
# that role can run the updater and see its output.
gen_require(`
type oav_update_t;
')
oav_domtrans_update($1)
role $2 types oav_update_t;
allow oav_update_t $3:chr_file rw_term_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `oav_run_update'($*)) dnl
')
##
## Oddjob provides a mechanism by which unprivileged applications can
## request that specified privileged operations be performed on their
## behalf.
##
########################################
##
## Execute a domain transition to run oddjob.
##
##
##
## Domain allowed to transition.
##
##
#
define(`oddjob_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `oddjob_domtrans'($*)) dnl
# Let the caller domain execute oddjob_exec_t and automatically
# transition into oddjob_t. No bin/sbin search is granted here, unlike
# the other domtrans interfaces in this file; callers are expected to
# already be able to reach the binary.
gen_require(`
type oddjob_t, oddjob_exec_t;
')
domain_auto_trans($1,oddjob_exec_t,oddjob_t)
allow oddjob_t $1:fd use;
allow oddjob_t $1:fifo_file rw_file_perms;
allow oddjob_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `oddjob_domtrans'($*)) dnl
')
########################################
##
## Make the specified program domain accessible
## from oddjob (oddjob may transition into it).
##
##
##
## The type of the process to transition to.
##
##
##
##
## The type of the file used as an entrypoint to this domain.
##
##
#
define(`oddjob_system_entry',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `oddjob_system_entry'($*)) dnl
# Register a helper domain that oddjob may launch: when oddjob_t
# executes a file of the entrypoint type (second parameter) it
# transitions into the target domain (first parameter). Note the
# reversed argument order compared with the other domtrans
# interfaces - oddjob_t is the source here, the parameters describe
# the destination.
# This is the privilege boundary of oddjob (unprivileged callers ask
# oddjob to run these helpers), so every entrypoint type passed in
# must label only trusted executables.
gen_require(`
type oddjob_t;
')
domain_auto_trans(oddjob_t, $2, $1)
# The helper may use descriptors and pipes inherited from oddjob_t
# and report its exit to it.
allow $1 oddjob_t:fd use;
allow $1 oddjob_t:fifo_file rw_file_perms;
allow $1 oddjob_t:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `oddjob_system_entry'($*)) dnl
')
########################################
##
## Send and receive messages from
## oddjob over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`oddjob_dbus_chat',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `oddjob_dbus_chat'($*)) dnl
# Bidirectional D-Bus messaging between the caller domain and
# oddjob_t. Being able to message oddjob is what lets a domain request
# privileged operations from it, so grant this only to domains that
# are meant to be oddjob clients.
gen_require(`
type oddjob_t;
class dbus send_msg;
')
allow $1 oddjob_t:dbus send_msg;
allow oddjob_t $1:dbus send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `oddjob_dbus_chat'($*)) dnl
')
########################################
##
## Execute a domain transition to run oddjob_mkhomedir.
##
##
##
## Domain allowed to transition.
##
##
#
define(`oddjob_domtrans_mkhomedir',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `oddjob_domtrans_mkhomedir'($*)) dnl
# Let the caller domain execute oddjob_mkhomedir_exec_t and
# automatically transition into oddjob_mkhomedir_t, with the usual
# parent/child fd, fifo and sigchld plumbing. No bin/sbin search is
# granted here.
gen_require(`
type oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t;
')
domain_auto_trans($1,oddjob_mkhomedir_exec_t,oddjob_mkhomedir_t)
allow oddjob_mkhomedir_t $1:fd use;
allow oddjob_mkhomedir_t $1:fifo_file rw_file_perms;
allow oddjob_mkhomedir_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `oddjob_domtrans_mkhomedir'($*)) dnl
')
## OpenCA - Open Certificate Authority
########################################
##
## Execute the OpenCA program with
## a domain transition.
##
##
##
## Domain allowed access.
##
##
#
define(`openca_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `openca_domtrans'($*)) dnl
# Let the caller domain execute openca_ca_exec_t and automatically
# transition into openca_ca_t. The caller also gets search on the
# OpenCA share directory under /usr, where the executable is reached.
gen_require(`
type openca_ca_t, openca_ca_exec_t, openca_usr_share_t;
')
domain_auto_trans($1,openca_ca_exec_t,openca_ca_t)
allow $1 openca_usr_share_t:dir search_dir_perms;
files_search_usr($1)
allow openca_ca_t $1:fd use;
allow openca_ca_t $1:fifo_file rw_file_perms;
allow openca_ca_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `openca_domtrans'($*)) dnl
')
########################################
##
## Send OpenCA generic signals.
##
##
##
## Domain allowed access.
##
##
#
define(`openca_signal',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `openca_signal'($*)) dnl
# Generic signals to openca_ca_t only; sigstop and sigkill have their
# own interfaces below.
gen_require(`
type openca_ca_t;
')
allow $1 openca_ca_t:process signal;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `openca_signal'($*)) dnl
')
########################################
##
## Send OpenCA stop signals.
##
##
##
## Domain allowed access.
##
##
#
define(`openca_sigstop',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `openca_sigstop'($*)) dnl
# sigstop only: the caller can suspend openca_ca_t but gets no other
# signal permission from this interface.
gen_require(`
type openca_ca_t;
')
allow $1 openca_ca_t:process sigstop;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `openca_sigstop'($*)) dnl
')
########################################
##
## Kill OpenCA.
##
##
##
## Domain allowed access.
##
##
#
define(`openca_kill',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `openca_kill'($*)) dnl
# sigkill only: the caller can terminate openca_ca_t outright but gets
# no other signal permission from this interface.
gen_require(`
type openca_ca_t;
')
allow $1 openca_ca_t:process sigkill;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `openca_kill'($*)) dnl
')
## Service for handling smart card readers.
## full-featured SSL VPN solution
########################################
##
## Execute OPENVPN clients in the openvpn domain.
##
##
##
## Domain allowed access.
##
##
#
define(`openvpn_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `openvpn_domtrans'($*)) dnl
# Let the caller domain execute openvpn_exec_t and transition into
# openvpn_t via domtrans_pattern. No bin/sbin search is granted here.
gen_require(`
type openvpn_t, openvpn_exec_t;
')
domtrans_pattern($1, openvpn_exec_t, openvpn_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `openvpn_domtrans'($*)) dnl
')
########################################
##
## Execute OPENVPN clients in the openvpn domain, and
## allow the specified role the openvpn domain.
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed the openvpn domain.
##
##
##
##
## The type of the terminal the openvpn domain is allowed to use.
##
##
##
#
define(`openvpn_run',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `openvpn_run'($*)) dnl
# openvpn_domtrans for the first parameter, plus authorisation of the
# given role for openvpn_t and read/write access for openvpn_t to the
# given terminal type, so an interactive user in that role can run
# the client and see its output.
gen_require(`
type openvpn_t;
')
openvpn_domtrans($1)
role $2 types openvpn_t;
allow openvpn_t $3:chr_file rw_term_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `openvpn_run'($*)) dnl
')
########################################
##
## Send generic signals to OPENVPN clients.
##
##
##
## Domain allowed access.
##
##
#
define(`openvpn_signal',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `openvpn_signal'($*)) dnl
gen_require(`
type openvpn_t;
')
# Generic signal permission only (not sigkill, sigstop or sigchld);
# those have their own interfaces.
allow $1 openvpn_t:process signal;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `openvpn_signal'($*)) dnl
')
########################################
##
## Send sigkills to OPENVPN clients.
##
##
##
## Domain allowed access.
##
##
#
define(`openvpn_sigkill',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `openvpn_sigkill'($*)) dnl
gen_require(`
type openvpn_t;
')
# $1 may terminate openvpn_t processes with SIGKILL.
allow $1 openvpn_t:process sigkill;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `openvpn_sigkill'($*)) dnl
')
########################################
##
## Send signulls to OPENVPN clients.
##
##
##
## Domain allowed access.
##
##
#
define(`openvpn_signull',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `openvpn_signull'($*)) dnl
gen_require(`
type openvpn_t;
')
# signull is the existence check (kill with signal 0); it lets $1 tell
# whether an openvpn_t process is alive without affecting it.
allow $1 openvpn_t:process signull;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `openvpn_signull'($*)) dnl
')
########################################
##
## Allow the specified domain to read
## OpenVPN configuration files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`openvpn_read_config',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `openvpn_read_config'($*)) dnl
gen_require(`
type openvpn_etc_t;
')
# Read-only view of the openvpn configuration tree: search the etc
# directory, list openvpn_etc_t directories, read files and symlinks.
# No write permission is granted, so $1 cannot alter VPN settings.
files_search_etc($1)
allow $1 openvpn_etc_t:dir list_dir_perms;
read_files_pattern($1,openvpn_etc_t,openvpn_etc_t)
read_lnk_files_pattern($1,openvpn_etc_t,openvpn_etc_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `openvpn_read_config'($*)) dnl
')
########################################
##
## Execute openvpn server in the openvpn domain.
##
##
##
## The type of the process performing this action.
##
##
#
#
define(`openvpn_script_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `openvpn_script_domtrans'($*)) dnl
gen_require(`
type openvpn_script_exec_t;
')
# $1 may run the openvpn init script (openvpn_script_exec_t) through the
# init-script transition provided by init_script_domtrans_spec.
init_script_domtrans_spec($1,openvpn_script_exec_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `openvpn_script_domtrans'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an openvpn environment
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed to manage the openvpn domain.
##
##
##
##
## The type of the user terminal.
##
##
##
#
define(`openvpn_admin',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `openvpn_admin'($*)) dnl
# Full administrative control of openvpn for domain $1 and role $2:
# process inspection and signals, init-script execution with a role
# change to system_r, and management of config, log and pid objects.
# $3 (terminal type) is accepted but not referenced below.
gen_require(`
type openvpn_t;
type openvpn_script_exec_t;
type openvpn_etc_t;
type openvpn_var_log_t;
type openvpn_var_run_t;
')
# ptrace lets $1 inspect and modify any openvpn_t process; only grant
# this interface to genuine admin domains.
allow $1 openvpn_t:process { ptrace signal_perms getattr };
# NOTE(review): this reads files labeled with the process type
# openvpn_t (in practice the /proc entries of openvpn processes);
# refpolicy usually expresses that as ps_process_pattern - confirm.
read_files_pattern($1, openvpn_t, openvpn_t)
# Allow $1 to run the openvpn init script; executing it from role $2
# switches the role to system_r, so $2 is also allowed system_r.
openvpn_script_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 openvpn_script_exec_t system_r;
allow $2 system_r;
files_list_etc($1)
manage_all_pattern($1,openvpn_etc_t)
logging_list_logs($1)
manage_all_pattern($1,openvpn_var_log_t)
files_list_pids($1)
manage_all_pattern($1,openvpn_var_run_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `openvpn_admin'($*)) dnl
')
## policy for pcscd
########################################
##
## Execute a domain transition to run pcscd.
##
##
##
## Domain allowed to transition.
##
##
#
define(`pcscd_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `pcscd_domtrans'($*)) dnl
gen_require(`
type pcscd_t, pcscd_exec_t;
')
# Older domain_auto_trans form (openvpn_domtrans above uses the
# domtrans_pattern helper instead).  The reverse rules let pcscd_t use
# the file descriptors and pipes inherited from $1 and deliver SIGCHLD
# back to $1 when it exits.
domain_auto_trans($1,pcscd_exec_t,pcscd_t)
allow pcscd_t $1:fd use;
allow pcscd_t $1:fifo_file rw_file_perms;
allow pcscd_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `pcscd_domtrans'($*)) dnl
')
########################################
##
## Read pcscd pub files.
##
##
##
## Domain allowed access.
##
##
#
define(`pcscd_read_pub_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `pcscd_read_pub_files'($*)) dnl
gen_require(`
type pcscd_var_run_t;
')
# Read-only access (r_file_perms) to pcscd runtime files; the pid
# directory search is needed to reach them.
files_search_pids($1)
allow $1 pcscd_var_run_t:file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `pcscd_read_pub_files'($*)) dnl
')
########################################
##
## Connect to pcscd over a unix stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`pcscd_stream_connect',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `pcscd_stream_connect'($*)) dnl
gen_require(`
type pcscd_t, pcscd_var_run_t;
')
# Connecting to a unix socket needs both write on the socket file in
# the pid directory and connectto on the listening socket of pcscd_t.
files_search_pids($1)
allow $1 pcscd_var_run_t:sock_file write;
allow $1 pcscd_t:unix_stream_socket connectto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `pcscd_stream_connect'($*)) dnl
')
## The Open Group Pegasus CIM/WBEM Server.
########################################
##
## Execute a domain transition to run pegasus.
##
##
##
## Domain allowed to transition.
##
##
#
define(`pegasus_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `pegasus_domtrans'($*)) dnl
gen_require(`
type pegasus_t, pegasus_exec_t;
')
# Under targeted policy the boolean pegasus_disable_trans selects
# between running pegasus unconfined in the caller domain (can_exec,
# no transition) and the normal transition to pegasus_t.  Other policy
# types always transition.
ifdef(`targeted_policy',`
if(pegasus_disable_trans) {
can_exec($1,pegasus_exec_t)
} else {
domain_auto_trans($1,pegasus_exec_t,pegasus_t)
}
', `
domain_auto_trans($1,pegasus_exec_t,pegasus_t)
')
# fd use is granted in both directions; pegasus_t may also use pipes
# inherited from $1 and send SIGCHLD back.
allow $1 pegasus_t:fd use;
allow pegasus_t $1:fd use;
allow pegasus_t $1:fifo_file rw_file_perms;
allow pegasus_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `pegasus_domtrans'($*)) dnl
')
## Perdition POP and IMAP proxy
########################################
##
## Connect to perdition over a TCP socket (Deprecated)
##
##
##
## The type of the process performing this action.
##
##
#
define(`perdition_tcp_connect',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `perdition_tcp_connect'($*)) dnl
# Deprecated stub: emits a build-time warning and grants no access.
refpolicywarn(`$0($*) has been deprecated.')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `perdition_tcp_connect'($*)) dnl
')
## policy for pki
########################################
##
## Execute pki_ca server in the pki_ca domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`pki_ca_script_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `pki_ca_script_domtrans'($*)) dnl
gen_require(`
attribute pki_ca_script;
')
# pki_ca_script is an attribute, so this covers the init script of
# every instance declared through pki_ca_template.
init_script_domtrans_spec($1,pki_ca_script)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `pki_ca_script_domtrans'($*)) dnl
')
########################################
##
## Create a set of derived types and rules for a
## pki_ca server domain.
##
##
##
## The prefix to be used for deriving type names.
##
##
#
define(`pki_ca_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `pki_ca_template'($*)) dnl
# Declares the $1_t domain and its file types, attaching each to the
# shared pki_ca_* attribute so the pki_ca_* interfaces apply to every
# instance.  The caller must already have declared $1_port_t; it is
# only required here, not created.
gen_require(`
attribute pki_ca_process;
attribute pki_ca_config, pki_ca_var_lib, pki_ca_var_run;
attribute pki_ca_executable, pki_ca_script, pki_ca_var_log;
type pki_ca_tomcat_exec_t;
type $1_port_t;
')
########################################
#
# Declarations
#
type $1_t, pki_ca_process;
type $1_exec_t, pki_ca_executable;
domain_type($1_t)
init_daemon_domain($1_t, $1_exec_t)
type $1_script_exec_t, pki_ca_script;
init_script_file($1_script_exec_t)
type $1_etc_rw_t, pki_ca_config;
files_type($1_etc_rw_t)
type $1_var_run_t, pki_ca_var_run;
files_pid_file($1_var_run_t)
type $1_var_lib_t, pki_ca_var_lib;
files_type($1_var_lib_t)
type $1_log_t, pki_ca_var_log;
logging_log_file($1_log_t)
########################################
#
# $1 local policy
#
# Execstack/execmem caused by java app.
# These relax W^X for the whole domain (writable+executable memory);
# they are a JVM requirement, not something the CA itself needs.
allow $1_t self:process { execstack execmem getsched setsched };
## internal communication is often done using fifo and unix sockets.
allow $1_t self:fifo_file rw_file_perms;
allow $1_t self:unix_stream_socket create_stream_socket_perms;
allow $1_t self:tcp_socket create_stream_socket_perms;
allow $1_t self:process signull;
# Listening and outbound connections are tied to the per-instance
# $1_port_t plus the ocsp port below.
allow $1_t $1_port_t:tcp_socket {name_bind name_connect};
# Broad network access: unlabeled peers, all interfaces and nodes, and
# TCP send/receive on all ports.  Binding is still limited to the node
# types (bind_all_nodes) and the ports named above and below.
corenet_all_recvfrom_unlabeled($1_t)
corenet_tcp_sendrecv_all_if($1_t)
corenet_tcp_sendrecv_all_nodes($1_t)
corenet_tcp_sendrecv_all_ports($1_t)
corenet_tcp_bind_all_nodes($1_t)
corenet_tcp_bind_ocsp_port($1_t)
corenet_tcp_connect_ocsp_port($1_t)
# This is for /etc/$1/tomcat.conf:
can_exec($1_t, pki_ca_tomcat_exec_t)
# Init script handling
domain_use_interactive_fds($1_t)
files_read_etc_files($1_t)
# The domain manages its own config, pid, lib and log types and gets
# file/dir transitions so new objects land in the private types.
manage_dirs_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t)
manage_files_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t)
files_etc_filetrans($1_t,$1_etc_rw_t, { file dir })
manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)
manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
files_pid_filetrans($1_t,$1_var_run_t, { file dir })
manage_dirs_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
manage_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
read_lnk_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
files_var_lib_filetrans($1_t, $1_var_lib_t, { file dir } )
manage_dirs_pattern($1_t, $1_log_t, $1_log_t)
manage_files_pattern($1_t, $1_log_t, $1_log_t)
logging_log_filetrans($1_t, $1_log_t, { file dir } )
corecmd_exec_bin($1_t)
corecmd_read_bin_symlinks($1_t)
corecmd_exec_shell($1_t)
dev_list_sysfs($1_t)
# Both random devices: key generation for the CA needs entropy.
dev_read_rand($1_t)
dev_read_urand($1_t)
# Java is looking in /tmp for some reason...:
# NOTE(review): this manages the generic tmp types rather than a
# private $1_tmp_t, so tmp objects are shared with other domains that
# use the generic types - a private tmp type would be tighter.
files_manage_generic_tmp_dirs($1_t)
files_manage_generic_tmp_files($1_t)
files_read_usr_files($1_t)
files_read_usr_symlinks($1_t)
# These are used to read tomcat class files in /var/lib/tomcat
files_read_var_lib_files($1_t)
files_read_var_lib_symlinks($1_t)
kernel_read_network_state($1_t)
kernel_read_system_state($1_t)
kernel_search_network_state($1_t)
# audit2allow
# Added from an audit2allow denial; the reason it is needed is not
# recorded.
kernel_signull_unlabeled($1_t)
auth_use_nsswitch($1_t)
init_dontaudit_write_utmp($1_t)
libs_use_ld_so($1_t)
libs_use_shared_libs($1_t)
miscfiles_read_localization($1_t)
ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_ttys($1_t)
term_dontaudit_use_generic_ptys($1_t)
')
#This is broken in selinux-policy we need java_exec defined, Will add to policy
# java_exec_t is not declared by this template; requiring it here makes
# every caller of the template depend on the policy that declares it.
gen_require(`
type java_exec_t;
')
can_exec($1_t, java_exec_t)
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `pki_ca_template'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## a pki_ca environment
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed to manage the pki_ca domain.
##
##
##
##
## The type of the user terminal.
##
##
##
#
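define(`pki_ca_admin',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `pki_ca_admin'($*)) dnl
# Full administrative control of every pki_ca instance for domain $1
# and role $2: process inspection and signals, init-script execution
# with a role change to system_r, and management of config, runtime,
# lib and log objects.  $3 (terminal type) is accepted but not used.
# pki_ca_t is required because ps_process_pattern references it.
# pki_ca_executable and pki_ca_pidfiles are required but not
# referenced by any rule below.
gen_require(`
type pki_ca_t;
type pki_ca_tomcat_exec_t;
attribute pki_ca_process;
attribute pki_ca_config;
attribute pki_ca_executable;
attribute pki_ca_var_lib;
attribute pki_ca_var_log;
attribute pki_ca_var_run;
attribute pki_ca_pidfiles;
attribute pki_ca_script;
')
# ptrace over every pki_ca process: grant only to real admin domains.
allow $1 pki_ca_process:process { ptrace signal_perms };
ps_process_pattern($1, pki_ca_t)
# Allow $1 to restart the service through its init script; executing
# the script from role $2 switches the role to system_r.
pki_ca_script_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 pki_ca_script system_r;
allow $2 system_r;
# One manage rule per attribute.
manage_all_pattern($1, pki_ca_config)
manage_all_pattern($1, pki_ca_var_run)
manage_all_pattern($1, pki_ca_var_lib)
manage_all_pattern($1, pki_ca_var_log)
# Write access to the tomcat launcher lets $1 change what the CA runs.
manage_all_pattern($1, pki_ca_tomcat_exec_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `pki_ca_admin'($*)) dnl
')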
########################################
##
## Execute pki_kra server in the pki_kra domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`pki_kra_script_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `pki_kra_script_domtrans'($*)) dnl
gen_require(`
attribute pki_kra_script;
')
# pki_kra_script is an attribute, so this covers the init script of
# every pki_kra instance.
init_script_domtrans_spec($1,pki_kra_script)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `pki_kra_script_domtrans'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## a pki_kra environment
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed to manage the pki_kra domain.
##
##
##
##
## The type of the user terminal.
##
##
##
#
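define(`pki_kra_admin',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `pki_kra_admin'($*)) dnl
# Full administrative control of every pki_kra instance for domain $1
# and role $2: process inspection and signals, init-script execution
# with a role change to system_r, and management of config, runtime,
# lib and log objects.  $3 (terminal type) is accepted but not used.
# pki_kra_t is required because ps_process_pattern references it.
# pki_kra_executable and pki_kra_pidfiles are required but not
# referenced by any rule below.
gen_require(`
type pki_kra_t;
type pki_kra_tomcat_exec_t;
attribute pki_kra_process;
attribute pki_kra_config;
attribute pki_kra_executable;
attribute pki_kra_var_lib;
attribute pki_kra_var_log;
attribute pki_kra_var_run;
attribute pki_kra_pidfiles;
attribute pki_kra_script;
')
# ptrace over every pki_kra process: grant only to real admin domains.
allow $1 pki_kra_process:process { ptrace signal_perms };
ps_process_pattern($1, pki_kra_t)
# Allow $1 to restart the service through its init script; executing
# the script from role $2 switches the role to system_r.
pki_kra_script_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 pki_kra_script system_r;
allow $2 system_r;
# One manage rule per attribute.
manage_all_pattern($1, pki_kra_config)
manage_all_pattern($1, pki_kra_var_run)
manage_all_pattern($1, pki_kra_var_lib)
manage_all_pattern($1, pki_kra_var_log)
# Write access to the tomcat launcher lets $1 change what the KRA runs.
manage_all_pattern($1, pki_kra_tomcat_exec_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `pki_kra_admin'($*)) dnl
')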
########################################
##
## Execute pki_ocsp server in the pki_ocsp domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`pki_ocsp_script_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `pki_ocsp_script_domtrans'($*)) dnl
gen_require(`
attribute pki_ocsp_script;
')
# pki_ocsp_script is an attribute, so this covers the init script of
# every pki_ocsp instance.
init_script_domtrans_spec($1,pki_ocsp_script)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `pki_ocsp_script_domtrans'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## a pki_ocsp environment
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed to manage the pki_ocsp domain.
##
##
##
##
## The type of the user terminal.
##
##
##
#
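define(`pki_ocsp_admin',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `pki_ocsp_admin'($*)) dnl
# Full administrative control of every pki_ocsp instance for domain $1
# and role $2: process inspection and signals, init-script execution
# with a role change to system_r, and management of config, runtime,
# lib and log objects.  $3 (terminal type) is accepted but not used.
# pki_ocsp_t is required because ps_process_pattern references it.
# pki_ocsp_executable and pki_ocsp_pidfiles are required but not
# referenced by any rule below.
gen_require(`
type pki_ocsp_t;
type pki_ocsp_tomcat_exec_t;
attribute pki_ocsp_process;
attribute pki_ocsp_config;
attribute pki_ocsp_executable;
attribute pki_ocsp_var_lib;
attribute pki_ocsp_var_log;
attribute pki_ocsp_var_run;
attribute pki_ocsp_pidfiles;
attribute pki_ocsp_script;
')
# ptrace over every pki_ocsp process: grant only to real admin domains.
allow $1 pki_ocsp_process:process { ptrace signal_perms };
ps_process_pattern($1, pki_ocsp_t)
# Allow $1 to restart the service through its init script; executing
# the script from role $2 switches the role to system_r.
pki_ocsp_script_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 pki_ocsp_script system_r;
allow $2 system_r;
# One manage rule per attribute.
manage_all_pattern($1, pki_ocsp_config)
manage_all_pattern($1, pki_ocsp_var_run)
manage_all_pattern($1, pki_ocsp_var_lib)
manage_all_pattern($1, pki_ocsp_var_log)
# Write access to the tomcat launcher lets $1 change what the responder runs.
manage_all_pattern($1, pki_ocsp_tomcat_exec_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `pki_ocsp_admin'($*)) dnl
')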
########################################
##
## Execute pki_ra server in the pki_ra domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`pki_ra_script_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `pki_ra_script_domtrans'($*)) dnl
gen_require(`
attribute pki_ra_script;
')
# pki_ra_script is an attribute, so this covers the init script of
# every instance declared through pki_ra_template.
init_script_domtrans_spec($1,pki_ra_script)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `pki_ra_script_domtrans'($*)) dnl
')
########################################
##
## Create a set of derived types and rules for a
## pki_ra server domain.
##
##
##
## The prefix to be used for deriving type names.
##
##
#
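define(`pki_ra_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `pki_ra_template'($*)) dnl
# Declares the $1_t domain and its file types, attaching each to the
# shared pki_ra_* attribute so the pki_ra_* interfaces apply to every
# instance.  Unlike pki_ca_template this instance has no port type and
# no pid type.
gen_require(`
attribute pki_ra_process;
attribute pki_ra_config, pki_ra_var_lib;
attribute pki_ra_executable, pki_ra_script, pki_ra_var_log;
')
########################################
#
# Declarations
#
type $1_t, pki_ra_process;
type $1_exec_t, pki_ra_executable;
domain_type($1_t)
init_daemon_domain($1_t, $1_exec_t)
type $1_script_exec_t, pki_ra_script;
init_script_file($1_script_exec_t)
type $1_etc_rw_t, pki_ra_config;
files_type($1_etc_rw_t)
type $1_var_lib_t, pki_ra_var_lib;
files_type($1_var_lib_t)
type $1_log_t, pki_ra_var_log;
logging_log_file($1_log_t)
########################################
#
# $1 local policy
#
## internal communication is often done using fifo and unix sockets.
allow $1_t self:fifo_file rw_file_perms;
allow $1_t self:unix_stream_socket create_stream_socket_perms;
# Init script handling
domain_use_interactive_fds($1_t)
files_read_etc_files($1_t)
# The domain manages its own config, lib and log types and gets
# file/dir transitions so new objects land in the private types.
manage_dirs_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t)
manage_files_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t)
files_etc_filetrans($1_t,$1_etc_rw_t, { file dir })
manage_dirs_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
manage_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
read_lnk_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
files_var_lib_filetrans($1_t, $1_var_lib_t, { file dir } )
manage_dirs_pattern($1_t, $1_log_t, $1_log_t)
manage_files_pattern($1_t, $1_log_t, $1_log_t)
logging_log_filetrans($1_t, $1_log_t, { file dir } )
init_dontaudit_write_utmp($1_t)
libs_use_ld_so($1_t)
libs_use_shared_libs($1_t)
miscfiles_read_localization($1_t)
ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_ttys($1_t)
term_dontaudit_use_generic_ptys($1_t)
')
# NOTE(review): httpd_t is required unconditionally, so every caller of
# this template depends on the apache policy being present - consider
# an optional_policy block if that is not always the case.
gen_require(`
type httpd_t;
')
# Read-only access for httpd_t to the config, log and var_lib symlinks
# of THIS instance.  The types are derived from the $1 prefix like the
# declarations above, so the rules follow the instance rather than a
# hard-coded pki_ra_* name.
allow httpd_t $1_etc_rw_t:file { read getattr };
allow httpd_t $1_log_t:file read;
allow httpd_t $1_var_lib_t:lnk_file read;
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `pki_ra_template'($*)) dnl
')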
########################################
##
## All of the rules required to administrate
## a pki_ra environment
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed to manage the pki_ra domain.
##
##
##
##
## The type of the user terminal.
##
##
##
#
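define(`pki_ra_admin',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `pki_ra_admin'($*)) dnl
# Full administrative control of every pki_ra instance for domain $1
# and role $2: process inspection and signals, init-script execution
# with a role change to system_r, and management of config, lib and
# log objects.  $3 (terminal type) is accepted but not used.
# pki_ra_t is required because ps_process_pattern references it.
# pki_ra_executable is required but not referenced by any rule below.
gen_require(`
type pki_ra_t;
attribute pki_ra_process;
attribute pki_ra_config;
attribute pki_ra_executable;
attribute pki_ra_var_lib;
attribute pki_ra_var_log;
attribute pki_ra_script;
')
# ptrace over every pki_ra process: grant only to real admin domains.
allow $1 pki_ra_process:process { ptrace signal_perms };
ps_process_pattern($1, pki_ra_t)
# Allow $1 to restart the service through its init script; executing
# the script from role $2 switches the role to system_r.
pki_ra_script_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 pki_ra_script system_r;
allow $2 system_r;
# One manage rule per attribute.
manage_all_pattern($1, pki_ra_config)
manage_all_pattern($1, pki_ra_var_lib)
manage_all_pattern($1, pki_ra_var_log)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `pki_ra_admin'($*)) dnl
')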
########################################
##
## Execute pki_tks server in the pki_tks domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`pki_tks_script_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `pki_tks_script_domtrans'($*)) dnl
gen_require(`
attribute pki_tks_script;
')
# pki_tks_script is an attribute, so this covers the init script of
# every pki_tks instance.
init_script_domtrans_spec($1,pki_tks_script)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `pki_tks_script_domtrans'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## a pki_tks environment
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed to manage the pki_tks domain.
##
##
##
##
## The type of the user terminal.
##
##
##
#
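define(`pki_tks_admin',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `pki_tks_admin'($*)) dnl
# Full administrative control of every pki_tks instance for domain $1
# and role $2: process inspection and signals, init-script execution
# with a role change to system_r, and management of config, runtime,
# lib and log objects.  $3 (terminal type) is accepted but not used.
# pki_tks_t is required because ps_process_pattern references it.
# pki_tks_executable and pki_tks_pidfiles are required but not
# referenced by any rule below.
gen_require(`
type pki_tks_t;
type pki_tks_tomcat_exec_t;
attribute pki_tks_process;
attribute pki_tks_config;
attribute pki_tks_executable;
attribute pki_tks_var_lib;
attribute pki_tks_var_log;
attribute pki_tks_var_run;
attribute pki_tks_pidfiles;
attribute pki_tks_script;
')
# ptrace over every pki_tks process: grant only to real admin domains.
allow $1 pki_tks_process:process { ptrace signal_perms };
ps_process_pattern($1, pki_tks_t)
# Allow $1 to restart the service through its init script; executing
# the script from role $2 switches the role to system_r.
pki_tks_script_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 pki_tks_script system_r;
allow $2 system_r;
# One manage rule per attribute.
manage_all_pattern($1, pki_tks_config)
manage_all_pattern($1, pki_tks_var_run)
manage_all_pattern($1, pki_tks_var_lib)
manage_all_pattern($1, pki_tks_var_log)
# Write access to the tomcat launcher lets $1 change what the TKS runs.
manage_all_pattern($1, pki_tks_tomcat_exec_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `pki_tks_admin'($*)) dnl
')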
########################################
##
## Execute pki_tps server in the pki_tps domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`pki_tps_script_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `pki_tps_script_domtrans'($*)) dnl
gen_require(`
attribute pki_tps_script;
')
# pki_tps_script is an attribute, so this covers the init script of
# every pki_tps instance.
init_script_domtrans_spec($1,pki_tps_script)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `pki_tps_script_domtrans'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## a pki_tps environment
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed to manage the pki_tps domain.
##
##
##
##
## The type of the user terminal.
##
##
##
#
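define(`pki_tps_admin',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `pki_tps_admin'($*)) dnl
# Full administrative control of every pki_tps instance for domain $1
# and role $2: process inspection and signals, init-script execution
# with a role change to system_r, and management of config, lib and
# log objects.  $3 (terminal type) is accepted but not used.
# pki_tps_t is required because ps_process_pattern references it.
# pki_tps_executable is required but not referenced by any rule below.
gen_require(`
type pki_tps_t;
attribute pki_tps_process;
attribute pki_tps_config;
attribute pki_tps_executable;
attribute pki_tps_var_lib;
attribute pki_tps_var_log;
attribute pki_tps_script;
')
# ptrace over every pki_tps process: grant only to real admin domains.
allow $1 pki_tps_process:process { ptrace signal_perms };
ps_process_pattern($1, pki_tps_t)
# Allow $1 to restart the service through its init script; executing
# the script from role $2 switches the role to system_r.
pki_tps_script_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 pki_tps_script system_r;
allow $2 system_r;
# One manage rule per attribute.
manage_all_pattern($1, pki_tps_config)
manage_all_pattern($1, pki_tps_var_lib)
manage_all_pattern($1, pki_tps_var_log)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `pki_tps_admin'($*)) dnl
')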
## RPC port mapping service.
########################################
##
## Execute portmap_helper in the helper domain.
##
##
##
## Domain allowed access.
##
##
#
define(`portmap_domtrans_helper',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `portmap_domtrans_helper'($*)) dnl
gen_require(`
type portmap_helper_t, portmap_helper_exec_t;
')
# Search of the bin directories is needed to reach the helper binary.
corecmd_search_bin($1)
# Older domain_auto_trans form.  fd use goes both ways; the helper may
# also use pipes inherited from $1 and send SIGCHLD back to $1.
domain_auto_trans($1,portmap_helper_exec_t,portmap_helper_t)
allow $1 portmap_helper_t:fd use;
allow portmap_helper_t $1:fd use;
allow portmap_helper_t $1:fifo_file rw_file_perms;
allow portmap_helper_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `portmap_domtrans_helper'($*)) dnl
')
########################################
##
## Execute portmap helper in the helper domain, and
## allow the specified role the helper domain.
## Communicate with portmap.
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed the portmap domain.
##
##
##
##
## The type of the terminal the portmap helper domain is allowed to use.
##
##
##
#
define(`portmap_run_helper',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `portmap_run_helper'($*)) dnl
# portmap_t is required but no rule below references it; only
# portmap_helper_t is used.
gen_require(`
type portmap_t, portmap_helper_t;
')
# $1 = calling domain, $2 = role allowed to hold portmap_helper_t,
# $3 = terminal type the helper may read, write, stat and ioctl.
portmap_domtrans_helper($1)
role $2 types portmap_helper_t;
allow portmap_helper_t $3:chr_file { getattr read write ioctl };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `portmap_run_helper'($*)) dnl
')
########################################
##
## Send UDP network traffic to portmap. (Deprecated)
##
##
##
## The type of the process performing this action.
##
##
#
define(`portmap_udp_send',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `portmap_udp_send'($*)) dnl
# Deprecated stub: emits a build-time warning and grants no access.
refpolicywarn(`$0($*) has been deprecated.')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `portmap_udp_send'($*)) dnl
')
########################################
##
## Send and receive UDP network traffic from portmap. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`portmap_udp_chat',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `portmap_udp_chat'($*)) dnl
# Deprecated stub: emits a build-time warning and grants no access.
refpolicywarn(`$0($*) has been deprecated.')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `portmap_udp_chat'($*)) dnl
')
########################################
##
## Connect to portmap over a TCP socket (Deprecated)
##
##
##
## The type of the process performing this action.
##
##
#
define(`portmap_tcp_connect',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `portmap_tcp_connect'($*)) dnl
# Deprecated stub: emits a build-time warning and grants no access.
refpolicywarn(`$0($*) has been deprecated.')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `portmap_tcp_connect'($*)) dnl
')
## Portslave terminal server software
########################################
##
## Execute portslave with a domain transition.
##
##
##
## Domain allowed to transition.
##
##
#
define(`portslave_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `portslave_domtrans'($*)) dnl
gen_require(`
type portslave_t, portslave_exec_t;
')
# Older domain_auto_trans form.  fd use goes both ways; portslave_t may
# also use pipes inherited from $1 and send SIGCHLD back to $1.
domain_auto_trans($1,portslave_exec_t,portslave_t)
allow $1 portslave_t:fd use;
allow portslave_t $1:fd use;
allow portslave_t $1:fifo_file rw_file_perms;
allow portslave_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `portslave_domtrans'($*)) dnl
')
## Postfix email server
########################################
##
## Postfix stub interface. No access allowed.
##
##
##
## N/A
##
##
#
define(`postfix_stub',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `postfix_stub'($*)) dnl
gen_require(`
type postfix_master_t;
')
# Stub: only the require block above is emitted (recording a dependency on
# postfix_master_t); no allow rules, so no access is granted to the caller.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `postfix_stub'($*)) dnl
')
########################################
##
## Creates types and rules for a basic
## postfix process domain.
##
##
##
## Prefix for the domain.
##
##
#
define(`postfix_domain_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `postfix_domain_template'($*)) dnl
# Declare the process domain postfix_$1_t and its entrypoint type
# postfix_$1_exec_t, and bind the domain to the system role.
type postfix_$1_t;
type postfix_$1_exec_t;
domain_type(postfix_$1_t)
domain_entry_file(postfix_$1_t,postfix_$1_exec_t)
role system_r types postfix_$1_t;
# Self permissions: signals, setpgid, and unix datagram/stream sockets,
# including connecting to its own stream sockets.
dontaudit postfix_$1_t self:capability sys_tty_config;
allow postfix_$1_t self:process { signal_perms setpgid };
allow postfix_$1_t self:unix_dgram_socket create_socket_perms;
allow postfix_$1_t self:unix_stream_socket create_stream_socket_perms;
allow postfix_$1_t self:unix_stream_socket connectto;
# The master process may signal this domain; this domain may read config,
# re-execute its own entrypoint WITHOUT a domain transition (can_exec), and
# execute the generic postfix_exec_t binaries in place.
allow postfix_master_t postfix_$1_t:process signal;
allow postfix_$1_t postfix_etc_t:dir r_dir_perms;
allow postfix_$1_t postfix_etc_t:file r_file_perms;
can_exec(postfix_$1_t, postfix_$1_exec_t)
allow postfix_$1_t postfix_exec_t:file rx_file_perms;
allow postfix_$1_t postfix_master_t:process sigchld;
allow postfix_$1_t postfix_master_t:file read;
allow postfix_$1_t postfix_spool_t:dir r_dir_perms;
# Pid files: full manage rights on postfix_var_run_t plus an automatic
# type transition when creating files in the pid directory.
allow postfix_$1_t postfix_var_run_t:file manage_file_perms;
files_pid_filetrans(postfix_$1_t,postfix_var_run_t,file)
# Kernel/device read access. kernel_read_all_sysctls is wide for a mail
# daemon; presumably inherited from the monolithic policy -- worth confirming
# per derived domain.
kernel_read_system_state(postfix_$1_t)
kernel_read_network_state(postfix_$1_t)
kernel_read_all_sysctls(postfix_$1_t)
dev_read_sysfs(postfix_$1_t)
dev_read_rand(postfix_$1_t)
dev_read_urand(postfix_$1_t)
fs_search_auto_mountpoints(postfix_$1_t)
fs_getattr_xattr_fs(postfix_$1_t)
term_dontaudit_use_console(postfix_$1_t)
# Command execution: note corecmd_exec_shell lets every postfix_$1_t domain
# run a shell in its own domain, which every derived server/user domain
# inherits through this template.
corecmd_list_bin(postfix_$1_t)
corecmd_list_sbin(postfix_$1_t)
corecmd_read_bin_symlinks(postfix_$1_t)
corecmd_read_sbin_symlinks(postfix_$1_t)
corecmd_exec_shell(postfix_$1_t)
files_read_etc_files(postfix_$1_t)
files_read_etc_runtime_files(postfix_$1_t)
files_read_usr_symlinks(postfix_$1_t)
files_search_spool(postfix_$1_t)
files_getattr_tmp_dirs(postfix_$1_t)
init_use_fds(postfix_$1_t)
init_sigchld(postfix_$1_t)
auth_use_nsswitch(postfix_$1_t)
libs_use_ld_so(postfix_$1_t)
libs_use_shared_libs(postfix_$1_t)
logging_send_syslog_msg(postfix_$1_t)
miscfiles_read_localization(postfix_$1_t)
miscfiles_read_certs(postfix_$1_t)
userdom_dontaudit_use_unpriv_user_fds(postfix_$1_t)
# Targeted-policy only: silence tty/pty and root-file denials rather than
# granting them.
ifdef(`targeted_policy', `
term_dontaudit_use_unallocated_ttys(postfix_$1_t)
term_dontaudit_use_generic_ptys(postfix_$1_t)
files_dontaudit_read_root_files(postfix_$1_t)
')
# Optional cross-module access, applied only when those modules are present.
optional_policy(`
nscd_socket_use(postfix_$1_t)
')
optional_policy(`
udev_read_db(postfix_$1_t)
')
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `postfix_domain_template'($*)) dnl
')
########################################
##
## Creates a postfix server process domain.
##
##
##
## Prefix of the domain.
##
##
#
define(`postfix_server_domain_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `postfix_server_domain_template'($*)) dnl
# Builds on the base template, then adds what a master-spawned server needs.
postfix_domain_template($1)
# Capabilities: setuid/setgid for privilege dropping, plus dac_override,
# which bypasses discretionary file permission checks for the whole domain.
allow postfix_$1_t self:capability { setuid setgid dac_override };
allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
allow postfix_$1_t self:tcp_socket create_socket_perms;
allow postfix_$1_t self:udp_socket create_socket_perms;
# Only postfix_master_t transitions into this domain (hand-written
# domtrans rule set, as in the other domtrans interfaces of this file).
domain_auto_trans(postfix_master_t, postfix_$1_exec_t, postfix_$1_t)
allow postfix_master_t postfix_$1_t:fd use;
allow postfix_$1_t postfix_master_t:fd use;
allow postfix_$1_t postfix_master_t:fifo_file rw_file_perms;
allow postfix_$1_t postfix_master_t:process sigchld;
# Network: every server domain derived here may send/receive on all
# interfaces, nodes and ports, bind to all nodes, and connect to ALL TCP
# ports. This is the broadest network grant in the template and applies
# uniformly regardless of which server the prefix names; a derived domain
# that only needs mail ports could be narrowed by its own module.
corenet_non_ipsec_sendrecv(postfix_$1_t)
corenet_tcp_sendrecv_all_if(postfix_$1_t)
corenet_udp_sendrecv_all_if(postfix_$1_t)
corenet_tcp_sendrecv_all_nodes(postfix_$1_t)
corenet_udp_sendrecv_all_nodes(postfix_$1_t)
corenet_tcp_sendrecv_all_ports(postfix_$1_t)
corenet_udp_sendrecv_all_ports(postfix_$1_t)
corenet_tcp_bind_all_nodes(postfix_$1_t)
corenet_udp_bind_all_nodes(postfix_$1_t)
corenet_tcp_connect_all_ports(postfix_$1_t)
corenet_sendrecv_all_client_packets(postfix_$1_t)
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `postfix_server_domain_template'($*)) dnl
')
########################################
##
## Creates a process domain for programs
## that are run by users.
##
##
##
## Prefix of the domain.
##
##
#
define(`postfix_user_domain_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `postfix_user_domain_template'($*)) dnl
gen_require(`
attribute postfix_user_domains, postfix_user_domtrans;
')
# Base template, then tag the new domain with postfix_user_domains so
# postfix_per_role_template rules apply to it collectively.
postfix_domain_template($1)
typeattribute postfix_$1_t postfix_user_domains;
allow postfix_$1_t self:capability dac_override;
# The transition source is the ATTRIBUTE postfix_user_domtrans, i.e. every
# domain that postfix_domtrans_user_mail_handler has tagged, not a single
# fixed caller. Adding a domain to that attribute therefore opens a
# transition into every domain created by this template.
domain_auto_trans(postfix_user_domtrans, postfix_$1_exec_t, postfix_$1_t)
allow postfix_user_domtrans postfix_$1_t:fd use;
allow postfix_$1_t postfix_user_domtrans:fd use;
allow postfix_$1_t postfix_user_domtrans:fifo_file rw_file_perms;
allow postfix_$1_t postfix_user_domtrans:process sigchld;
domain_use_interactive_fds(postfix_$1_t)
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `postfix_user_domain_template'($*)) dnl
')
########################################
##
## The per role template for the postfix module.
##
##
##
## The prefix of the user domain.
## (e.g., user is the prefix of user_t)
##
##
##
##
## User domain type.
##
##
#
define(`postfix_per_role_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `postfix_per_role_template'($*)) dnl
gen_require(`
attribute postfix_user_domains;
type postfix_postdrop_t;
')
# NOTE(review): the body never references $1 (the prefix); it uses $2 as the
# user domain and $3 as the user role, but the interface header documents
# only two parameters. The role argument should be added to the header.
role $3 types postfix_postdrop_t;
# Every postfix user domain may signal SIGCHLD to, write to the pipes of,
# and use the inherited file descriptors of the user domain $2.
allow postfix_user_domains $2:process sigchld;
allow postfix_user_domains $2:fifo_file { write getattr };
allow postfix_user_domains $2:fd use;
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `postfix_per_role_template'($*)) dnl
')
########################################
##
## Read postfix configuration files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`postfix_read_config',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `postfix_read_config'($*)) dnl
gen_require(`
type postfix_etc_t;
')
# Read-only access to regular files and symlinks labelled postfix_etc_t,
# plus search on /etc so the path can be traversed.
read_files_pattern($1, postfix_etc_t, postfix_etc_t)
read_lnk_files_pattern($1, postfix_etc_t, postfix_etc_t)
files_search_etc($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `postfix_read_config'($*)) dnl
')
########################################
##
## Create files with the specified type in
## the postfix configuration directories.
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the object to be created.
##
##
##
##
## The object class of the object being created.
##
##
#
define(`postfix_config_filetrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `postfix_config_filetrans'($*)) dnl
gen_require(`
type postfix_etc_t;
')
files_search_etc($1)
# Grants read/WRITE on the postfix configuration directory itself, not just
# the ability to create one object: the caller can add and remove entries
# in postfix_etc_t directories. Objects of class $3 that the caller creates
# there are labelled with the caller-chosen type $2.
allow $1 postfix_etc_t:dir rw_dir_perms;
type_transition $1 postfix_etc_t:$3 $2;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `postfix_config_filetrans'($*)) dnl
')
########################################
##
## Do not audit attempts to read and
## write postfix local delivery
## TCP sockets.
##
##
##
## Domain to not audit.
##
##
#
define(`postfix_dontaudit_rw_local_tcp_sockets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `postfix_dontaudit_rw_local_tcp_sockets'($*)) dnl
gen_require(`
type postfix_local_t;
')
# Suppresses audit messages only; read/write on the local delivery TCP
# sockets stays denied for the caller.
dontaudit $1 postfix_local_t:tcp_socket { read write };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `postfix_dontaudit_rw_local_tcp_sockets'($*)) dnl
')
########################################
##
## Do not audit attempts to use
## postfix master process file
## file descriptors.
##
##
##
## Domain to not audit.
##
##
#
define(`postfix_dontaudit_use_fds',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `postfix_dontaudit_use_fds'($*)) dnl
gen_require(`
type postfix_master_t;
')
# Silence (do not grant) use of file descriptors inherited from the
# postfix master process.
dontaudit $1 postfix_master_t:fd use;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `postfix_dontaudit_use_fds'($*)) dnl
')
########################################
##
## Execute postfix_map in the postfix_map domain.
##
##
##
## Domain allowed access.
##
##
#
define(`postfix_domtrans_map',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `postfix_domtrans_map'($*)) dnl
gen_require(`
type postfix_map_t, postfix_map_exec_t;
')
# Hand-written domain transition: executing postfix_map_exec_t moves the
# caller into postfix_map_t; fd inheritance, pipe access and SIGCHLD
# delivery between the two domains are granted explicitly.
domain_auto_trans($1,postfix_map_exec_t,postfix_map_t)
allow $1 postfix_map_t:fd use;
allow postfix_map_t $1:fd use;
allow postfix_map_t $1:fifo_file rw_file_perms;
allow postfix_map_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `postfix_domtrans_map'($*)) dnl
')
########################################
##
## Execute postfix_map in the postfix_map domain, and
## allow the specified role the postfix_map domain.
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed the postfix_map domain.
##
##
##
##
## The type of the terminal the postfix_map domain is allowed to use.
##
##
##
#
define(`postfix_run_map',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `postfix_run_map'($*)) dnl
gen_require(`
type postfix_map_t;
')
# Transition as in postfix_domtrans_map, then authorize role $2 for the
# map domain and let it read/write the terminal type $3.
postfix_domtrans_map($1)
role $2 types postfix_map_t;
allow postfix_map_t $3:chr_file rw_term_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `postfix_run_map'($*)) dnl
')
########################################
##
## Execute the master postfix program in the
## postfix_master domain.
##
##
##
## Domain allowed access.
##
##
#
define(`postfix_domtrans_master',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `postfix_domtrans_master'($*)) dnl
gen_require(`
type postfix_master_t, postfix_master_exec_t;
')
# Hand-written domain transition into postfix_master_t with the usual
# fd / fifo / SIGCHLD rules in both directions.
domain_auto_trans($1,postfix_master_exec_t,postfix_master_t)
allow $1 postfix_master_t:fd use;
allow postfix_master_t $1:fd use;
allow postfix_master_t $1:fifo_file rw_file_perms;
allow postfix_master_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `postfix_domtrans_master'($*)) dnl
')
########################################
##
## Execute the master postfix program in the
## caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`postfix_exec_master',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `postfix_exec_master'($*)) dnl
gen_require(`
type postfix_master_exec_t;
')
# Execute the master binary WITHOUT a domain transition: the process keeps
# running as $1, so all of its permissions carry over to the master code.
can_exec($1,postfix_master_exec_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `postfix_exec_master'($*)) dnl
')
########################################
##
## Execute the postfix smtp program in the
## postfix_smtp domain.
##
##
##
## Domain allowed access.
##
##
#
define(`postfix_domtrans_smtp',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `postfix_domtrans_smtp'($*)) dnl
gen_require(`
type postfix_smtp_t, postfix_smtp_exec_t;
')
# Hand-written domain transition into postfix_smtp_t.
# NOTE(review): unlike postfix_domtrans_map and postfix_domtrans_master,
# this interface does not grant `allow $1 postfix_smtp_t:fd use;` back to
# the caller. Confirm whether that asymmetry is intentional before callers
# depend on it; if not, the rule set here is one line short of its siblings.
domain_auto_trans($1,postfix_smtp_exec_t,postfix_smtp_t)
allow postfix_smtp_t $1:fd use;
allow postfix_smtp_t $1:fifo_file rw_file_perms;
allow postfix_smtp_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `postfix_domtrans_smtp'($*)) dnl
')
########################################
##
## Search postfix mail spool directories.
##
##
##
## Domain allowed access.
##
##
#
define(`postfix_search_spool',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `postfix_search_spool'($*)) dnl
gen_require(`
type postfix_spool_t;
')
# Path traversal only: search on postfix spool directories and on the
# parent spool directory; no listing or file access.
allow $1 postfix_spool_t:dir search_dir_perms;
files_search_spool($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `postfix_search_spool'($*)) dnl
')
########################################
##
## List postfix mail spool directories.
##
##
##
## Domain allowed access.
##
##
#
define(`postfix_list_spool',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `postfix_list_spool'($*)) dnl
gen_require(`
type postfix_spool_t;
')
# Directory listing of postfix spool directories (queue file names become
# visible to the caller); file contents are not covered here.
allow $1 postfix_spool_t:dir list_dir_perms;
files_search_spool($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `postfix_list_spool'($*)) dnl
')
########################################
##
## Read postfix mail spool files.
##
##
##
## Domain allowed access.
##
##
#
define(`postfix_read_spool_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `postfix_read_spool_files'($*)) dnl
gen_require(`
type postfix_spool_t;
')
# Read access to queued mail: directory read plus regular-file read on
# postfix_spool_t. Queue contents are message data, so keep callers few.
files_search_spool($1)
allow $1 postfix_spool_t:dir r_dir_perms;
allow $1 postfix_spool_t:file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `postfix_read_spool_files'($*)) dnl
')
########################################
##
## Manage postfix mail spool files.
##
##
##
## Domain allowed access.
##
##
#
define(`postfix_manage_spool_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `postfix_manage_spool_files'($*)) dnl
gen_require(`
type postfix_spool_t;
')
# Full management of regular files in the postfix spool (the pattern macro
# covers create/read/write/delete); the caller can alter or remove queued
# mail, so this is meant for the postfix domains themselves.
files_search_spool($1)
manage_files_pattern($1,postfix_spool_t, postfix_spool_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `postfix_manage_spool_files'($*)) dnl
')
########################################
##
## Execute postfix user mail programs
## in their respective domains.
##
##
##
## Domain allowed access.
##
##
#
define(`postfix_domtrans_user_mail_handler',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `postfix_domtrans_user_mail_handler'($*)) dnl
gen_require(`
attribute postfix_user_domtrans;
')
# Tags the caller with postfix_user_domtrans. Because
# postfix_user_domain_template uses that attribute as the transition
# source, this single statement makes $1 a valid entry point into EVERY
# postfix user domain, present and future; no per-domain rule is needed.
typeattribute $1 postfix_user_domtrans;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `postfix_domtrans_user_mail_handler'($*)) dnl
')
########################################
##
## Create a named socket in a postfix private directory.
##
##
##
## Domain allowed access.
##
##
#
define(`postfix_create_private_sockets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `postfix_create_private_sockets'($*)) dnl
gen_require(`
type postfix_private_t;
')
# Read/write on the private directory plus create permissions on socket
# nodes there. No type_transition is declared, so the created sock_file
# takes the default label (presumably the directory type) -- confirm that
# is the intended label for sockets the caller creates.
allow $1 postfix_private_t:dir rw_dir_perms;
allow $1 postfix_private_t:sock_file create_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `postfix_create_private_sockets'($*)) dnl
')
########################################
##
## Execute postdrop in the
## postfix_postdrop domain.
##
##
##
## Domain allowed access.
##
##
#
define(`postfix_domtrans_postdrop',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `postfix_domtrans_postdrop'($*)) dnl
gen_require(`
type postfix_postdrop_t, postfix_postdrop_exec_t;
')
# Uses the shared domtrans_pattern helper rather than the hand-written
# rule set the other domtrans interfaces in this file spell out.
domtrans_pattern($1, postfix_postdrop_exec_t, postfix_postdrop_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `postfix_domtrans_postdrop'($*)) dnl
')
## PostgreSQL relational database
########################################
##
## Allow the specified domain to search postgresql's database directory.
##
##
##
## Domain allowed access.
##
##
#
define(`postgresql_search_db',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `postgresql_search_db'($*)) dnl
gen_require(`
type postgresql_db_t;
')
# Bare search permission on the database directory.
# NOTE(review): the sibling postgrey_search_spool uses search_dir_perms
# for the same purpose; consider the permission set here for consistency
# (it would typically also cover getattr) -- verify against the macro.
allow $1 postgresql_db_t:dir search;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `postgresql_search_db'($*)) dnl
')
########################################
##
## Allow the specified domain to manage postgresql's database.
##
##
##
## Domain allowed access.
##
##
define(`postgresql_manage_db',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `postgresql_manage_db'($*)) dnl
gen_require(`
type postgresql_db_t;
')
# Read/write on database directories and files, read-only on symlinks.
# NOTE(review): the name says "manage" but the rules use the rw_* sets
# rather than a manage_* set, so create/unlink may not be included;
# confirm the intended scope so callers are not surprised either way.
allow $1 postgresql_db_t:dir rw_dir_perms;
allow $1 postgresql_db_t:file rw_file_perms;
allow $1 postgresql_db_t:lnk_file { getattr read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `postgresql_manage_db'($*)) dnl
')
########################################
##
## Execute postgresql in the postgresql domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`postgresql_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `postgresql_domtrans'($*)) dnl
gen_require(`
type postgresql_t, postgresql_exec_t;
')
# Hand-written domain transition into postgresql_t with fd / fifo / SIGCHLD
# rules in both directions.
domain_auto_trans($1,postgresql_exec_t,postgresql_t)
allow $1 postgresql_t:fd use;
allow postgresql_t $1:fd use;
allow postgresql_t $1:fifo_file rw_file_perms;
allow postgresql_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `postgresql_domtrans'($*)) dnl
')
########################################
##
## Allow the specified domain to read postgresql's configuration (etc) files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`postgresql_read_config',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `postgresql_read_config'($*)) dnl
gen_require(`
type postgresql_etc_t;
')
# Read-only access to postgresql configuration, with raw permission lists
# rather than the r_dir_perms / r_file_perms sets used by the postfix
# interfaces above; behaviourally this is a read grant either way.
files_search_etc($1)
allow $1 postgresql_etc_t:dir { getattr read search };
allow $1 postgresql_etc_t:file { read getattr };
allow $1 postgresql_etc_t:lnk_file { getattr read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `postgresql_read_config'($*)) dnl
')
########################################
##
## Allow the specified domain to connect to postgresql with a tcp socket. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`postgresql_tcp_connect',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `postgresql_tcp_connect'($*)) dnl
# Deprecated: warning only, no rules; callers get no TCP access from this.
refpolicywarn(`$0($*) has been deprecated.')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `postgresql_tcp_connect'($*)) dnl
')
########################################
##
## Allow the specified domain to connect to postgresql with a unix socket.
##
##
##
## Domain allowed access.
##
##
##
#
define(`postgresql_stream_connect',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `postgresql_stream_connect'($*)) dnl
gen_require(`
type postgresql_t, postgresql_var_run_t, postgresql_tmp_t;
')
# Unix-socket client access: connect to the server domain and write to the
# socket node in the pid directory.
files_search_pids($1)
allow $1 postgresql_t:unix_stream_socket connectto;
allow $1 postgresql_var_run_t:sock_file write;
# Some versions of postgresql put the sock file in /tmp
# (write is limited to sock_file objects already labelled postgresql_tmp_t,
# not to arbitrary /tmp content).
allow $1 postgresql_tmp_t:sock_file write;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `postgresql_stream_connect'($*)) dnl
')
## Postfix grey-listing server
########################################
##
## Write to postgrey socket
##
##
##
## Domain allowed to talk to postgrey
##
##
#
define(`postgrey_stream_connect',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `postgrey_stream_connect'($*)) dnl
gen_require(`
type postgrey_var_run_t, postgrey_t, postgrey_spool_t;
')
# Unix-socket client access to postgrey: connect to the daemon and write to
# its socket node, whether it lives in the pid directory or the spool.
allow $1 postgrey_t:unix_stream_socket connectto;
write_sock_files_pattern($1, postgrey_var_run_t, postgrey_var_run_t)
write_sock_files_pattern($1, postgrey_spool_t, postgrey_spool_t)
files_search_pids($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `postgrey_stream_connect'($*)) dnl
')
########################################
##
## Search the spool directory
##
##
##
## Domain allowed access
##
##
#
define(`postgrey_search_spool',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `postgrey_search_spool'($*)) dnl
gen_require(`
type postgrey_spool_t;
')
# Path traversal of the postgrey spool directory only; no parent-directory
# search is added here (compare postfix_search_spool, which also calls
# files_search_spool), so callers may need that separately.
allow $1 postgrey_spool_t:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `postgrey_search_spool'($*)) dnl
')
########################################
##
## Execute postgrey server in the postgrey domain.
##
##
##
## The type of the process performing this action.
##
##
#
#
define(`postgrey_script_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `postgrey_script_domtrans'($*)) dnl
gen_require(`
type postgrey_script_exec_t;
')
# Delegates to the init-script transition helper: the caller may run the
# postgrey init script and the resulting domain is whatever that helper
# selects, not postgrey_t directly.
init_script_domtrans_spec($1, postgrey_script_exec_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `postgrey_script_domtrans'($*)) dnl
')
## Point to Point Protocol daemon creates links in ppp networks
########################################
##
## Use PPP file descriptors.
##
##
##
## Domain allowed access.
##
##
#
define(`ppp_use_fds',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ppp_use_fds'($*)) dnl
gen_require(`
type pppd_t;
')
# Let the caller use file descriptors it inherited from pppd.
allow $1 pppd_t:fd use;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ppp_use_fds'($*)) dnl
')
########################################
##
## Do not audit attempts to inherit
## and use PPP file descriptors.
##
##
##
## Domain to not audit.
##
##
#
define(`ppp_dontaudit_use_fds',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ppp_dontaudit_use_fds'($*)) dnl
gen_require(`
type pppd_t;
')
# Suppress the audit record for inherited pppd descriptors; access itself
# remains denied.
dontaudit $1 pppd_t:fd use;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ppp_dontaudit_use_fds'($*)) dnl
')
########################################
##
## Send a SIGCHLD signal to PPP.
##
##
##
## Domain allowed access.
##
##
#
define(`ppp_sigchld',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ppp_sigchld'($*)) dnl
gen_require(`
type pppd_t;
')
# SIGCHLD only: the narrowest of the ppp signal interfaces.
allow $1 pppd_t:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ppp_sigchld'($*)) dnl
')
########################################
##
## Send a signull to PPP.
##
##
##
## Domain allowed access.
##
##
#
define(`ppp_signull',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ppp_signull'($*)) dnl
gen_require(`
type pppd_t;
')
# signull = signal 0, i.e. an existence check on the pppd process; it does
# not deliver a signal.
allow $1 pppd_t:process signull;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ppp_signull'($*)) dnl
')
########################################
##
## Send ppp a sigkill
##
##
##
## Domain allowed access.
##
##
#
#
define(`ppp_sigkill',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ppp_sigkill'($*)) dnl
gen_require(`
type pppd_t;
')
# SIGKILL is uncatchable; granting it lets the caller terminate pppd
# outright, so prefer ppp_signal for orderly shutdown where that suffices.
allow $1 pppd_t:process sigkill;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ppp_sigkill'($*)) dnl
')
########################################
##
## Send a generic signal to PPP.
##
##
##
## Domain allowed access.
##
##
#
define(`ppp_signal',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ppp_signal'($*)) dnl
gen_require(`
type pppd_t;
')
# Generic signal permission (the SELinux signal class covers the signals
# not split out as sigchld/sigkill/sigstop/signull).
allow $1 pppd_t:process signal;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ppp_signal'($*)) dnl
')
########################################
##
## Execute pppd in the ppp domain.
##
##
##
## Domain allowed access.
##
##
#
define(`ppp_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ppp_domtrans'($*)) dnl
gen_require(`
type pppd_t, pppd_exec_t;
')
# Search sbin so the pppd binary can be reached, then the hand-written
# domain transition into pppd_t with fd / fifo / SIGCHLD rules.
corecmd_search_sbin($1)
domain_auto_trans($1, pppd_exec_t, pppd_t)
allow $1 pppd_t:fd use;
allow pppd_t $1:fd use;
allow pppd_t $1:fifo_file rw_file_perms;
allow pppd_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ppp_domtrans'($*)) dnl
')
########################################
##
## Conditionally execute ppp daemon on behalf of a user or staff type.
##
##
##
## Domain allowed access.
##
##
##
#
define(`ppp_run_cond',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ppp_run_cond'($*)) dnl
gen_require(`
type pppd_t;
')
# NOTE(review): the role authorization below is emitted unconditionally,
# outside the tunable block, so role $2 is allowed pppd_t even when
# pppd_for_user is off. Only the transition and terminal access are gated.
# Moving the role statement inside tunable_policy would make the whole
# grant conditional, if role statements are permitted there.
role $2 types pppd_t;
tunable_policy(`pppd_for_user',`
ppp_domtrans($1)
allow pppd_t $3:chr_file rw_term_perms;
')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ppp_run_cond'($*)) dnl
')
########################################
##
## Unconditionally execute ppp daemon on behalf of a user or staff type.
##
##
##
## Domain allowed access.
##
##
##
#
define(`ppp_run',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ppp_run'($*)) dnl
gen_require(`
type pppd_t;
')
# Unconditional form of ppp_run_cond: transition, role authorization for
# $2, and read/write on the terminal type $3 are always granted.
ppp_domtrans($1)
role $2 types pppd_t;
allow pppd_t $3:chr_file rw_term_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ppp_run'($*)) dnl
')
########################################
##
## Execute pppd in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`ppp_exec',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ppp_exec'($*)) dnl
gen_require(`
type pppd_exec_t;
')
# ppp_exec: no domain transition. pppd_exec_t runs with the label of
# the caller $1, so the program keeps whatever permissions $1 has.
corecmd_search_sbin($1)
can_exec($1, pppd_exec_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ppp_exec'($*)) dnl
')
########################################
##
## Read ppp configuration files.
##
##
##
## Domain allowed access.
##
##
#
define(`ppp_read_config',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ppp_read_config'($*)) dnl
gen_require(`
type pppd_etc_t;
')
# ppp_read_config: read-only access to pppd_etc_t files inside
# pppd_etc_t directories, plus search of the etc directory type so
# the caller can reach them. No write access is granted.
read_files_pattern($1, pppd_etc_t, pppd_etc_t)
files_search_etc($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ppp_read_config'($*)) dnl
')
########################################
##
## Read PPP-writable configuration files.
##
##
##
## Domain allowed access.
##
##
#
define(`ppp_read_rw_config',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ppp_read_rw_config'($*)) dnl
gen_require(`
type pppd_etc_t, pppd_etc_rw_t;
')
# ppp_read_rw_config: list pppd_etc_t directories and read
# pppd_etc_rw_t files. Despite the rw in the type name, only getattr
# and read are granted to the caller here.
allow $1 pppd_etc_t:dir list_dir_perms;
allow $1 pppd_etc_rw_t:file { getattr read };
files_search_etc($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ppp_read_rw_config'($*)) dnl
')
########################################
##
## Read PPP secrets.
##
##
##
## Domain allowed access.
##
##
#
define(`ppp_read_secrets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ppp_read_secrets'($*)) dnl
gen_require(`
type pppd_etc_t, pppd_secret_t;
')
# ppp_read_secrets: pppd_secret_t holds the PPP secrets, so this
# interface exposes credentials to $1. Only getattr and read are
# granted; callers should be limited to domains that need the secrets.
allow $1 pppd_etc_t:dir list_dir_perms;
allow $1 pppd_secret_t:file { getattr read };
files_search_etc($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ppp_read_secrets'($*)) dnl
')
########################################
##
## Read PPP pid files.
##
##
##
## Domain allowed access.
##
##
#
define(`ppp_read_pid_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ppp_read_pid_files'($*)) dnl
gen_require(`
type pppd_var_run_t;
')
# ppp_read_pid_files: read-only access to pppd_var_run_t files. No
# directory search on the pid directory type is granted here, so the
# caller must obtain that separately if it needs it.
allow $1 pppd_var_run_t:file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ppp_read_pid_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete PPP pid files.
##
##
##
## Domain allowed access.
##
##
#
define(`ppp_manage_pid_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ppp_manage_pid_files'($*)) dnl
gen_require(`
type pppd_var_run_t;
')
# ppp_manage_pid_files: full create, read, write and delete access to
# pppd_var_run_t files. Pair with ppp_pid_filetrans if new files must
# also receive that type automatically.
allow $1 pppd_var_run_t:file manage_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ppp_manage_pid_files'($*)) dnl
')
########################################
##
## Create PPP pid files with a file type transition.
##
##
##
## Domain allowed access.
##
##
#
define(`ppp_pid_filetrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ppp_pid_filetrans'($*)) dnl
gen_require(`
type pppd_var_run_t;
')
# ppp_pid_filetrans: files that $1 creates in the pid directory type
# are labelled pppd_var_run_t. This is only the type transition; it
# grants no file permissions by itself.
files_pid_filetrans($1,pppd_var_run_t,file)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ppp_pid_filetrans'($*)) dnl
')
## Prelude hybrid intrusion detection system
########################################
##
## Execute a domain transition to run prelude.
##
##
##
## Domain allowed access.
##
##
#
define(`prelude_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `prelude_domtrans'($*)) dnl
gen_require(`
type prelude_t, prelude_exec_t;
')
# prelude_domtrans: executing prelude_exec_t from $1 transitions into
# prelude_t. The shared domtrans_pattern helper supplies the rest of
# the transition plumbing, unlike the hand-written ppp_domtrans above.
domtrans_pattern($1, prelude_exec_t, prelude_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `prelude_domtrans'($*)) dnl
')
########################################
##
## Execute a domain transition to run prelude_audisp.
##
##
##
## Domain allowed to transition.
##
##
#
define(`prelude_domtrans_audisp',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `prelude_domtrans_audisp'($*)) dnl
gen_require(`
type prelude_audisp_t, prelude_audisp_exec_t;
')
# prelude_domtrans_audisp: executing prelude_audisp_exec_t from $1
# transitions into prelude_audisp_t via the shared domtrans_pattern.
domtrans_pattern($1, prelude_audisp_exec_t, prelude_audisp_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `prelude_domtrans_audisp'($*)) dnl
')
########################################
##
## Signal the prelude_audisp domain.
##
##
##
## Domain allowed access.
##
##
#
define(`prelude_signal_audisp',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `prelude_signal_audisp'($*)) dnl
gen_require(`
type prelude_audisp_t;
')
# prelude_signal_audisp: only the generic signal permission is granted,
# not the full signal_perms set, so $1 cannot sigkill or sigstop the
# audisp domain through this interface.
allow $1 prelude_audisp_t:process signal;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `prelude_signal_audisp'($*)) dnl
')
########################################
##
## Read the prelude spool files
##
##
##
## Domain allowed access.
##
##
#
define(`prelude_read_spool',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `prelude_read_spool'($*)) dnl
gen_require(`
type prelude_spool_t;
')
# prelude_read_spool: search the spool directory type and read
# prelude_spool_t files inside prelude_spool_t directories.
files_search_spool($1)
read_files_pattern($1, prelude_spool_t, prelude_spool_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `prelude_read_spool'($*)) dnl
')
########################################
##
## Manage prelude-manager spool files.
##
##
##
## Domain allowed access.
##
##
#
define(`prelude_manage_spool',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `prelude_manage_spool'($*)) dnl
gen_require(`
type prelude_spool_t;
')
# prelude_manage_spool: full management of prelude_spool_t directories
# and files; a domain with this access can alter or remove queued
# prelude data, so grant it only to the manager side.
files_search_spool($1)
manage_dirs_pattern($1, prelude_spool_t, prelude_spool_t)
manage_files_pattern($1, prelude_spool_t, prelude_spool_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `prelude_manage_spool'($*)) dnl
')
########################################
##
## Execute prelude server in the prelude domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`prelude_script_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `prelude_script_domtrans'($*)) dnl
gen_require(`
type prelude_script_exec_t;
')
# prelude_script_domtrans: let $1 run the prelude init script through
# the init script transition helper.
init_script_domtrans_spec($1, prelude_script_exec_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `prelude_script_domtrans'($*)) dnl
')
########################################
##
## Execute prelude lml server in the prelude lml domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`prelude_lml_script_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `prelude_lml_script_domtrans'($*)) dnl
gen_require(`
type prelude_lml_script_exec_t;
')
# prelude_lml_script_domtrans: let $1 run the prelude lml init script
# through the init script transition helper.
init_script_domtrans_spec($1, prelude_lml_script_exec_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `prelude_lml_script_domtrans'($*)) dnl
')
########################################
##
## All of the rules required to administer
## a prelude environment
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed to manage the prelude domain.
##
##
##
##
## The type of the user terminal.
##
##
##
#
define(`prelude_admin',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `prelude_admin'($*)) dnl
gen_require(`
type prelude_t, prelude_spool_t;
type prelude_var_run_t, prelude_var_lib_t;
type prelude_audisp_t, prelude_audisp_var_run_t;
type prelude_script_exec_t;
type prelude_lml_t, prelude_lml_tmp_t;
type prelude_lml_var_run_t;
type prelude_lml_script_exec_t;
')
# prelude_admin: $1 is the admin domain, $2 the admin role. $3 is
# documented as the terminal type but is not referenced in this body.
# ptrace plus signal_perms let the admin domain inspect the memory of
# and kill every prelude daemon domain; ptrace in particular exposes
# whatever the daemons hold in memory to $1.
allow $1 prelude_t:process { ptrace signal_perms };
ps_process_pattern($1, prelude_t)
allow $1 prelude_audisp_t:process { ptrace signal_perms };
ps_process_pattern($1, prelude_audisp_t)
allow $1 prelude_lml_t:process { ptrace signal_perms };
ps_process_pattern($1, prelude_lml_t)
# Allow the admin domain to run the prelude init script
prelude_script_domtrans($1)
domain_system_change_exemption($1)
# The init script runs under system_r, so the admin role is allowed
# to reach system_r and a role transition is set up on the script.
role_transition $2 prelude_script_exec_t system_r;
allow $2 system_r;
# Allow the admin domain to run the prelude lml init script
prelude_lml_script_domtrans($1)
role_transition $2 prelude_lml_script_exec_t system_r;
# Full management of every prelude data, pid and tmp type.
admin_pattern($1, prelude_spool_t)
admin_pattern($1, prelude_var_lib_t)
admin_pattern($1, prelude_var_run_t)
admin_pattern($1, prelude_audisp_var_run_t)
admin_pattern($1, prelude_lml_tmp_t)
admin_pattern($1, prelude_lml_var_run_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `prelude_admin'($*)) dnl
')
## Privacy enhancing web proxy.
## Procmail mail delivery agent
########################################
##
## Execute procmail with a domain transition.
##
##
##
## Domain allowed access.
##
##
#
define(`procmail_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `procmail_domtrans'($*)) dnl
gen_require(`
type procmail_exec_t, procmail_t;
')
# procmail_domtrans: the caller searches usr and bin to reach the
# binary, then executing procmail_exec_t transitions into procmail_t.
files_search_usr($1)
corecmd_search_bin($1)
domain_auto_trans($1,procmail_exec_t,procmail_t)
# Same hand-written transition plumbing as ppp_domtrans: mutual fd
# use, procmail_t may read and write fifo files of the caller type,
# and procmail_t signals the caller with sigchld on exit.
allow $1 procmail_t:fd use;
allow procmail_t $1:fd use;
allow procmail_t $1:fifo_file rw_file_perms;
allow procmail_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `procmail_domtrans'($*)) dnl
')
########################################
##
## Execute procmail in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`procmail_exec',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `procmail_exec'($*)) dnl
gen_require(`
type procmail_exec_t;
')
# procmail_exec: no domain transition. procmail runs with the label of
# $1 and therefore with the permissions of $1.
files_search_usr($1)
corecmd_search_bin($1)
can_exec($1,procmail_exec_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `procmail_exec'($*)) dnl
')
########################################
##
## Read procmail tmp files.
##
##
##
## Domain allowed access.
##
##
#
define(`procmail_read_tmp_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `procmail_read_tmp_files'($*)) dnl
gen_require(`
type procmail_tmp_t;
')
# procmail_read_tmp_files: search the tmp directory type and read
# procmail_tmp_t files. No write access.
files_search_tmp($1)
allow $1 procmail_tmp_t:file read_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `procmail_read_tmp_files'($*)) dnl
')
########################################
##
## Read/write procmail tmp files.
##
##
##
## Domain allowed access.
##
##
#
define(`procmail_rw_tmp_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `procmail_rw_tmp_files'($*)) dnl
gen_require(`
type procmail_tmp_t;
')
# procmail_rw_tmp_files: read and write existing procmail_tmp_t files
# inside procmail_tmp_t directories; create and delete are not granted.
files_search_tmp($1)
rw_files_pattern($1, procmail_tmp_t, procmail_tmp_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `procmail_rw_tmp_files'($*)) dnl
')
## publicfile supplies files to the public through HTTP and FTP
## Server for the PXE network boot protocol
## Pyzor is a distributed, collaborative spam detection and filtering network.
########################################
##
## Execute pyzor with a domain transition.
##
##
##
## Domain allowed access.
##
##
#
define(`pyzor_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `pyzor_domtrans'($*)) dnl
gen_require(`
type pyzor_exec_t, pyzor_t;
')
# pyzor_domtrans: the caller searches usr and bin to reach the binary,
# then executing pyzor_exec_t transitions into pyzor_t.
files_search_usr($1)
corecmd_search_bin($1)
domain_auto_trans($1,pyzor_exec_t,pyzor_t)
# Same hand-written transition plumbing as procmail_domtrans: mutual
# fd use, fifo read and write toward the caller type, sigchld on exit.
allow $1 pyzor_t:fd use;
allow pyzor_t $1:fd use;
allow pyzor_t $1:fifo_file rw_file_perms;
allow pyzor_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `pyzor_domtrans'($*)) dnl
')
########################################
##
## Execute pyzor in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`pyzor_exec',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `pyzor_exec'($*)) dnl
gen_require(`
type pyzor_exec_t;
')
# pyzor_exec: no domain transition. pyzor runs with the label and
# permissions of the caller $1.
files_search_usr($1)
corecmd_search_bin($1)
can_exec($1,pyzor_exec_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `pyzor_exec'($*)) dnl
')
#######################################
##
## The per role template for the pyzor module.
##
##
##
## This template allows pyzor to manage files in
## a user home directory, creating files with the
## correct type.
##
##
## This template is invoked automatically for each user, and
## generally does not need to be invoked directly
## by policy writers.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
#
define(`pyzor_per_role_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `pyzor_per_role_template'($*)) dnl
# pyzor_per_role_template: $1 is the user prefix. Declares a per-user
# home content type and lets the system pyzord_t daemon create, read,
# write and delete content of that type in the user home directory.
# There is no gen_require block here, so pyzord_t must already be
# declared wherever this template is expanded.
type $1_pyzor_home_t;
userdom_user_home_content($1,$1_pyzor_home_t)
allow pyzord_t $1_pyzor_home_t:dir create_dir_perms;
allow pyzord_t $1_pyzor_home_t:file create_file_perms;
allow pyzord_t $1_pyzor_home_t:lnk_file create_lnk_perms;
userdom_search_user_home_dirs($1,pyzord_t)
# New dirs, files and symlinks pyzord_t creates directly in the user
# home directory are labelled $1_pyzor_home_t rather than the generic
# home type.
userdom_user_home_dir_filetrans($1,pyzord_t,$1_pyzor_home_t,{ dir file lnk_file })
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `pyzor_per_role_template'($*)) dnl
')
########################################
##
## Send generic signals to pyzor
##
##
##
## Domain allowed access.
##
##
#
define(`pyzor_signal',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `pyzor_signal'($*)) dnl
gen_require(`
type pyzor_t;
')
# pyzor_signal: generic signal only; sigkill and sigstop are not part
# of this grant.
allow $1 pyzor_t:process signal;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `pyzor_signal'($*)) dnl
')
## Qmail Mail Server
#######################################
##
## The per role template for qmail
##
##
##
## This template is invoked automatically for each user, and
## generally does not need to be invoked directly
## by policy writers.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## The type of the user domain.
##
##
##
##
## The role associated with the user domain.
##
##
#
define(`qmail_per_role_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `qmail_per_role_template'($*)) dnl
gen_require(`
attribute qmail_user_domains;
')
# qmail_per_role_template: $1 is the user prefix, $2 the user domain
# type, $3 the user role. $1 is not referenced in this body.
# The user role may run every domain carrying qmail_user_domains, and
# the user domain may transition into qmail_inject_t.
role $3 types qmail_user_domains;
qmail_domtrans_inject($2)
# The qmail user domains report exit to the user domain, may write and
# stat its fifo files, and may use fds inherited from it.
allow qmail_user_domains $2:process sigchld;
allow qmail_user_domains $2:fifo_file { write getattr };
allow qmail_user_domains $2:fd use;
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `qmail_per_role_template'($*)) dnl
')
########################################
##
## Template for qmail parent/sub-domain pairs
##
##
##
## The prefix of the child domain
##
##
##
##
## The name of the parent domain.
##
##
#
define(`qmail_child_domain_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `qmail_child_domain_template'($*)) dnl
# qmail_child_domain_template: $1 is the child prefix, $2 the parent
# domain. Declares the child domain $1_t and its entry point
# $1_exec_t, and makes the parent transition into the child when it
# executes that entry point.
type $1_t;
domain_type($1_t)
type $1_exec_t;
domain_entry_file($1_t,$1_exec_t)
domain_auto_trans($2, $1_exec_t, $1_t)
# Every child runs under system_r.
role system_r types $1_t;
allow $1_t self:process signal_perms;
# Transition plumbing toward the parent: fd use, fifo read and write,
# and sigchld on exit.
allow $1_t $2:fd use;
allow $1_t $2:fifo_file rw_file_perms;
allow $1_t $2:process sigchld;
# Read-only access to the qmail configuration type.
allow $1_t qmail_etc_t:dir { getattr read search };
allow $1_t qmail_etc_t:file { getattr read };
allow $1_t qmail_etc_t:lnk_file { getattr read };
allow $1_t qmail_start_t:fd use;
# NOTE(review): the two proc rules below are applied to the parent
# domain $2, not to the new child $1_t - confirm this is intended.
kernel_list_proc($2)
kernel_read_proc_symlinks($2)
corecmd_search_bin($1_t)
files_search_var($1_t)
fs_getattr_xattr_fs($1_t)
libs_use_ld_so($1_t)
libs_use_shared_libs($1_t)
miscfiles_read_localization($1_t)
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `qmail_child_domain_template'($*)) dnl
')
########################################
##
## Transition to qmail_inject_t
##
##
##
## Domain allowed access
##
##
#
define(`qmail_domtrans_inject',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `qmail_domtrans_inject'($*)) dnl
gen_require(`
type qmail_inject_t;
type qmail_inject_exec_t;
')
# qmail_domtrans_inject: executing qmail_inject_exec_t from $1
# transitions into qmail_inject_t. Only qmail_inject_t gets fd use
# toward the caller; the caller is not granted fd use on the child.
domain_auto_trans($1, qmail_inject_exec_t, qmail_inject_t)
allow qmail_inject_t $1:fd use;
allow qmail_inject_t $1:fifo_file { read write };
allow qmail_inject_t $1:process sigchld;
# The directories the caller must search to reach the binary depend on
# the distribution layout: usr and sbin on Debian, var and bin elsewhere.
ifdef(`distro_debian',`
files_search_usr($1)
corecmd_search_sbin($1)
',`
files_search_var($1)
corecmd_search_bin($1)
')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `qmail_domtrans_inject'($*)) dnl
')
########################################
##
## Transition to qmail_queue_t
##
##
##
## Domain allowed access
##
##
#
define(`qmail_domtrans_queue',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `qmail_domtrans_queue'($*)) dnl
gen_require(`
type qmail_queue_t;
type qmail_queue_exec_t;
')
# qmail_domtrans_queue: executing qmail_queue_exec_t from $1
# transitions into qmail_queue_t, with the same one-directional fd,
# fifo and sigchld plumbing as qmail_domtrans_inject.
domain_auto_trans($1, qmail_queue_exec_t, qmail_queue_t)
allow qmail_queue_t $1:fd use;
allow qmail_queue_t $1:fifo_file { read write };
allow qmail_queue_t $1:process sigchld;
# Search path for the binary depends on the distribution layout: usr
# and sbin on Debian, var and bin elsewhere.
ifdef(`distro_debian',`
files_search_usr($1)
corecmd_search_sbin($1)
',`
files_search_var($1)
corecmd_search_bin($1)
')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `qmail_domtrans_queue'($*)) dnl
')
########################################
##
## Read qmail configuration files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`qmail_read_config',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `qmail_read_config'($*)) dnl
gen_require(`
type qmail_etc_t;
')
# qmail_read_config: read-only access to qmail_etc_t directories,
# files and symlinks. Search of var is always granted; search of etc
# is added only on Debian, where the configuration lives under etc.
allow $1 qmail_etc_t:dir { getattr read search };
allow $1 qmail_etc_t:file { getattr read };
allow $1 qmail_etc_t:lnk_file { getattr read };
files_search_var($1)
ifdef(`distro_debian',`
# handle /etc/qmail
files_search_etc($1)
')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `qmail_read_config'($*)) dnl
')
########################################
##
## Define the specified domain as a qmail-smtp service.
## Needed by antivirus/antispam filters.
##
##
##
## Domain allowed access
##
##
##
##
## The type associated with the process program.
##
##
#
define(`qmail_smtpd_service_domain',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `qmail_smtpd_service_domain'($*)) dnl
gen_require(`
type qmail_smtpd_t;
')
# qmail_smtpd_service_domain: $1 is the filter domain, $2 its entry
# point type. The transition runs in the opposite direction from the
# other domtrans interfaces in this file: qmail_smtpd_t is the source
# and executing $2 moves it into $1. The fd, fifo and sigchld rules
# therefore treat $1 as the child and qmail_smtpd_t as the parent.
domain_auto_trans(qmail_smtpd_t, $2, $1)
allow $1 qmail_smtpd_t:fd use;
allow $1 qmail_smtpd_t:fifo_file { read write };
allow $1 qmail_smtpd_t:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `qmail_smtpd_service_domain'($*)) dnl
')
## RADIUS authentication and accounting server.
########################################
##
## Use radius over a UDP connection. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`radius_use',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `radius_use'($*)) dnl
# radius_use: deprecated. Emits a policy build warning and grants no
# access at all; callers should be migrated off it.
refpolicywarn(`$0($*) has been deprecated.')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `radius_use'($*)) dnl
')
## IPv6 router advertisement daemon
## A distributed, collaborative, spam detection and filtering network.
##
##
## A distributed, collaborative, spam detection and filtering network.
##
##
## This policy will work with either the ATrpms provided config
## file in /etc/razor, or with the default of dumping everything into
## $HOME/.razor.
##
##
#######################################
##
## Template to create types and rules common to
## all razor domains.
##
##
##
## The prefix of the domain (e.g., user
## is the prefix for user_t).
##
##
#
define(`razor_common_domain_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `razor_common_domain_template'($*)) dnl
# razor_common_domain_template: $1 is the domain prefix; the rules
# below apply to $1_t, which must already be declared by the caller.
# There is no gen_require block, so the razor_* types referenced here
# must also be in scope wherever this template is expanded.
#
# Complement form: $1_t gets every process permission except the ones
# listed. Any permission added to the process class later is granted
# implicitly, so this line should be re-reviewed when the class grows.
allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow $1_t self:fd use;
allow $1_t self:fifo_file rw_file_perms;
allow $1_t self:unix_dgram_socket create_socket_perms;
allow $1_t self:unix_stream_socket create_stream_socket_perms;
allow $1_t self:unix_dgram_socket sendto;
allow $1_t self:unix_stream_socket connectto;
# SysV IPC with itself.
allow $1_t self:shm create_shm_perms;
allow $1_t self:sem create_sem_perms;
allow $1_t self:msgq create_msgq_perms;
allow $1_t self:msg { send receive };
allow $1_t self:tcp_socket create_socket_perms;
# Read system config file
allow $1_t razor_etc_t:dir list_dir_perms;
allow $1_t razor_etc_t:file read_file_perms;
allow $1_t razor_etc_t:lnk_file { getattr read };
# Full management of the razor log type, including creating new log
# files with that type; a compromised razor domain could rewrite its
# own logs.
allow $1_t razor_log_t:dir manage_dir_perms;
allow $1_t razor_log_t:file manage_file_perms;
allow $1_t razor_log_t:lnk_file create_lnk_perms;
logging_log_filetrans($1_t,razor_log_t,file)
allow $1_t razor_var_lib_t:dir manage_dir_perms;
allow $1_t razor_var_lib_t:file manage_file_perms;
allow $1_t razor_var_lib_t:lnk_file create_lnk_perms;
files_search_var_lib($1_t)
# Razor is one executable and several symlinks
allow $1_t razor_exec_t:{ file lnk_file } { getattr read };
kernel_read_system_state($1_t)
kernel_read_network_state($1_t)
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
kernel_read_kernel_sysctls($1_t)
corecmd_exec_bin($1_t)
# Network: generic TCP and raw send and receive on all interfaces and
# nodes, plus the razor port.
corenet_non_ipsec_sendrecv($1_t)
corenet_tcp_sendrecv_generic_if($1_t)
corenet_raw_sendrecv_generic_if($1_t)
corenet_tcp_sendrecv_all_nodes($1_t)
corenet_raw_sendrecv_all_nodes($1_t)
corenet_tcp_sendrecv_razor_port($1_t)
# mktemp and other randoms
dev_read_rand($1_t)
dev_read_urand($1_t)
files_search_pids($1_t)
# Allow access to various files in the /etc/directory including mtab
# and nsswitch
files_read_etc_files($1_t)
files_read_etc_runtime_files($1_t)
fs_search_auto_mountpoints($1_t)
libs_use_ld_so($1_t)
libs_use_shared_libs($1_t)
libs_read_lib_files($1_t)
miscfiles_read_localization($1_t)
sysnet_read_config($1_t)
sysnet_dns_name_resolve($1_t)
userdom_use_unpriv_users_fds($1_t)
optional_policy(`
nis_use_ypbind($1_t)
')
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `razor_common_domain_template'($*)) dnl
')
#######################################
##
## The per role template for the razor module.
##
##
##
## The per role template for the razor module.
##
##
## This template is invoked automatically for each user, and
## generally does not need to be invoked directly
## by policy writers.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## The type of the user domain.
##
##
##
##
## The role associated with the user domain.
##
##
#
define(`razor_per_role_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `razor_per_role_template'($*)) dnl
# razor_per_role_template: $1 is the user prefix, $2 the user domain
# type, $3 the user role. Declares a per-user razor domain, a home
# content type and a tmp type, then wires the user domain to them.
type $1_razor_t;
domain_type($1_razor_t)
domain_entry_file($1_razor_t,razor_exec_t)
razor_common_domain_template($1_razor)
role $3 types $1_razor_t;
# The alias keeps the older $1_razor_rw_t name resolvable; presumably
# for existing labels and policy that still use it.
type $1_razor_home_t alias $1_razor_rw_t;
files_poly_member($1_razor_home_t)
userdom_user_home_content($1,$1_razor_home_t)
type $1_razor_tmp_t;
files_tmp_file($1_razor_tmp_t)
##############################
#
# Local policy
#
allow $1_razor_t self:unix_stream_socket create_stream_socket_perms;
allow $1_razor_t $1_razor_home_t:dir manage_dir_perms;
allow $1_razor_t $1_razor_home_t:file manage_file_perms;
allow $1_razor_t $1_razor_home_t:lnk_file create_lnk_perms;
userdom_user_home_dir_filetrans($1,$1_razor_t,$1_razor_home_t,dir)
allow $1_razor_t $1_razor_tmp_t:dir create_dir_perms;
allow $1_razor_t $1_razor_tmp_t:file create_file_perms;
files_tmp_filetrans($1_razor_t, $1_razor_tmp_t, { file dir })
# The user domain transitions into $1_razor_t on exec of razor_exec_t;
# the razor domain uses inherited fds and fifo files of the user
# domain and signals it with sigchld on exit.
domain_auto_trans($2, razor_exec_t, $1_razor_t)
allow $1_razor_t $2:fd use;
allow $1_razor_t $2:fifo_file rw_file_perms;
allow $1_razor_t $2:process sigchld;
# The user domain itself also gets full management of the razor home
# content type, and may relabel dirs, files and symlinks to and from
# it. The relabel rights let $2 move files into and out of the razor
# home type, so the type is not isolated from the user domain.
allow $2 $1_razor_home_t:dir manage_dir_perms;
allow $2 $1_razor_home_t:file manage_file_perms;
allow $2 $1_razor_home_t:lnk_file create_lnk_perms;
allow $2 $1_razor_home_t:{ dir file lnk_file } { relabelfrom relabelto };
logging_send_syslog_msg($1_razor_t)
userdom_search_user_home_dirs($1,$1_razor_t)
# Allow razor to be run by hand. Needed by any action other than
# invocation from a spam filter.
userdom_use_user_terminals($1,$1_razor_t)
# Home directories on NFS or CIFS are only reachable when the matching
# tunable is enabled.
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs($1_razor_t)
fs_manage_nfs_files($1_razor_t)
fs_manage_nfs_symlinks($1_razor_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_dirs($1_razor_t)
fs_manage_cifs_files($1_razor_t)
fs_manage_cifs_symlinks($1_razor_t)
')
optional_policy(`
nscd_socket_use($1_razor_t)
')
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `razor_per_role_template'($*)) dnl
')
########################################
##
## Execute razor in the system razor domain.
##
##
##
## Domain allowed access.
##
##
#
define(`razor_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `razor_domtrans'($*)) dnl
gen_require(`
type razor_t, razor_exec_t;
')
# razor_domtrans: executing razor_exec_t from $1 transitions into the
# system razor_t domain. Unlike ppp_domtrans and procmail_domtrans,
# no fd use is granted from the caller toward razor_t, only from
# razor_t toward the caller; no search interface is called either, so
# the caller must be able to reach the binary on its own.
domain_auto_trans($1, razor_exec_t, razor_t)
allow razor_t $1:fd use;
allow razor_t $1:fifo_file rw_file_perms;
allow razor_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `razor_domtrans'($*)) dnl
')
########################################
##
## Create, read, write, and delete razor files
## in a user home subdirectory.
##
##
##
## Create, read, write, and delete razor files
## in a user home subdirectory.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain allowed access.
##
##
#
define(`razor_manage_user_home_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `razor_manage_user_home_files'($*)) dnl
gen_require(`
type $1_home_dir_t, $1_razor_home_t;
')
# razor_manage_user_home_files: $1 is the user prefix, $2 the domain
# granted access. $2 may search the home root and the user home
# directory, then create, read, write and delete $1_razor_home_t
# files and read symlinks of that type. Directory management of the
# razor home type itself is not granted.
files_search_home($2)
allow $2 $1_home_dir_t:dir search_dir_perms;
manage_files_pattern($2,$1_razor_home_t,$1_razor_home_t)
read_lnk_files_pattern($2,$1_razor_home_t,$1_razor_home_t)
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `razor_manage_user_home_files'($*)) dnl
')
########################################
##
## Read razor lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`razor_read_lib_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `razor_read_lib_files'($*)) dnl
# razor_read_lib_files: read-only access (list directories, read files)
# to razor_var_lib_t, plus the search right on /var/lib needed to reach it.
gen_require(`
type razor_var_lib_t;
')
read_files_pattern($1, razor_var_lib_t, razor_var_lib_t)
list_dirs_pattern($1, razor_var_lib_t, razor_var_lib_t)
files_search_var_lib($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `razor_read_lib_files'($*)) dnl
')
## Network router discovery daemon
## Policy for rshd, rlogind, and telnetd.
########################################
##
## Domain transition to the remote login domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`remotelogin_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `remotelogin_domtrans'($*)) dnl
# remotelogin_domtrans: transition $1 into remote_login_t through the
# generic login-program interface of the auth module; the exec type and
# any extra rules come from auth_domtrans_login_program, not from here.
gen_require(`
type remote_login_t;
')
auth_domtrans_login_program($1, remote_login_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `remotelogin_domtrans'($*)) dnl
')
########################################
##
## Allow the domain to send a signal to the remote login domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`remotelogin_signal',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `remotelogin_signal'($*)) dnl
# remotelogin_signal: $1 may deliver a generic signal to remote_login_t
# processes. Only signal is granted, not sigkill, sigstop or signull.
gen_require(`
type remote_login_t;
')
allow $1 remote_login_t:process { signal };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `remotelogin_signal'($*)) dnl
')
## Resource management daemon
########################################
##
## Connect to resmgrd over a unix domain
## stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`resmgr_stream_connect',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `resmgr_stream_connect'($*)) dnl
# resmgr_stream_connect: $1 may open a unix stream connection to resmgrd_t.
# That needs search on the pid directory, getattr/write on the socket node
# (resmgrd_var_run_t) and connectto on the listening socket; no read/write
# on resmgrd files is granted.
gen_require(`
type resmgrd_t, resmgrd_var_run_t;
')
files_search_pids($1)
allow $1 resmgrd_var_run_t:sock_file { write getattr };
allow $1 resmgrd_t:unix_stream_socket { connectto };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `resmgr_stream_connect'($*)) dnl
')
## Red Hat Graphical Boot
########################################
##
## RHGB stub interface. No access allowed.
##
##
##
## N/A
##
##
#
define(`rhgb_stub',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `rhgb_stub'($*)) dnl
# rhgb_stub: grants nothing. It only requires rhgb_t, so a module calling
# it inside optional_policy is enabled only when the rhgb module is present.
gen_require(`
type rhgb_t;
')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `rhgb_stub'($*)) dnl
')
########################################
##
## Use a rhgb file descriptor.
##
##
##
## The type of the process performing this action.
##
##
#
define(`rhgb_use_fds',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `rhgb_use_fds'($*)) dnl
# rhgb_use_fds: $1 may use file descriptors it inherited from rhgb_t.
# This is the fd object itself; access to what the fd refers to is
# still checked against the underlying object type.
gen_require(`
type rhgb_t;
')
allow $1 rhgb_t:fd { use };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `rhgb_use_fds'($*)) dnl
')
########################################
##
## Read and write to unix stream sockets.
##
##
##
## The type of the process performing this action.
##
##
#
define(`rhgb_rw_stream_sockets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `rhgb_rw_stream_sockets'($*)) dnl
# rhgb_rw_stream_sockets: $1 may read and write on rhgb_t unix stream
# sockets it already holds (typically inherited); connecting to a new
# one is a separate permission, see rhgb_stream_connect.
gen_require(`
type rhgb_t;
')
allow $1 rhgb_t:unix_stream_socket { write read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `rhgb_rw_stream_sockets'($*)) dnl
')
########################################
##
## Do not audit attempts to read and write
## rhgb unix domain stream sockets.
##
##
##
## The type of the process performing this action.
##
##
#
define(`rhgb_dontaudit_rw_stream_sockets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `rhgb_dontaudit_rw_stream_sockets'($*)) dnl
# rhgb_dontaudit_rw_stream_sockets: suppress the audit record when $1 is
# denied read/write on rhgb_t unix stream sockets. Access is NOT granted;
# only the log noise from the denial is removed.
gen_require(`
type rhgb_t;
')
dontaudit $1 rhgb_t:unix_stream_socket { write read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `rhgb_dontaudit_rw_stream_sockets'($*)) dnl
')
########################################
##
## Connect to the rhgb unix stream socket.
##
##
##
## The type of the process performing this action.
##
##
#
define(`rhgb_stream_connect',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `rhgb_stream_connect'($*)) dnl
# rhgb_stream_connect: $1 may connect to a unix stream socket owned by
# rhgb_t. Reaching and writing the socket node in the filesystem is not
# covered here and must be granted separately by the caller.
gen_require(`
type rhgb_t;
')
allow $1 rhgb_t:unix_stream_socket { connectto };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `rhgb_stream_connect'($*)) dnl
')
########################################
##
## Read and write to rhgb shared memory.
##
##
##
## The type of the process performing this action.
##
##
#
define(`rhgb_rw_shm',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `rhgb_rw_shm'($*)) dnl
# rhgb_rw_shm: $1 gets the read/write permission set on System V shared
# memory segments owned by rhgb_t (rw_shm_perms is defined elsewhere).
gen_require(`
type rhgb_t;
')
allow $1 rhgb_t:shm rw_shm_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `rhgb_rw_shm'($*)) dnl
')
########################################
##
## Read and write to rhgb temporary file system.
##
##
##
## The type of the process performing this action.
##
##
#
define(`rhgb_rw_tmpfs_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `rhgb_rw_tmpfs_files'($*)) dnl
# rhgb_rw_tmpfs_files: $1 may read and write rhgb_tmpfs_t files.
# Only read and write are granted: no getattr, no create/unlink, and no
# directory access, so the caller must already hold such a file open or
# obtain it through another rule.
gen_require(`
type rhgb_tmpfs_t;
')
allow $1 rhgb_tmpfs_t:file { write read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `rhgb_rw_tmpfs_files'($*)) dnl
')
########################################
##
## Read from and write to the rhgb devpts.
##
##
##
## Domain allowed access.
##
##
##
#
define(`rhgb_use_ptys',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `rhgb_use_ptys'($*)) dnl
# rhgb_use_ptys: $1 gets the read/write file permission set on the rhgb
# pseudo terminal devices (rhgb_devpts_t character devices).
gen_require(`
type rhgb_devpts_t;
')
allow $1 rhgb_devpts_t:chr_file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `rhgb_use_ptys'($*)) dnl
')
########################################
##
## Do not audit reads from and writes to the rhgb devpts.
##
##
##
## Domain allowed access.
##
##
##
#
define(`rhgb_dontaudit_use_ptys',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `rhgb_dontaudit_use_ptys'($*)) dnl
# rhgb_dontaudit_use_ptys: silence denials of the rw_file_perms set on
# rhgb_devpts_t for $1. Nothing is allowed; the denial still happens,
# it is just not logged.
gen_require(`
type rhgb_devpts_t;
')
dontaudit $1 rhgb_devpts_t:chr_file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `rhgb_dontaudit_use_ptys'($*)) dnl
')
########################################
##
## Get the process group of rhgb.
##
##
##
## Domain allowed access.
##
##
#
define(`rhgb_getpgid',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `rhgb_getpgid'($*)) dnl
# rhgb_getpgid: $1 may query the process group id of rhgb_t processes.
# Read-only process information; no signalling is included.
gen_require(`
type rhgb_t;
')
allow $1 rhgb_t:process { getpgid };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `rhgb_getpgid'($*)) dnl
')
########################################
##
## Send a signal to rhgb.
##
##
##
## Domain allowed access.
##
##
#
define(`rhgb_signal',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `rhgb_signal'($*)) dnl
# rhgb_signal: $1 may send generic signals to rhgb_t. sigkill, sigstop
# and signull are not part of this grant.
gen_require(`
type rhgb_t;
')
allow $1 rhgb_t:process { signal };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `rhgb_signal'($*)) dnl
')
## Ricci cluster management agent
########################################
##
## Execute a domain transition to run ricci.
##
##
##
## Domain allowed to transition.
##
##
#
define(`ricci_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ricci_domtrans'($*)) dnl
# ricci_domtrans: executing ricci_exec_t from $1 yields a ricci_t process.
# The three allow rules are the usual child-to-parent back channel
# (inherited fds, inherited pipes, sigchld); the caller gets no new
# access to ricci_t.
gen_require(`
type ricci_exec_t, ricci_t;
')
allow ricci_t $1:process { sigchld };
allow ricci_t $1:fifo_file rw_file_perms;
allow ricci_t $1:fd { use };
domain_auto_trans($1, ricci_exec_t, ricci_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ricci_domtrans'($*)) dnl
')
########################################
##
## Execute a domain transition to run ricci_modcluster.
##
##
##
## Domain allowed to transition.
##
##
#
define(`ricci_domtrans_modcluster',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ricci_domtrans_modcluster'($*)) dnl
# ricci_domtrans_modcluster: executing ricci_modcluster_exec_t from $1
# yields a ricci_modcluster_t process. Only the child-to-parent back
# channel (fds, pipes, sigchld) is added; nothing from $1 to the child.
gen_require(`
type ricci_modcluster_exec_t, ricci_modcluster_t;
')
allow ricci_modcluster_t $1:process { sigchld };
allow ricci_modcluster_t $1:fifo_file rw_file_perms;
allow ricci_modcluster_t $1:fd { use };
domain_auto_trans($1, ricci_modcluster_exec_t, ricci_modcluster_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ricci_domtrans_modcluster'($*)) dnl
')
########################################
##
## Do not audit attempts to use
## ricci_modcluster file descriptors.
##
##
##
## The type of process not to audit.
##
##
#
define(`ricci_dontaudit_use_modcluster_fds',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ricci_dontaudit_use_modcluster_fds'($*)) dnl
# ricci_dontaudit_use_modcluster_fds: do not log when $1 is denied use of
# file descriptors inherited from ricci_modcluster_t. The use is still
# denied; this only keeps leaked-fd denials out of the audit log.
gen_require(`
type ricci_modcluster_t;
')
dontaudit $1 ricci_modcluster_t:fd { use };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ricci_dontaudit_use_modcluster_fds'($*)) dnl
')
########################################
##
## Do not audit attempts to read and write
## ricci_modcluster unnamed pipes.
##
##
##
## The type of process not to audit.
##
##
#
define(`ricci_dontaudit_rw_modcluster_pipes',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ricci_dontaudit_rw_modcluster_pipes'($*)) dnl
# ricci_dontaudit_rw_modcluster_pipes: suppress audit records for read or
# write denials on ricci_modcluster_t pipes by $1. No access is granted.
gen_require(`
type ricci_modcluster_t;
')
dontaudit $1 ricci_modcluster_t:fifo_file { write read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ricci_dontaudit_rw_modcluster_pipes'($*)) dnl
')
########################################
##
## Connect to ricci_modclusterd over a unix stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`ricci_stream_connect_modclusterd',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ricci_stream_connect_modclusterd'($*)) dnl
# ricci_stream_connect_modclusterd: $1 may connect to the unix stream
# socket of ricci_modclusterd_t. The socket node (ricci_modcluster_var_run_t)
# only gets write, not getattr, so a stat of the node by $1 will be denied.
gen_require(`
type ricci_modcluster_var_run_t, ricci_modclusterd_t;
')
allow $1 ricci_modclusterd_t:unix_stream_socket { connectto };
allow $1 ricci_modcluster_var_run_t:sock_file { write };
files_search_pids($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ricci_stream_connect_modclusterd'($*)) dnl
')
########################################
##
## Execute a domain transition to run ricci_modlog.
##
##
##
## Domain allowed to transition.
##
##
#
define(`ricci_domtrans_modlog',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ricci_domtrans_modlog'($*)) dnl
# ricci_domtrans_modlog: executing ricci_modlog_exec_t from $1 yields a
# ricci_modlog_t process, with the standard child-to-parent back channel
# (inherited fds, inherited pipes, sigchld) and nothing more.
gen_require(`
type ricci_modlog_exec_t, ricci_modlog_t;
')
allow ricci_modlog_t $1:process { sigchld };
allow ricci_modlog_t $1:fifo_file rw_file_perms;
allow ricci_modlog_t $1:fd { use };
domain_auto_trans($1, ricci_modlog_exec_t, ricci_modlog_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ricci_domtrans_modlog'($*)) dnl
')
########################################
##
## Execute a domain transition to run ricci_modrpm.
##
##
##
## Domain allowed to transition.
##
##
#
define(`ricci_domtrans_modrpm',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ricci_domtrans_modrpm'($*)) dnl
# ricci_domtrans_modrpm: executing ricci_modrpm_exec_t from $1 yields a
# ricci_modrpm_t process, with the standard child-to-parent back channel
# (inherited fds, inherited pipes, sigchld) and nothing more.
gen_require(`
type ricci_modrpm_exec_t, ricci_modrpm_t;
')
allow ricci_modrpm_t $1:process { sigchld };
allow ricci_modrpm_t $1:fifo_file rw_file_perms;
allow ricci_modrpm_t $1:fd { use };
domain_auto_trans($1, ricci_modrpm_exec_t, ricci_modrpm_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ricci_domtrans_modrpm'($*)) dnl
')
########################################
##
## Execute a domain transition to run ricci_modservice.
##
##
##
## Domain allowed to transition.
##
##
#
define(`ricci_domtrans_modservice',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ricci_domtrans_modservice'($*)) dnl
# ricci_domtrans_modservice: executing ricci_modservice_exec_t from $1
# yields a ricci_modservice_t process, with the standard child-to-parent
# back channel (inherited fds, inherited pipes, sigchld) and nothing more.
gen_require(`
type ricci_modservice_exec_t, ricci_modservice_t;
')
allow ricci_modservice_t $1:process { sigchld };
allow ricci_modservice_t $1:fifo_file rw_file_perms;
allow ricci_modservice_t $1:fd { use };
domain_auto_trans($1, ricci_modservice_exec_t, ricci_modservice_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ricci_domtrans_modservice'($*)) dnl
')
########################################
##
## Execute a domain transition to run ricci_modstorage.
##
##
##
## Domain allowed to transition.
##
##
#
define(`ricci_domtrans_modstorage',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ricci_domtrans_modstorage'($*)) dnl
# ricci_domtrans_modstorage: executing ricci_modstorage_exec_t from $1
# yields a ricci_modstorage_t process, with the standard child-to-parent
# back channel (inherited fds, inherited pipes, sigchld) and nothing more.
gen_require(`
type ricci_modstorage_exec_t, ricci_modstorage_t;
')
allow ricci_modstorage_t $1:process { sigchld };
allow ricci_modstorage_t $1:fifo_file rw_file_perms;
allow ricci_modstorage_t $1:fd { use };
domain_auto_trans($1, ricci_modstorage_exec_t, ricci_modstorage_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ricci_domtrans_modstorage'($*)) dnl
')
## Remote login daemon
########################################
##
## Execute rlogind in the rlogin domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`rlogin_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `rlogin_domtrans'($*)) dnl
# rlogin_domtrans: $1 may search sbin and execute rlogind_exec_t, which
# transitions the process to rlogind_t. Unlike the other domtrans
# interfaces in this file, fd use is granted in both directions: the
# child on $1 fds and $1 on rlogind_t fds.
gen_require(`
type rlogind_exec_t, rlogind_t;
')
corecmd_search_sbin($1)
domain_auto_trans($1, rlogind_exec_t, rlogind_t)
# child-to-parent back channel
allow rlogind_t $1:process { sigchld };
allow rlogind_t $1:fifo_file rw_file_perms;
allow rlogind_t $1:fd { use };
# parent may also use descriptors of the child
allow $1 rlogind_t:fd { use };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `rlogin_domtrans'($*)) dnl
')
## Roundup Issue Tracking System policy
## Remote Procedure Call Daemon for management of network-based process communication
########################################
##
## RPC stub interface. No access allowed.
##
##
##
## N/A
##
##
#
define(`rpc_stub',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `rpc_stub'($*)) dnl
# rpc_stub: grants nothing. The require on exports_t is the only effect,
# so a caller placed inside optional_policy is activated only when the
# rpc module (which declares exports_t) is loaded.
gen_require(`
type exports_t;
')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `rpc_stub'($*)) dnl
')
#######################################
##
## The template to define a rpc domain.
##
##
##
## This template creates a domain to be used for
## a new rpc daemon.
##
##
##
##
## The type of daemon to be used.
##
##
#
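define(`rpc_domain_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `rpc_domain_template'($*)) dnl
# rpc_domain_template(prefix): declare $1_t and $1_exec_t as an
# init-started daemon domain and attach the policy shared by the RPC
# daemons. The network rules are deliberately broad (send/receive, bind
# and connect across all nodes and ports), so this template should only
# be applied to genuine RPC services.
#
# var_lib_nfs_t is used by the rules below but declared by the rpc module;
# requiring it here lets the template expand correctly in other modules.
gen_require(`
type var_lib_nfs_t;
')
########################################
#
# Declarations
#
type $1_t;
type $1_exec_t;
init_daemon_domain($1_t,$1_exec_t)
domain_use_interactive_fds($1_t)
####################################
#
# Local Policy
#
# net_admin and sys_tty_config stay denied; only the audit noise is suppressed
dontaudit $1_t self:capability { net_admin sys_tty_config };
allow $1_t self:capability net_bind_service;
allow $1_t self:process signal_perms;
allow $1_t self:unix_dgram_socket create_socket_perms;
allow $1_t self:unix_stream_socket create_stream_socket_perms;
allow $1_t self:netlink_route_socket r_netlink_socket_perms;
allow $1_t self:tcp_socket create_stream_socket_perms;
allow $1_t self:udp_socket create_socket_perms;
# NFS state data under /var/lib/nfs
allow $1_t var_lib_nfs_t:dir create_dir_perms;
allow $1_t var_lib_nfs_t:file create_file_perms;
kernel_list_proc($1_t)
kernel_read_proc_symlinks($1_t)
kernel_read_kernel_sysctls($1_t)
# bind to arbitrary unused ports
kernel_rw_rpc_sysctls($1_t)
dev_read_sysfs($1_t)
dev_read_urand($1_t)
dev_read_rand($1_t)
corenet_non_ipsec_sendrecv($1_t)
corenet_tcp_sendrecv_all_if($1_t)
corenet_udp_sendrecv_all_if($1_t)
corenet_tcp_sendrecv_all_nodes($1_t)
corenet_udp_sendrecv_all_nodes($1_t)
corenet_tcp_sendrecv_all_ports($1_t)
corenet_udp_sendrecv_all_ports($1_t)
corenet_tcp_bind_all_nodes($1_t)
corenet_udp_bind_all_nodes($1_t)
corenet_tcp_bind_reserved_port($1_t)
corenet_udp_bind_reserved_port($1_t)
corenet_tcp_connect_all_ports($1_t)
corenet_sendrecv_portmap_client_packets($1_t)
# do not log when it tries to bind to a port belonging to another domain
corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
corenet_dontaudit_udp_bind_all_reserved_ports($1_t)
# bind to arbitrary unused ports
corenet_tcp_bind_generic_port($1_t)
corenet_udp_bind_generic_port($1_t)
corenet_sendrecv_generic_server_packets($1_t)
corenet_tcp_bind_all_rpc_ports($1_t)
corenet_udp_bind_all_rpc_ports($1_t)
fs_rw_rpc_named_pipes($1_t)
fs_search_auto_mountpoints($1_t)
term_dontaudit_use_console($1_t)
files_read_etc_files($1_t)
files_read_etc_runtime_files($1_t)
files_search_var($1_t)
files_search_var_lib($1_t)
init_use_fds($1_t)
init_use_script_ptys($1_t)
libs_use_ld_so($1_t)
libs_use_shared_libs($1_t)
logging_send_syslog_msg($1_t)
miscfiles_read_localization($1_t)
sysnet_dns_name_resolve($1_t)
sysnet_read_config($1_t)
userdom_dontaudit_use_unpriv_user_fds($1_t)
ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_ttys($1_t)
term_dontaudit_use_generic_ptys($1_t)
files_dontaudit_read_root_files($1_t)
')
optional_policy(`
nis_use_ypbind($1_t)
')
optional_policy(`
seutil_sigchld_newrole($1_t)
')
optional_policy(`
udev_read_db($1_t)
')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `rpc_domain_template'($*)) dnl
')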
########################################
##
## Send UDP network traffic to rpc and receive UDP traffic from rpc. (Deprecated)
##
##
##
## The type of the process performing this action.
##
##
#
define(`rpc_udp_send',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `rpc_udp_send'($*)) dnl
# rpc_udp_send: deprecated, emits a build-time warning and grants nothing.
# Callers should switch to the current corenet interfaces.
refpolicywarn(`$0($*) has been deprecated.')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `rpc_udp_send'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of the NFS export file.
##
##
##
## The type of the process performing this action.
##
##
#
define(`rpc_dontaudit_getattr_exports',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `rpc_dontaudit_getattr_exports'($*)) dnl
# rpc_dontaudit_getattr_exports: keep getattr denials on the NFS exports
# file (exports_t) by $1 out of the audit log. Access is not granted.
gen_require(`
type exports_t;
')
dontaudit $1 exports_t:file { getattr };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `rpc_dontaudit_getattr_exports'($*)) dnl
')
########################################
##
## Allow read access to exports.
##
##
##
## The type of the process performing this action.
##
##
#
define(`rpc_read_exports',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `rpc_read_exports'($*)) dnl
# rpc_read_exports: $1 gets the read permission set (r_file_perms) on the
# NFS exports file. Searching the directory that holds it is not included.
gen_require(`
type exports_t;
')
allow $1 exports_t:file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `rpc_read_exports'($*)) dnl
')
########################################
##
## Allow write access to exports.
##
##
##
## The type of the process performing this action.
##
##
#
define(`rpc_write_exports',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `rpc_write_exports'($*)) dnl
# rpc_write_exports: $1 may write the NFS exports file. This controls which
# filesystems are exported, so grant it only to domains that must edit it.
# Only write is given here; read access is a separate interface.
gen_require(`
type exports_t;
')
allow $1 exports_t:file { write };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `rpc_write_exports'($*)) dnl
')
########################################
##
## Execute nfsd in the nfsd domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`rpc_domtrans_nfsd',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `rpc_domtrans_nfsd'($*)) dnl
# rpc_domtrans_nfsd: executing nfsd_exec_t from $1 yields an nfsd_t
# process. fd use is granted in both directions here (child on $1 fds,
# $1 on nfsd_t fds), plus the usual pipe and sigchld back channel.
gen_require(`
type nfsd_exec_t, nfsd_t;
')
domain_auto_trans($1, nfsd_exec_t, nfsd_t)
allow nfsd_t $1:process { sigchld };
allow nfsd_t $1:fifo_file rw_file_perms;
allow nfsd_t $1:fd { use };
allow $1 nfsd_t:fd { use };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `rpc_domtrans_nfsd'($*)) dnl
')
########################################
##
## Read NFS exported content.
##
##
##
## Domain allowed access.
##
##
##
#
define(`rpc_read_nfs_content',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `rpc_read_nfs_content'($*)) dnl
# rpc_read_nfs_content: read-only access for $1 to both kinds of exported
# content, the read-only exports (nfsd_ro_t) and the read-write exports
# (nfsd_rw_t): list directories, read files, follow symlinks.
gen_require(`
type nfsd_rw_t, nfsd_ro_t;
')
allow $1 { nfsd_rw_t nfsd_ro_t }:lnk_file { read getattr };
allow $1 { nfsd_rw_t nfsd_ro_t }:file read_file_perms;
allow $1 { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `rpc_read_nfs_content'($*)) dnl
')
########################################
##
## Allow domain to create, read and write read-write exported NFS content (nfsd_rw_t).
##
##
##
## Domain allowed access.
##
##
##
#
define(`rpc_manage_nfs_rw_content',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `rpc_manage_nfs_rw_content'($*)) dnl
# rpc_manage_nfs_rw_content: full management (create, read, write, delete)
# of directories, files and symlinks in the read-write export tree
# (nfsd_rw_t) for $1.
gen_require(`
type nfsd_rw_t;
')
allow $1 nfsd_rw_t:lnk_file create_lnk_perms;
allow $1 nfsd_rw_t:file manage_file_perms;
allow $1 nfsd_rw_t:dir manage_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `rpc_manage_nfs_rw_content'($*)) dnl
')
########################################
##
## Allow domain to create, read and write read-only exported NFS content (nfsd_ro_t).
##
##
##
## Domain allowed access.
##
##
##
#
define(`rpc_manage_nfs_ro_content',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `rpc_manage_nfs_ro_content'($*)) dnl
# rpc_manage_nfs_ro_content: full management (create, read, write, delete)
# of directories, files and symlinks in the read-only export tree
# (nfsd_ro_t) for $1. The tree is read-only for NFS clients, not for the
# local domain given this interface, so grant it with care.
gen_require(`
type nfsd_ro_t;
')
allow $1 nfsd_ro_t:lnk_file create_lnk_perms;
allow $1 nfsd_ro_t:file manage_file_perms;
allow $1 nfsd_ro_t:dir manage_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `rpc_manage_nfs_ro_content'($*)) dnl
')
########################################
##
## Allow domain to read and write to an NFS UDP socket.
##
##
##
## Domain allowed access.
##
##
#
define(`rpc_udp_rw_nfs_sockets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `rpc_udp_rw_nfs_sockets'($*)) dnl
# rpc_udp_rw_nfs_sockets: $1 gets the read/write socket permission set on
# UDP sockets owned by nfsd_t (sockets it already holds, e.g. inherited).
gen_require(`
type nfsd_t;
')
allow $1 nfsd_t:udp_socket rw_socket_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `rpc_udp_rw_nfs_sockets'($*)) dnl
')
########################################
##
## Send UDP traffic to NFSd. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`rpc_udp_send_nfs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `rpc_udp_send_nfs'($*)) dnl
# rpc_udp_send_nfs: deprecated, emits a build-time warning and grants nothing.
refpolicywarn(`$0($*) has been deprecated.')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `rpc_udp_send_nfs'($*)) dnl
')
########################################
##
## Search NFS state data in /var/lib/nfs.
##
##
##
## Domain allowed access.
##
##
#
define(`rpc_search_nfs_state_data',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `rpc_search_nfs_state_data'($*)) dnl
# rpc_search_nfs_state_data: $1 may traverse /var/lib and the NFS state
# directory (var_lib_nfs_t). Search only: no listing and no file access.
gen_require(`
type var_lib_nfs_t;
')
allow $1 var_lib_nfs_t:dir { search };
files_search_var_lib($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `rpc_search_nfs_state_data'($*)) dnl
')
########################################
##
## Read NFS state data in /var/lib/nfs.
##
##
##
## Domain allowed access.
##
##
#
define(`rpc_read_nfs_state_data',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `rpc_read_nfs_state_data'($*)) dnl
# rpc_read_nfs_state_data: read-only access for $1 to files in the NFS
# state directory (var_lib_nfs_t), reached through /var/lib. The
# directory itself only gets the search set, not a full listing.
gen_require(`
type var_lib_nfs_t;
')
allow $1 var_lib_nfs_t:file read_file_perms;
allow $1 var_lib_nfs_t:dir search_dir_perms;
files_search_var_lib($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `rpc_read_nfs_state_data'($*)) dnl
')
########################################
##
## Manage NFS state data in /var/lib/nfs.
##
##
##
## Domain allowed access.
##
##
#
define(`rpc_manage_nfs_state_data',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `rpc_manage_nfs_state_data'($*)) dnl
# rpc_manage_nfs_state_data: $1 may create, read, write and delete files
# in the NFS state directory (var_lib_nfs_t) and search its way there
# through /var/lib. Directory management is not part of this grant.
gen_require(`
type var_lib_nfs_t;
')
manage_files_pattern($1,var_lib_nfs_t,var_lib_nfs_t)
files_search_var_lib($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `rpc_manage_nfs_state_data'($*)) dnl
')
## Remote shell service.
########################################
##
## Domain transition to rshd.
##
##
##
## The type of the process performing this action.
##
##
#
define(`rshd_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `rshd_domtrans'($*)) dnl
# rshd_domtrans: $1 may locate rshd_exec_t under /usr and the bin
# directories and execute it, transitioning to rshd_t. fd use is granted
# in both directions (child on $1 fds, $1 on rshd_t fds) together with
# the pipe and sigchld back channel.
gen_require(`
type rshd_t, rshd_exec_t;
')
corecmd_search_bin($1)
files_search_usr($1)
domain_auto_trans($1, rshd_exec_t, rshd_t)
# child-to-parent back channel
allow rshd_t $1:process { sigchld };
allow rshd_t $1:fifo_file rw_file_perms;
allow rshd_t $1:fd { use };
# parent may also use descriptors of the child
allow $1 rshd_t:fd { use };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `rshd_domtrans'($*)) dnl
')
## Fast incremental file transfer for synchronization
########################################
##
## Make rsync an entry point for
## the specified domain.
##
##
##
## The domain for which rsync is an entry point.
##
##
# cjp: added for portage
# Only the entrypoint rule is granted (domain_entry_file); no transition into
# or out of the domain is set up here -- see rsync_entry_domtrans and
# rsync_entry_spec_domtrans for that.
define(`rsync_entry_type',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `rsync_entry_type'($*)) dnl
gen_require(`
type rsync_exec_t;
')
domain_entry_file($1,rsync_exec_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `rsync_entry_type'($*)) dnl
')
########################################
##
## Execute rsync with a transition to a specified domain.
##
##
##
## Execute rsync with a transition to the specified domain.
## This uses domain_trans rather than domain_auto_trans, so the
## transition is presumably not automatic and must be requested
## by the caller (compare rsync_entry_domtrans).
##
##
## No interprocess communication (signals, pipes,
## etc.) is provided by this interface since
## the domains are not owned by this module.
##
##
##
##
## Domain to transition from.
##
##
##
##
## Domain to transition to.
##
##
# cjp: added for portage
# Arguments: 1 = source domain, 2 = target domain.
define(`rsync_entry_spec_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `rsync_entry_spec_domtrans'($*)) dnl
gen_require(`
type rsync_exec_t;
')
domain_trans($1,rsync_exec_t,$2)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `rsync_entry_spec_domtrans'($*)) dnl
')
########################################
##
## Execute rsync with an automatic transition to a specified domain.
##
##
##
## Execute rsync with an automatic transition (domain_auto_trans)
## to the specified domain. Compare rsync_entry_spec_domtrans,
## which uses domain_trans instead.
##
##
## No interprocess communication (signals, pipes,
## etc.) is provided by this interface since
## the domains are not owned by this module.
##
##
##
##
## Domain to transition from.
##
##
##
##
## Domain to transition to.
##
##
# cjp: added for portage
# Arguments: 1 = source domain, 2 = target domain.
define(`rsync_entry_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `rsync_entry_domtrans'($*)) dnl
gen_require(`
type rsync_exec_t;
')
domain_auto_trans($1,rsync_exec_t,$2)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `rsync_entry_domtrans'($*)) dnl
')
########################################
##
## Execute rsync in the caller domain.
##
##
##
## Domain allowed access.
##
##
##
# can_exec only: rsync runs inside the calling domain with that domain's
# privileges. No domain transition is set up by this interface.
define(`rsync_exec',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `rsync_exec'($*)) dnl
gen_require(`
type rsync_exec_t;
')
can_exec($1,rsync_exec_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `rsync_exec'($*)) dnl
')
##
## SMB and CIFS client/server programs for UNIX and
## Name Service Switch daemon for resolving names
## from Windows NT servers.
##
#######################################
##
## The per role template for the samba module.
##
##
##
## This template allows smbd to manage files in
## a user home directory, creating files with the
## correct type.
##
##
## This template is invoked automatically for each user, and
## generally does not need to be invoked directly
## by policy writers.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
# Every rule is wrapped in tunable_policy(samba_enable_home_dirs): with the
# boolean off this template grants smbd_t nothing. The final filetrans rule
# presumably labels dirs, files, symlinks, sockets and pipes that smbd creates
# in the user home directory with the per-role home content type (inferred
# from the interface name; confirm against the userdom definition).
define(`samba_per_role_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `samba_per_role_template'($*)) dnl
gen_require(`
type smbd_t;
')
tunable_policy(`samba_enable_home_dirs',`
userdom_manage_user_home_content_dirs($1,smbd_t)
userdom_manage_user_home_content_files($1,smbd_t)
userdom_manage_user_home_content_symlinks($1,smbd_t)
userdom_manage_user_home_content_sockets($1,smbd_t)
userdom_manage_user_home_content_pipes($1,smbd_t)
userdom_user_home_dir_filetrans_user_home_content($1,smbd_t,{ dir file lnk_file sock_file fifo_file })
')
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `samba_per_role_template'($*)) dnl
')
########################################
##
## Execute samba net in the samba_net domain.
##
##
##
## The type of the process performing this action.
##
##
# corecmd_search_bin gives the caller search access to the bin directories
# holding the net binary. The fd, fifo_file and sigchld rules let the
# samba_net_t child use the descriptors and pipes inherited from the caller
# and report its exit to it.
define(`samba_domtrans_net',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `samba_domtrans_net'($*)) dnl
gen_require(`
type samba_net_t, samba_net_exec_t;
')
corecmd_search_bin($1)
domain_auto_trans($1,samba_net_exec_t,samba_net_t)
allow $1 samba_net_t:fd use;
allow samba_net_t $1:fd use;
allow samba_net_t $1:fifo_file rw_file_perms;
allow samba_net_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `samba_domtrans_net'($*)) dnl
')
########################################
##
## Execute samba net in the samba_net domain, and
## allow the specified role the samba_net domain.
##
##
##
## The type of the process performing this action.
##
##
##
##
## The role to be allowed the samba_net domain.
##
##
##
##
## The type of the terminal to allow the samba_net domain to use.
##
##
##
# Arguments: 1 = caller domain, 2 = role, 3 = terminal type.
# Builds on samba_domtrans_net, then authorizes the role for samba_net_t and
# grants the child read/write on the terminal. Contrast samba_run_smbcontrol,
# which only dontaudits terminal access instead of allowing it.
define(`samba_run_net',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `samba_run_net'($*)) dnl
gen_require(`
type samba_net_t;
')
samba_domtrans_net($1)
role $2 types samba_net_t;
allow samba_net_t $3:chr_file rw_term_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `samba_run_net'($*)) dnl
')
########################################
##
## Execute smbmount in the smbmount domain.
##
##
##
## The type of the process performing this action.
##
##
# Same shape as samba_domtrans_net: bin directory search for the caller,
# automatic transition to smbmount_t, and fd/fifo_file/sigchld rules so the
# child can use inherited descriptors and pipes and report its exit.
define(`samba_domtrans_smbmount',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `samba_domtrans_smbmount'($*)) dnl
gen_require(`
type smbmount_t, smbmount_exec_t;
')
corecmd_search_bin($1)
domain_auto_trans($1,smbmount_exec_t,smbmount_t)
allow $1 smbmount_t:fd use;
allow smbmount_t $1:fd use;
allow smbmount_t $1:fifo_file rw_file_perms;
allow smbmount_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `samba_domtrans_smbmount'($*)) dnl
')
########################################
##
## Allow the specified domain to read
## samba configuration files.
##
##
##
## Domain allowed access.
##
##
##
# File access is spelled as the literal set { read getattr lock } rather than
# the read_file_perms macro used elsewhere in this file (e.g.
# rpc_read_nfs_state_data). Whether the two sets are identical depends on the
# permission set definitions, which are not visible here; check before
# assuming parity with the other read interfaces.
define(`samba_read_config',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `samba_read_config'($*)) dnl
gen_require(`
type samba_etc_t;
')
files_search_etc($1)
allow $1 samba_etc_t:dir search_dir_perms;
allow $1 samba_etc_t:file { read getattr lock };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `samba_read_config'($*)) dnl
')
########################################
##
## Allow the specified domain to read
## and write samba configuration files.
##
##
##
## Domain allowed access.
##
##
##
# rw_file_perms on existing config files with search-only access to the
# directory; creating or removing config files is presumably not covered
# (depends on the rw_file_perms definition, not visible here).
define(`samba_rw_config',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `samba_rw_config'($*)) dnl
gen_require(`
type samba_etc_t;
')
files_search_etc($1)
allow $1 samba_etc_t:dir search_dir_perms;
allow $1 samba_etc_t:file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `samba_rw_config'($*)) dnl
')
########################################
##
## Allow the specified domain to read samba's log files.
##
##
##
## Domain allowed access.
##
##
##
# r_dir_perms on the log directory (listing, not just traversal) plus the
# literal { read getattr lock } set on the files. See samba_append_log for the
# append-only variant and samba_exec_log for the execute variant.
define(`samba_read_log',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `samba_read_log'($*)) dnl
gen_require(`
type samba_log_t;
')
logging_search_logs($1)
allow $1 samba_log_t:dir r_dir_perms;
allow $1 samba_log_t:file { read getattr lock };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `samba_read_log'($*)) dnl
')
########################################
##
## Allow the specified domain to append to samba's log files.
##
##
##
## Domain allowed access.
##
##
##
# append_file_perms only: existing log content cannot be read or rewritten
# through this interface (reading is granted separately by samba_read_log).
define(`samba_append_log',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `samba_append_log'($*)) dnl
gen_require(`
type samba_log_t;
')
logging_search_logs($1)
allow $1 samba_log_t:dir r_dir_perms;
allow $1 samba_log_t:file append_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `samba_append_log'($*)) dnl
')
########################################
##
## Execute files labeled samba_log_t in the caller domain.
##
##
##
## The type of the process performing this action.
##
##
# Grants execute (can_exec) on files of type samba_log_t, i.e. on log files,
# with no domain transition. Execute permission on log-typed content is
# unusual: if log content can be influenced by remote SMB clients, this widens
# what a compromised caller can run. Callers should confirm they need this
# rather than samba_read_log, and the set of callers should stay minimal.
define(`samba_exec_log',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `samba_exec_log'($*)) dnl
gen_require(`
type samba_log_t;
')
logging_search_logs($1)
can_exec($1,samba_log_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `samba_exec_log'($*)) dnl
')
########################################
##
## Allow the specified domain to read samba's secrets.
##
##
##
## Domain allowed access.
##
##
# Grants read of samba_secrets_t, i.e. credential material. Only
# files_search_etc is added for traversal, so the secrets file is presumably
# located directly in an etc-typed directory. Keep the set of callers minimal;
# any domain given this interface can read the stored secrets.
define(`samba_read_secrets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `samba_read_secrets'($*)) dnl
gen_require(`
type samba_secrets_t;
')
files_search_etc($1)
allow $1 samba_secrets_t:file { read getattr lock };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `samba_read_secrets'($*)) dnl
')
########################################
##
## Allow the specified domain to search
## samba /var directories.
##
##
##
## Domain allowed access.
##
##
# Traversal only (search_dir_perms on samba_var_t); pair with
# samba_read_var_files, samba_rw_var_files or samba_manage_var_files for
# access to the files themselves.
define(`samba_search_var',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `samba_search_var'($*)) dnl
gen_require(`
type samba_var_t;
')
files_search_var($1)
allow $1 samba_var_t:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `samba_search_var'($*)) dnl
')
########################################
##
## Allow the specified domain to
## read samba /var files.
##
##
##
## Domain allowed access.
##
##
# Both /var and /var/lib are searched (files_search_var, files_search_var_lib),
# so samba_var_t content may live under either; the sibling interfaces
# samba_rw_var_files and samba_manage_var_files only search /var. The dir and
# file rules on samba_var_t come from read_files_pattern.
define(`samba_read_var_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `samba_read_var_files'($*)) dnl
gen_require(`
type samba_var_t;
')
files_search_var($1)
files_search_var_lib($1)
read_files_pattern($1,samba_var_t,samba_var_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `samba_read_var_files'($*)) dnl
')
########################################
##
## Allow the specified domain to
## read and write samba /var files.
##
##
##
## Domain allowed access.
##
##
# Read/write on existing samba_var_t files with search-only directory access.
# Unlike samba_read_var_files, only /var is searched here, not /var/lib; use
# samba_manage_var_files when files must be created or removed.
define(`samba_rw_var_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `samba_rw_var_files'($*)) dnl
gen_require(`
type samba_var_t;
')
files_search_var($1)
allow $1 samba_var_t:dir search_dir_perms;
allow $1 samba_var_t:file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `samba_rw_var_files'($*)) dnl
')
########################################
##
## Allow the specified domain to
## manage (create, read, write, and delete) samba /var files.
##
##
##
## Domain allowed access.
##
##
# rw_dir_perms on the samba_var_t directories plus manage_file_perms on the
# files. Only /var is searched for traversal (compare samba_read_var_files).
define(`samba_manage_var_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `samba_manage_var_files'($*)) dnl
gen_require(`
type samba_var_t;
')
files_search_var($1)
allow $1 samba_var_t:dir rw_dir_perms;
allow $1 samba_var_t:file manage_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `samba_manage_var_files'($*)) dnl
')
########################################
##
## Allow the specified domain to write to smbmount tcp sockets.
##
##
##
## Domain allowed access.
##
##
# Write only, on TCP sockets owned by smbmount_t (typically inherited
# descriptors); samba_rw_smbmount_tcp_sockets adds read.
define(`samba_write_smbmount_tcp_sockets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `samba_write_smbmount_tcp_sockets'($*)) dnl
gen_require(`
type smbmount_t;
')
allow $1 smbmount_t:tcp_socket write;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `samba_write_smbmount_tcp_sockets'($*)) dnl
')
########################################
##
## Allow the specified domain to read and write to smbmount tcp sockets.
##
##
##
## Domain allowed access.
##
##
# The literal { read write } set on smbmount_t TCP sockets; no getattr and no
# connect/bind, so this is for sockets the caller already holds.
define(`samba_rw_smbmount_tcp_sockets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `samba_rw_smbmount_tcp_sockets'($*)) dnl
gen_require(`
type smbmount_t;
')
allow $1 smbmount_t:tcp_socket { read write };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `samba_rw_smbmount_tcp_sockets'($*)) dnl
')
########################################
##
## Execute winbind_helper in the winbind_helper domain.
##
##
##
## The type of the process performing this action.
##
##
# Unlike samba_domtrans_net and samba_domtrans_smbmount, no corecmd_search_bin
# is granted here, so the caller needs search access to the directory holding
# the helper binary from elsewhere. The fd/fifo_file/sigchld rules let the
# winbind_helper_t child use inherited descriptors and pipes and report its
# exit to the caller.
define(`samba_domtrans_winbind_helper',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `samba_domtrans_winbind_helper'($*)) dnl
gen_require(`
type winbind_helper_t, winbind_helper_exec_t;
')
domain_auto_trans($1,winbind_helper_exec_t,winbind_helper_t)
allow $1 winbind_helper_t:fd use;
allow winbind_helper_t $1:fd use;
allow winbind_helper_t $1:fifo_file rw_file_perms;
allow winbind_helper_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `samba_domtrans_winbind_helper'($*)) dnl
')
########################################
##
## Execute winbind_helper in the winbind_helper domain, and
## allow the specified role the winbind_helper domain.
##
##
##
## The type of the process performing this action.
##
##
##
##
## The role to be allowed the winbind_helper domain.
##
##
##
##
## The type of the terminal to allow the winbind_helper domain to use.
##
##
##
# Arguments: 1 = caller domain, 2 = role, 3 = terminal type.
# Builds on samba_domtrans_winbind_helper, authorizes the role for
# winbind_helper_t and grants the child read/write on the terminal.
define(`samba_run_winbind_helper',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `samba_run_winbind_helper'($*)) dnl
gen_require(`
type winbind_helper_t;
')
samba_domtrans_winbind_helper($1)
role $2 types winbind_helper_t;
allow winbind_helper_t $3:chr_file rw_term_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `samba_run_winbind_helper'($*)) dnl
')
########################################
##
## Allow the specified domain to read the winbind pid files.
##
##
##
## Domain allowed access.
##
##
# r_file_perms on the pid file only. Search on a winbind_var_run_t directory is
# not granted here (samba_stream_connect_winbind does grant it), so if the pid
# file sits inside a directory of that type callers need that search access
# separately.
define(`samba_read_winbind_pid',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `samba_read_winbind_pid'($*)) dnl
gen_require(`
type winbind_var_run_t;
')
files_search_pids($1)
allow $1 winbind_var_run_t:file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `samba_read_winbind_pid'($*)) dnl
')
########################################
##
## Connect to winbind over its unix stream socket.
##
##
##
## Domain allowed access.
##
##
# Full connect path: search on samba_var_t and winbind_var_run_t directories
# (the winbind socket directory presumably nests under a samba_var_t path --
# confirm against the file contexts), getattr/read/write on the sock_file, and
# connectto on the winbind_t unix stream socket.
define(`samba_stream_connect_winbind',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `samba_stream_connect_winbind'($*)) dnl
gen_require(`
type samba_var_t, winbind_t, winbind_var_run_t;
')
files_search_pids($1)
allow $1 samba_var_t:dir search_dir_perms;
allow $1 winbind_var_run_t:dir search_dir_perms;
allow $1 winbind_var_run_t:sock_file { getattr read write };
allow $1 winbind_t:unix_stream_socket connectto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `samba_stream_connect_winbind'($*)) dnl
')
########################################
##
## Do not audit attempts to use file descriptors from samba.
##
##
##
## Domain to not audit.
##
##
# Grants nothing: only suppresses audit records for fd use against smbd_t
# (other samba domains are not covered).
define(`samba_dontaudit_use_fds',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `samba_dontaudit_use_fds'($*)) dnl
gen_require(`
type smbd_t;
')
dontaudit $1 smbd_t:fd use;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `samba_dontaudit_use_fds'($*)) dnl
')
########################################
##
## Allow the specified domain to read samba's shared files.
##
##
##
## Domain allowed access.
##
##
# The filesystem getattr rule is a filesystem-class rule on a file type --
# presumably so the caller can stat the filesystem backing a share mount;
# confirm. The dir/file read rules on samba_share_t come from
# read_files_pattern. No traversal to the share location is added here.
define(`samba_read_share_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `samba_read_share_files'($*)) dnl
gen_require(`
type samba_share_t;
')
allow $1 samba_share_t:filesystem getattr;
read_files_pattern($1, samba_share_t, samba_share_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `samba_read_share_files'($*)) dnl
')
########################################
##
## Execute a domain transition to run smbcontrol.
##
##
##
## Domain allowed to transition.
##
##
# Expressed through domtrans_pattern instead of the hand-written
# domain_auto_trans + fd/fifo_file/sigchld rules used by the other
# samba_domtrans_* interfaces above. No corecmd_search_bin is added here.
define(`samba_domtrans_smbcontrol',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `samba_domtrans_smbcontrol'($*)) dnl
gen_require(`
type smbcontrol_t;
type smbcontrol_exec_t;
')
domtrans_pattern($1,smbcontrol_exec_t,smbcontrol_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `samba_domtrans_smbcontrol'($*)) dnl
')
########################################
##
## Execute smbcontrol in the smbcontrol domain, and
## allow the specified role the smbcontrol domain.
##
##
##
## Domain allowed access
##
##
##
##
## The role to be allowed the smbcontrol domain.
##
##
##
##
## The type of the role's terminal.
##
##
# Arguments: 1 = caller domain, 2 = role, 3 = terminal type.
# Terminal access for smbcontrol_t is dontaudit, not allow (contrast
# samba_run_net and samba_run_winbind_helper): the terminal is not granted,
# denials against it are merely kept out of the audit log.
define(`samba_run_smbcontrol',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `samba_run_smbcontrol'($*)) dnl
gen_require(`
type smbcontrol_t;
')
samba_domtrans_smbcontrol($1)
role $2 types smbcontrol_t;
dontaudit smbcontrol_t $3:chr_file rw_term_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `samba_run_smbcontrol'($*)) dnl
')
## SASL authentication server
########################################
##
## Connect to saslauthd over its unix stream socket.
##
##
##
## Domain allowed access.
##
##
# Directory access is the bare search permission rather than the
# search_dir_perms set used by the other connect interfaces in this file;
# whether that difference matters depends on the set definition, which is not
# visible here.
define(`sasl_connect',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `sasl_connect'($*)) dnl
gen_require(`
type saslauthd_t, saslauthd_var_run_t;
')
files_search_pids($1)
allow $1 saslauthd_var_run_t:dir search;
allow $1 saslauthd_var_run_t:sock_file { read write };
allow $1 saslauthd_t:unix_stream_socket connectto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `sasl_connect'($*)) dnl
')
## Policy for sendmail.
########################################
##
## Sendmail stub interface. No access allowed.
##
##
##
## N/A
##
##
# Intentionally empty: the body is only a gen_require of sendmail_t so that a
# calling module can reference the type; no allow rules are generated.
define(`sendmail_stub',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `sendmail_stub'($*)) dnl
gen_require(`
type sendmail_t;
')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `sendmail_stub'($*)) dnl
')
########################################
##
## Domain transition to sendmail.
##
##
##
## Domain allowed access.
##
##
# The transition itself is delegated to mta_sendmail_domtrans (defined in the
# mta module, not visible here). The rules added here let the sendmail_t child
# use the descriptors and pipes inherited from the caller and report its exit.
define(`sendmail_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `sendmail_domtrans'($*)) dnl
gen_require(`
type sendmail_t;
')
mta_sendmail_domtrans($1,sendmail_t)
allow $1 sendmail_t:fd use;
allow sendmail_t $1:fd use;
allow sendmail_t $1:fifo_file rw_file_perms;
allow sendmail_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `sendmail_domtrans'($*)) dnl
')
########################################
##
## Read and write sendmail TCP sockets.
##
##
##
## Domain allowed access.
##
##
# The literal { read write } set on sendmail_t TCP sockets the caller already
# holds; no getattr, connect or bind.
define(`sendmail_rw_tcp_sockets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `sendmail_rw_tcp_sockets'($*)) dnl
gen_require(`
type sendmail_t;
')
allow $1 sendmail_t:tcp_socket { read write };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `sendmail_rw_tcp_sockets'($*)) dnl
')
########################################
##
## Allow the specified domain to send a signal to sendmail.
##
##
##
## Domain allowed access.
##
##
# This is an allow rule (process signal on sendmail_t), not a dontaudit; the
# parameter is the domain being granted access.
define(`sendmail_signal',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `sendmail_signal'($*)) dnl
gen_require(`
type sendmail_t;
')
allow $1 sendmail_t:process signal;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `sendmail_signal'($*)) dnl
')
########################################
##
## Read and write sendmail unix stream sockets.
##
##
##
## Domain allowed access.
##
##
# getattr/read/write on sendmail_t unix stream sockets the caller already
# holds; no connectto, so this does not by itself let the caller connect.
define(`sendmail_rw_unix_stream_sockets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `sendmail_rw_unix_stream_sockets'($*)) dnl
gen_require(`
type sendmail_t;
')
allow $1 sendmail_t:unix_stream_socket { getattr read write };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `sendmail_rw_unix_stream_sockets'($*)) dnl
')
########################################
##
## Read sendmail logs.
##
##
##
## Domain allowed access.
##
##
##
# search_dir_perms on the log directory plus read_file_perms on the files;
# logging_search_logs supplies traversal to the log directory itself.
define(`sendmail_read_log',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `sendmail_read_log'($*)) dnl
gen_require(`
type sendmail_log_t;
')
logging_search_logs($1)
allow $1 sendmail_log_t:dir search_dir_perms;
allow $1 sendmail_log_t:file read_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `sendmail_read_log'($*)) dnl
')
########################################
##
## Create, read, write, and delete sendmail logs.
##
##
##
## Domain allowed access.
##
##
##
# manage_dir_perms and manage_file_perms on sendmail_log_t. The
# type_transition that labels newly created logs is not set here; see
# sendmail_create_log.
define(`sendmail_manage_log',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `sendmail_manage_log'($*)) dnl
gen_require(`
type sendmail_log_t;
')
logging_search_logs($1)
allow $1 sendmail_log_t:dir manage_dir_perms;
allow $1 sendmail_log_t:file manage_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `sendmail_manage_log'($*)) dnl
')
########################################
##
## Create sendmail logs with the correct type.
##
##
##
## Domain allowed access.
##
##
# Only the type_transition for new files in the log directory is set up
# (logging_log_filetrans with class file). Permission to create and write the
# resulting sendmail_log_t file is presumably not included -- pair with
# sendmail_manage_log; confirm against the logging_log_filetrans definition.
define(`sendmail_create_log',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `sendmail_create_log'($*)) dnl
gen_require(`
type sendmail_log_t;
')
logging_log_filetrans($1,sendmail_log_t,file)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `sendmail_create_log'($*)) dnl
')
########################################
##
## Allow the specified domain to read and write
## sendmail unnamed pipes.
##
##
##
## Domain allowed access.
##
##
# This is an allow rule (rw_fifo_file_perms on sendmail_t pipes), not a
# dontaudit; the parameter is the domain being granted access.
define(`sendmail_rw_pipes',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `sendmail_rw_pipes'($*)) dnl
gen_require(`
type sendmail_t;
')
allow $1 sendmail_t:fifo_file rw_fifo_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `sendmail_rw_pipes'($*)) dnl
')
## SELinux troubleshooting service
########################################
##
## Connect to setroubleshootd over a unix stream socket.
##
##
##
## Domain allowed access.
##
##
# Only write on the sock_file (no getattr/read) and no search on a
# setroubleshoot_var_run_t directory, unlike samba_stream_connect_winbind. If
# the socket lives inside a directory of that type, connect attempts would be
# denied on dir search -- verify against the setroubleshoot file contexts.
define(`setroubleshoot_stream_connect',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `setroubleshoot_stream_connect'($*)) dnl
gen_require(`
type setroubleshootd_t, setroubleshoot_var_run_t;
')
files_search_pids($1)
allow $1 setroubleshoot_var_run_t:sock_file write;
allow $1 setroubleshootd_t:unix_stream_socket connectto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `setroubleshoot_stream_connect'($*)) dnl
')
## Service for downloading news feeds for the slrn newsreader.
########################################
##
## Allow the domain to search slrnpull spools.
##
##
##
## Domain allowed access.
##
##
# Traversal only: files_search_spool for the spool root plus search_dir_perms
# on slrnpull_spool_t; no file access. See slrnpull_manage_spool.
define(`slrnpull_search_spool',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `slrnpull_search_spool'($*)) dnl
gen_require(`
type slrnpull_spool_t;
')
files_search_spool($1)
allow $1 slrnpull_spool_t:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `slrnpull_search_spool'($*)) dnl
')
########################################
##
## Allow the domain to create, read,
## write, and delete slrnpull spools.
##
##
##
## Domain allowed access.
##
##
# Uses the create_dir_perms / create_file_perms / create_lnk_perms sets where
# other manage interfaces in this file use manage_*_perms (see
# sendmail_manage_log). Whether these are the same permission sets depends on
# definitions not visible here.
define(`slrnpull_manage_spool',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `slrnpull_manage_spool'($*)) dnl
gen_require(`
type slrnpull_spool_t;
')
files_search_spool($1)
allow $1 slrnpull_spool_t:dir create_dir_perms;
allow $1 slrnpull_spool_t:file create_file_perms;
allow $1 slrnpull_spool_t:lnk_file create_lnk_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `slrnpull_manage_spool'($*)) dnl
')
## Smart disk monitoring daemon policy
#######################################
##
## Allow the caller to read smartmon temporary files.
##
##
##
## The process type reading the temporary files.
##
##
# The literal { getattr ioctl read } set on the file class only. No search
# access into the temporary directory is granted, so callers presumably need
# that from a separate interface.
define(`smartmon_read_tmp_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `smartmon_read_tmp_files'($*)) dnl
gen_require(`
type fsdaemon_tmp_t;
')
allow $1 fsdaemon_tmp_t:file { getattr ioctl read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `smartmon_read_tmp_files'($*)) dnl
')
## Simple network management protocol services
########################################
##
## Use snmp over a TCP connection. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`snmp_tcp_connect',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `snmp_tcp_connect'($*)) dnl
# Deprecated interface: expands only to a build-time warning and grants
# no access at all.
refpolicywarn(`$0($*) has been deprecated.')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `snmp_tcp_connect'($*)) dnl
')
########################################
##
## Send and receive UDP traffic to SNMP (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`snmp_udp_chat',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `snmp_udp_chat'($*)) dnl
# Deprecated interface: expands only to a build-time warning and grants
# no access at all.
refpolicywarn(`$0($*) has been deprecated.')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `snmp_udp_chat'($*)) dnl
')
########################################
##
## Read snmpd libraries.
##
##
##
## Domain allowed access.
##
##
#
define(`snmp_read_snmp_var_lib_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `snmp_read_snmp_var_lib_files'($*)) dnl
gen_require(`
type snmpd_var_lib_t;
')
# Read-only access to snmpd_var_lib_t content: list directories, read
# files and follow symlinks. The parent var_lib directory is not searched
# here; callers needing that must add it themselves.
allow $1 snmpd_var_lib_t:dir r_dir_perms;
allow $1 snmpd_var_lib_t:file r_file_perms;
allow $1 snmpd_var_lib_t:lnk_file { getattr read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `snmp_read_snmp_var_lib_files'($*)) dnl
')
########################################
##
## dontaudit Read snmpd libraries.
##
##
##
## Domain allowed access.
##
##
#
define(`snmp_dontaudit_read_snmp_var_lib_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `snmp_dontaudit_read_snmp_var_lib_files'($*)) dnl
gen_require(`
type snmpd_var_lib_t;
')
# Suppress audit messages for read-only access to snmpd_var_lib_t.
# Grants nothing: the denials still happen, they are just not logged.
dontaudit $1 snmpd_var_lib_t:dir r_dir_perms;
dontaudit $1 snmpd_var_lib_t:file r_file_perms;
dontaudit $1 snmpd_var_lib_t:lnk_file { getattr read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `snmp_dontaudit_read_snmp_var_lib_files'($*)) dnl
')
########################################
##
## dontaudit write snmpd libraries files.
##
##
##
## Domain allowed access.
##
##
#
define(`snmp_dontaudit_write_snmp_var_lib_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `snmp_dontaudit_write_snmp_var_lib_files'($*)) dnl
gen_require(`
type snmpd_var_lib_t;
')
# Suppress audit messages for write attempts on snmpd_var_lib_t files.
# Grants nothing; only the write permission is silenced.
dontaudit $1 snmpd_var_lib_t:file write;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `snmp_dontaudit_write_snmp_var_lib_files'($*)) dnl
')
## Snort network intrusion detection system
## sound server for network audio server programs, nasd, yiff, etc
########################################
##
## Connect to the sound server over a TCP socket (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`soundserver_tcp_connect',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `soundserver_tcp_connect'($*)) dnl
# Deprecated interface: expands only to a build-time warning and grants
# no access at all.
refpolicywarn(`$0($*) has been deprecated.')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `soundserver_tcp_connect'($*)) dnl
')
## Filter used for removing unsolicited email.
#######################################
##
## The per role template for the spamassassin module.
##
##
##
## The per role template for the spamassassin module.
##
##
## This template is invoked automatically for each user, and
## generally does not need to be invoked directly
## by policy writers.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## The type of the user domain.
##
##
##
##
## The role associated with the user domain.
##
##
#
# cjp: when tunables are available, spamc stuff should be
# toggled on activation of spamc, and similarly for spamd.
define(`spamassassin_per_role_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `spamassassin_per_role_template'($*)) dnl
gen_require(`
type spamc_exec_t, spamassassin_exec_t;
type spamc_t, spamd_t, spamassassin_t;
type spamassassin_home_t;
')
##############################
#
# Declarations
#
# The per-user names are only aliases: every user prefix shares the single
# spamc_t and spamassassin_t domains, and the user role is authorized for
# both of them.
typealias spamc_t alias $1_spamc_t;
role $3 types spamc_t;
typealias spamassassin_t alias $1_spamassassin_t;
role $3 types spamassassin_t;
# The user domain gets full create/delete and relabel control over the
# spamassassin home content (dirs, files, symlinks).
manage_dirs_pattern($2, spamassassin_home_t,spamassassin_home_t)
manage_files_pattern($2, spamassassin_home_t,spamassassin_home_t)
manage_lnk_files_pattern($2, spamassassin_home_t,spamassassin_home_t)
relabel_dirs_pattern($2, spamassassin_home_t,spamassassin_home_t)
relabel_files_pattern($2, spamassassin_home_t,spamassassin_home_t)
relabel_lnk_files_pattern($2, spamassassin_home_t,spamassassin_home_t)
# Running the standalone scanner or the spamc client from the user domain
# transitions into spamassassin_t / spamc_t respectively.
spamassassin_domtrans($2)
spamassassin_domtrans_spamc($2)
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `spamassassin_per_role_template'($*)) dnl
')
########################################
##
## Execute the standalone spamassassin
## program in the caller directory.
##
##
##
## Domain allowed access.
##
##
#
define(`spamassassin_exec',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `spamassassin_exec'($*)) dnl
gen_require(`
type spamassassin_exec_t;
')
# Execute the standalone spamassassin binary without a domain transition
# (compare spamassassin_domtrans, which switches to spamassassin_t).
can_exec($1,spamassassin_exec_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `spamassassin_exec'($*)) dnl
')
########################################
##
## Signal the spamassassin daemon
##
##
##
## The type of the process performing this action.
##
##
#
define(`spamassassin_signal_spamd',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `spamassassin_signal_spamd'($*)) dnl
gen_require(`
type spamd_t;
')
# Only the plain signal permission is granted, not the wider signal_perms
# set used by spamassassin_spamd_admin.
allow $1 spamd_t:process signal;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `spamassassin_signal_spamd'($*)) dnl
')
########################################
##
## Execute the spamassassin daemon
## program in the caller directory.
##
##
##
## Domain allowed access.
##
##
#
define(`spamassassin_exec_spamd',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `spamassassin_exec_spamd'($*)) dnl
gen_require(`
type spamd_exec_t;
')
# Execute the spamd binary in the caller domain (no transition to spamd_t).
can_exec($1,spamd_exec_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `spamassassin_exec_spamd'($*)) dnl
')
########################################
##
## Execute spamassassin client in the user spamassassin client domain.
##
##
##
## This is a template and should only be called
## from per user domain templates.
##
##
##
##
## The prefix of the user domain. eg user would be the prefix of user_t.
##
##
##
##
## The type of the process performing this action.
##
##
#
define(`spamassassin_domtrans_user_client',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `spamassassin_domtrans_user_client'($*)) dnl
# Only the second argument (the user domain) is used; the prefix argument
# exists for signature compatibility with the other per-user templates.
spamassassin_domtrans_spamc($2)
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `spamassassin_domtrans_user_client'($*)) dnl
')
########################################
##
## Execute spamassassin client in the spamassassin client domain.
##
##
##
## This is a template and should only be called
## from per user domain templates.
##
##
##
##
## The type of the process performing this action.
##
##
#
define(`spamassassin_domtrans_spamc',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `spamassassin_domtrans_spamc'($*)) dnl
gen_require(`
type spamc_t, spamc_exec_t;
')
# Automatic transition to spamc_t when the caller executes spamc_exec_t.
# The ioctl on the executable is granted in addition to the pattern.
domtrans_pattern($1,spamc_exec_t,spamc_t)
allow $1 spamc_exec_t:file ioctl;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `spamassassin_domtrans_spamc'($*)) dnl
')
########################################
##
## Read spamassassin per user homedir
##
##
##
## Read spamassassin per user homedir
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain allowed access.
##
##
#
define(`spamassassin_read_user_home_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `spamassassin_read_user_home_files'($*)) dnl
gen_require(`
type spamassassin_home_t;
')
# Read-only access to the per-user spamassassin home content: list the
# directories and read the files. Symlinks and any write access are not
# granted. The prefix argument is not used by this body.
allow $1 spamassassin_home_t:dir list_dir_perms;
allow $1 spamassassin_home_t:file read_file_perms;
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `spamassassin_read_user_home_files'($*)) dnl
')
########################################
##
## Execute the spamassassin client
## program in the caller directory.
##
##
##
## Domain allowed access.
##
##
#
define(`spamassassin_exec_client',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `spamassassin_exec_client'($*)) dnl
gen_require(`
type spamc_exec_t;
')
# Execute the spamc client in the caller domain (no transition to spamc_t).
can_exec($1,spamc_exec_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `spamassassin_exec_client'($*)) dnl
')
########################################
##
## Execute spamassassin in the user spamassassin domain.
##
##
##
## This is a template and should only be called
## from per user domain templates.
##
##
##
##
## The prefix of the user domain. eg user would be the prefix of user_t.
##
##
##
##
## The type of the process performing this action.
##
##
#
define(`spamassassin_domtrans_user_local_client',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `spamassassin_domtrans_user_local_client'($*)) dnl
# Only the second argument (the user domain) is used; the prefix argument
# exists for signature compatibility with the other per-user templates.
spamassassin_domtrans($2)
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `spamassassin_domtrans_user_local_client'($*)) dnl
')
########################################
##
## Execute spamassassin in the user spamassassin domain.
##
##
##
## This is a template and should only be called
## from per user domain templates.
##
##
##
##
## The type of the process performing this action.
##
##
#
define(`spamassassin_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `spamassassin_domtrans'($*)) dnl
gen_require(`
type spamassassin_t, spamassassin_exec_t;
')
# Automatic transition to spamassassin_t when the caller executes
# spamassassin_exec_t. The ioctl on the executable is granted in addition
# to the pattern.
domtrans_pattern($1,spamassassin_exec_t,spamassassin_t)
allow $1 spamassassin_exec_t:file ioctl;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `spamassassin_domtrans'($*)) dnl
')
########################################
##
## read spamd lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`spamassassin_read_lib_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `spamassassin_read_lib_files'($*)) dnl
gen_require(`
type spamd_var_lib_t;
')
# Read-only access to spamd state under var_lib: search the parent, list
# spamd_var_lib_t directories and read spamd_var_lib_t files.
files_search_var_lib($1)
list_dirs_pattern($1,spamd_var_lib_t,spamd_var_lib_t)
read_files_pattern($1,spamd_var_lib_t,spamd_var_lib_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `spamassassin_read_lib_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## spamd lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`spamassassin_manage_lib_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `spamassassin_manage_lib_files'($*)) dnl
gen_require(`
type spamd_var_lib_t;
')
# Create/read/write/delete spamd_var_lib_t files. Note that only files are
# managed; creating or removing spamd_var_lib_t directories is not granted.
files_search_var_lib($1)
manage_files_pattern($1,spamd_var_lib_t,spamd_var_lib_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `spamassassin_manage_lib_files'($*)) dnl
')
########################################
##
## Read temporary spamd file.
##
##
##
## The type of the process performing this action.
##
##
#
define(`spamassassin_read_spamd_tmp_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `spamassassin_read_spamd_tmp_files'($*)) dnl
gen_require(`
type spamd_tmp_t;
')
# Read spamd temporary files only; no directory search on the tmp
# directory is granted here.
allow $1 spamd_tmp_t:file read_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `spamassassin_read_spamd_tmp_files'($*)) dnl
')
########################################
##
## Do not audit attempts to get attributes of temporary
## spamd sockets.
##
##
##
## Domain to not audit.
##
##
#
define(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `spamassassin_dontaudit_getattr_spamd_tmp_sockets'($*)) dnl
gen_require(`
type spamd_tmp_t;
')
# Silence getattr denials on spamd_tmp_t socket files; grants nothing.
dontaudit $1 spamd_tmp_t:sock_file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `spamassassin_dontaudit_getattr_spamd_tmp_sockets'($*)) dnl
')
########################################
##
## Connect to run spamd.
##
##
##
## Domain allowed to connect.
##
##
#
define(`spamd_stream_connect',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `spamd_stream_connect'($*)) dnl
gen_require(`
type spamd_t, spamd_var_run_t;
')
# Connect to the spamd unix stream socket: both the socket file and its
# containing directory are labeled spamd_var_run_t, and the peer is spamd_t.
stream_connect_pattern($1,spamd_var_run_t,spamd_var_run_t,spamd_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `spamd_stream_connect'($*)) dnl
')
########################################
##
## Execute spamassassin server in the spamassassin domain.
##
##
##
## The type of the process performing this action.
##
##
#
#
define(`spamassassin_spamd_initrc_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `spamassassin_spamd_initrc_domtrans'($*)) dnl
gen_require(`
type spamd_script_exec_t;
')
# Run the spamd init script with a transition into the init script domain;
# the caller does not run spamd itself.
init_labeled_script_domtrans($1,spamd_script_exec_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `spamassassin_spamd_initrc_domtrans'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## a spamassassin environment
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed to manage the spamassassin domain.
##
##
##
##
## The type of the user terminal.
##
##
##
#
define(`spamassassin_spamd_admin',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `spamassassin_spamd_admin'($*)) dnl
gen_require(`
type spamd_t;
type spamd_script_exec_t;
type spamd_tmp_t;
type spamd_log_t;
type spamd_spool_t;
type spamd_var_lib_t;
type spamd_var_run_t;
')
# Process control over spamd: ptrace lets the admin domain inspect and
# alter spamd memory, signal_perms covers every signal. Treat callers of
# this interface as fully trusted with respect to spamd.
allow $1 spamd_t:process { ptrace signal_perms getattr };
read_files_pattern($1, spamd_t, spamd_t)
# Allow the admin domain to run the spamd init script (start/stop/restart)
spamassassin_spamd_initrc_domtrans($1)
domain_system_change_exemption($1)
# Executing the init script moves the admin role into system_r.
role_transition $2 spamd_script_exec_t system_r;
allow $2 system_r;
# Full management of every spamd-owned file class; the parent directories
# (tmp, logs, spool, var_lib, pids) are only listed.
files_list_tmp($1)
manage_all_pattern($1,spamd_tmp_t)
logging_list_logs($1)
manage_all_pattern($1,spamd_log_t)
files_list_spool($1)
manage_all_pattern($1,spamd_spool_t)
files_list_var_lib($1)
manage_all_pattern($1,spamd_var_lib_t)
files_list_pids($1)
manage_all_pattern($1,spamd_var_run_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `spamassassin_spamd_admin'($*)) dnl
')
########################################
##
## Manage spamassassin per user homedir
##
##
##
## Manage spamassassin per user homedir
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain allowed access.
##
##
#
define(`spamassassin_manage_user_home_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `spamassassin_manage_user_home_files'($*)) dnl
gen_require(`
type spamassassin_home_t;
')
# Create/read/write/delete spamassassin_home_t files (files only, no dir
# or symlink management), plus the same for the razor home content.
# NOTE(review): the first argument is used as the domain here, while the
# razor call passes the literal prefix user instead of a parameter; the
# prefix documented in the header is never read. Confirm the intended
# signature before relying on the prefix argument.
manage_files_pattern($1, spamassassin_home_t, spamassassin_home_t)
razor_manage_user_home_files(user,$1)
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `spamassassin_manage_user_home_files'($*)) dnl
')
## Alcatel speedtouch USB ADSL modem
## Squid caching http proxy server
########################################
##
## Execute squid in the squid domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`squid_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `squid_domtrans'($*)) dnl
gen_require(`
type squid_t, squid_exec_t;
')
# Transition into squid_t on exec of squid_exec_t. The transition plumbing
# (shared fds, pipe rw, sigchld back to the caller) is spelled out by hand
# here; the spamassassin interfaces in this file use domtrans_pattern for
# the same purpose, which is the form to prefer for new code.
corecmd_search_sbin($1)
domain_auto_trans($1,squid_exec_t,squid_t)
allow $1 squid_t:fd use;
allow squid_t $1:fd use;
allow squid_t $1:fifo_file rw_file_perms;
allow squid_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `squid_domtrans'($*)) dnl
')
########################################
##
## Read squid configuration file.
##
##
##
## Domain allowed access.
##
##
##
#
define(`squid_read_config',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `squid_read_config'($*)) dnl
gen_require(`
type squid_conf_t;
')
# Read-only access to squid configuration: search the etc parent and the
# squid_conf_t directory, read squid_conf_t files.
files_search_etc($1)
allow $1 squid_conf_t:dir search_dir_perms;
allow $1 squid_conf_t:file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `squid_read_config'($*)) dnl
')
########################################
##
## Read squid logs.
##
##
##
## Domain allowed access.
##
##
##
#
define(`squid_read_log',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `squid_read_log'($*)) dnl
gen_require(`
type squid_log_t;
')
# Read-only access to squid logs: search the log parent and the
# squid_log_t directory, read squid_log_t files. No append or write.
logging_search_logs($1)
allow $1 squid_log_t:dir search_dir_perms;
allow $1 squid_log_t:file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `squid_read_log'($*)) dnl
')
########################################
##
## Append squid logs.
##
##
##
## Domain allowed access.
##
##
#
define(`squid_append_log',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `squid_append_log'($*)) dnl
gen_require(`
type squid_log_t;
')
# Append-only access to squid logs: getattr and append on the files, no
# read, write or truncate, so existing log content cannot be altered.
logging_search_logs($1)
allow $1 squid_log_t:dir search_dir_perms;
allow $1 squid_log_t:file { getattr append };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `squid_append_log'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## squid logs.
##
##
##
## Domain allowed access.
##
##
##
#
define(`squid_manage_logs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `squid_manage_logs'($*)) dnl
gen_require(`
type squid_log_t;
')
# Create/read/write/delete squid_log_t files; the squid_log_t directory
# itself is read/write but not created or removed (rw_dir_perms).
logging_search_logs($1)
allow $1 squid_log_t:dir rw_dir_perms;
allow $1 squid_log_t:file create_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `squid_manage_logs'($*)) dnl
')
########################################
##
## Use squid services by connecting over TCP. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`squid_use',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `squid_use'($*)) dnl
# Deprecated interface: expands only to a build-time warning and grants
# no access at all.
refpolicywarn(`$0($*) has been deprecated.')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `squid_use'($*)) dnl
')
########################################
##
## dontaudit search squid cache dirs
##
##
##
## Domain allowed access.
##
##
##
#
define(`squid_dontaudit_search_squid_cache',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `squid_dontaudit_search_squid_cache'($*)) dnl
gen_require(`
type squid_cache_t;
')
# Silence search denials on squid_cache_t directories; grants nothing.
dontaudit $1 squid_cache_t:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `squid_dontaudit_search_squid_cache'($*)) dnl
')
########################################
##
## Allow read and write squid
## unix domain stream sockets.
##
##
##
## Domain allowed access.
##
##
#
define(`squid_rw_stream_sockets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `squid_rw_stream_sockets'($*)) dnl
gen_require(`
type squid_t;
')
# Read/write on squid_t unix stream sockets the caller already holds
# (e.g. inherited); no connectto, so the caller cannot open new ones.
allow $1 squid_t:unix_stream_socket { getattr read write };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `squid_rw_stream_sockets'($*)) dnl
')
## Secure shell client and server policy.
#######################################
##
## Basic SSH client template.
##
##
##
## This template creates a derived domain which is used
## for ssh client sessions. A derived
## type is also created to protect the user ssh keys.
##
##
## This template was added for NX.
##
##
##
##
## The prefix of the domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## The type of the domain.
##
##
##
##
## The role associated with the user domain.
##
##
#
define(`ssh_basic_client_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ssh_basic_client_template'($*)) dnl
gen_require(`
attribute ssh_server;
type ssh_exec_t, sshd_key_t;
ifdef(`strict_policy',`
type sshd_tmp_t;
')
')
##############################
#
# Declarations
#
# One derived client domain per prefix, entered by executing ssh_exec_t,
# and a derived home type for the user ssh keys and config.
type $1_ssh_t;
domain_type($1_ssh_t)
domain_entry_file($1_ssh_t,ssh_exec_t)
role $3 types $1_ssh_t;
type $1_home_ssh_t;
files_type($1_home_ssh_t)
##############################
#
# Client local policy
#
# dac_override and dac_read_search bypass discretionary file permission
# checks for the client domain; setuid/setgid allow uid/gid changes.
allow $1_ssh_t self:capability { setuid setgid dac_override dac_read_search };
# Every process permission except the listed ones: the client domain can
# neither ptrace, change its own label (setcurrent/setexec/setfscreate),
# raise limits, nor map executable anonymous memory or a writable stack.
allow $1_ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow $1_ssh_t self:fd use;
allow $1_ssh_t self:fifo_file rw_file_perms;
allow $1_ssh_t self:unix_dgram_socket { create_socket_perms sendto };
allow $1_ssh_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow $1_ssh_t self:shm create_shm_perms;
allow $1_ssh_t self:sem create_sem_perms;
allow $1_ssh_t self:msgq create_msgq_perms;
allow $1_ssh_t self:msg { send receive };
allow $1_ssh_t self:tcp_socket create_socket_perms;
# for rsync
allow $1_ssh_t $2:unix_stream_socket rw_socket_perms;
allow $1_ssh_t $2:unix_stream_socket connectto;
# Read the ssh key file.
allow $1_ssh_t sshd_key_t:file r_file_perms;
# Transition from the domain to the derived domain.
# The fd/pipe/sigchld rules are the manual transition plumbing; other
# interfaces in this file express the same with domtrans_pattern.
domain_auto_trans($2, ssh_exec_t, $1_ssh_t)
allow $2 $1_ssh_t:fd use;
allow $1_ssh_t $2:fd use;
allow $1_ssh_t $2:fifo_file rw_file_perms;
allow $1_ssh_t $2:process sigchld;
# inheriting stream sockets is needed for "ssh host command" as no pty
# is allocated
# cjp: should probably fix target to be an attribute for ssh servers
# or "regular" (not special like sshd_extern_t) servers
allow $2 ssh_server:unix_stream_socket rw_stream_socket_perms;
# allow ps to show ssh
allow $2 $1_ssh_t:dir { search getattr read };
allow $2 $1_ssh_t:{ file lnk_file } { read getattr };
allow $2 $1_ssh_t:process getattr;
# user can manage the keys and config
allow $2 $1_home_ssh_t:dir rw_dir_perms;
allow $2 $1_home_ssh_t:file create_file_perms;
allow $2 $1_home_ssh_t:lnk_file create_lnk_perms;
allow $2 $1_home_ssh_t:sock_file create_file_perms;
# ssh client can manage the keys and config
# (directories are read-only for the client; files are fully managed,
# symlinks are only read)
allow $1_ssh_t $1_home_ssh_t:dir r_dir_perms;
allow $1_ssh_t $1_home_ssh_t:file create_file_perms;
allow $1_ssh_t $1_home_ssh_t:lnk_file { getattr read };
# ssh servers can read the user keys and config
# (read-only for every domain carrying the ssh_server attribute)
allow ssh_server $1_home_ssh_t:dir r_dir_perms;
allow ssh_server $1_home_ssh_t:lnk_file r_file_perms;
allow ssh_server $1_home_ssh_t:file r_file_perms;
kernel_read_kernel_sysctls($1_ssh_t)
# Network: send/receive on all interfaces, nodes and ports, but outbound
# connect is limited to the ssh port.
corenet_non_ipsec_sendrecv($1_ssh_t)
corenet_tcp_sendrecv_all_if($1_ssh_t)
corenet_tcp_sendrecv_all_nodes($1_ssh_t)
corenet_tcp_sendrecv_all_ports($1_ssh_t)
corenet_tcp_connect_ssh_port($1_ssh_t)
corenet_sendrecv_ssh_client_packets($1_ssh_t)
dev_read_urand($1_ssh_t)
fs_getattr_all_fs($1_ssh_t)
fs_search_auto_mountpoints($1_ssh_t)
# run helper programs - needed eg for x11-ssh-askpass
corecmd_exec_shell($1_ssh_t)
corecmd_exec_bin($1_ssh_t)
corecmd_list_sbin($1_ssh_t)
corecmd_read_sbin_symlinks($1_ssh_t)
domain_use_interactive_fds($1_ssh_t)
files_list_home($1_ssh_t)
files_read_usr_files($1_ssh_t)
files_read_etc_runtime_files($1_ssh_t)
files_read_etc_files($1_ssh_t)
files_read_var_files($1_ssh_t)
auth_use_nsswitch($1_ssh_t)
libs_use_ld_so($1_ssh_t)
libs_use_shared_libs($1_ssh_t)
logging_send_syslog_msg($1_ssh_t)
logging_read_generic_logs($1_ssh_t)
miscfiles_read_localization($1_ssh_t)
seutil_read_config($1_ssh_t)
ifdef(`strict_policy',`
# Access the ssh temporary files.
# Only in the strict policy build, where sshd_tmp_t is required above.
allow $1_ssh_t sshd_tmp_t:dir create_dir_perms;
allow $1_ssh_t sshd_tmp_t:file create_file_perms;
files_tmp_filetrans($1_ssh_t, sshd_tmp_t, { file dir })
')
# Reading default_t content is gated by the read_default_t tunable.
tunable_policy(`read_default_t',`
files_list_default($1_ssh_t)
files_read_default_files($1_ssh_t)
files_read_default_symlinks($1_ssh_t)
files_read_default_sockets($1_ssh_t)
files_read_default_pipes($1_ssh_t)
')
optional_policy(`
kerberos_use($1_ssh_t)
')
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ssh_basic_client_template'($*)) dnl
')
#######################################
##
## The per role template for the ssh module.
##
##
##
## This template creates derived domains which are used
## for ssh client sessions and user ssh agents. A derived
## type is also created to protect the user ssh keys.
##
##
## This template is invoked automatically for each user, and
## generally does not need to be invoked directly
## by policy writers.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## The type of the user domain.
##
##
##
##
## The role associated with the user domain.
##
##
#
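define(`ssh_per_role_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ssh_per_role_template'($*)) dnl
gen_require(`
type ssh_agent_exec_t, ssh_keysign_exec_t;
')
##############################
#
# Declarations
#
# Parameters: $1 = user prefix, $2 = user domain type, $3 = user role.
# The user domain type is always referenced through the second
# parameter below; the template never spells it as prefix_t, so the
# rules hold for whatever domain type the caller passed.
#
ssh_basic_client_template($1,$2,$3)
# The derived home ssh type is registered as user home content
# (per the summary it protects the user ssh keys).
userdom_user_home_content($1,$1_home_ssh_t)
# Per-user ssh-agent domain, entered from ssh_agent_exec_t.
type $1_ssh_agent_t;
domain_type($1_ssh_agent_t)
domain_entry_file($1_ssh_agent_t,ssh_agent_exec_t)
role $3 types $1_ssh_agent_t;
domain_interactive_fd($1_ssh_agent_t)
# Private tmp type holding the agent socket.
type $1_ssh_agent_tmp_t;
files_tmp_file($1_ssh_agent_tmp_t)
# Per-user ssh-keysign domain, entered from ssh_keysign_exec_t.
# It is the only per-user domain granted read access to the host keys.
type $1_ssh_keysign_t;
domain_type($1_ssh_keysign_t)
domain_entry_file($1_ssh_keysign_t,ssh_keysign_exec_t)
role $3 types $1_ssh_keysign_t;
# Private tmpfs type for the ssh client.
type $1_ssh_tmpfs_t;
files_tmpfs_file($1_ssh_tmpfs_t)
##############################
#
# Client local policy
#
# Private tmpfs content created by the client.
allow $1_ssh_t $1_ssh_tmpfs_t:dir rw_dir_perms;
allow $1_ssh_t $1_ssh_tmpfs_t:file manage_file_perms;
allow $1_ssh_t $1_ssh_tmpfs_t:lnk_file create_lnk_perms;
allow $1_ssh_t $1_ssh_tmpfs_t:sock_file manage_file_perms;
allow $1_ssh_t $1_ssh_tmpfs_t:fifo_file manage_file_perms;
fs_tmpfs_filetrans($1_ssh_t,$1_ssh_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
# The client may create the user ssh home directory and sockets in it.
# Note that only dir and sock_file access is granted here; plain file
# access to the keys is not granted by this template (presumably it
# comes from the basic client template, confirm there).
allow $1_ssh_t $1_home_ssh_t:dir manage_dir_perms;
allow $1_ssh_t $1_home_ssh_t:sock_file manage_file_perms;
userdom_user_home_dir_filetrans($1,$1_ssh_t,$1_home_ssh_t,{ dir sock_file })
# Allow the ssh program to communicate with ssh-agent.
allow $1_ssh_t $1_ssh_agent_t:unix_stream_socket connectto;
allow $1_ssh_t $1_ssh_agent_tmp_t:sock_file write;
allow $1_ssh_t $1_ssh_agent_tmp_t:dir search;
# Connect to stream sockets of the ssh server domain
# (presumably agent sockets forwarded by sshd; confirm).
allow $1_ssh_t sshd_t:unix_stream_socket connectto;
userdom_use_unpriv_users_fds($1_ssh_t)
userdom_dontaudit_list_user_home_dirs($1,$1_ssh_t)
userdom_search_user_home_dirs($1,$1_ssh_t)
# Write to the user domain tty.
userdom_use_user_terminals($1,$1_ssh_t)
# Allow the user domain to signal its ssh client.
allow $2 $1_ssh_t:process signal;
# needs to read krb tgt
userdom_read_user_tmp_files($1, $1_ssh_t)
# Host-based authentication helper: only reachable when the tunable
# is on, and it runs in its own domain rather than in the client.
tunable_policy(`allow_ssh_keysign',`
domain_auto_trans($1_ssh_t, ssh_keysign_exec_t, $1_ssh_keysign_t)
allow $1_ssh_keysign_t $1_ssh_t:fd use;
allow $1_ssh_keysign_t $1_ssh_t:process sigchld;
allow $1_ssh_keysign_t $1_ssh_t:fifo_file rw_file_perms;
')
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs($1_ssh_t)
fs_manage_nfs_files($1_ssh_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_dirs($1_ssh_t)
fs_manage_cifs_files($1_ssh_t)
')
# for port forwarding
tunable_policy(`user_tcp_server',`
corenet_tcp_bind_ssh_port($1_ssh_t)
')
optional_policy(`
xserver_user_client_template($1,$1_ssh_t,$1_ssh_tmpfs_t)
xserver_domtrans_user_xauth($1,$1_ssh_t)
')
ifdef(`TODO',`
allow $1_ssh_t $1_tmp_t:dir r_dir_perms;
# for /bin/sh used to execute xauth
dontaudit $1_ssh_t proc_t:{ lnk_file file } { getattr read };
#allow ssh to access keys stored on removable media
# Should we have a boolean around this?
files_search_mnt($1_ssh_t)
r_dir_file($1_ssh_t, removable_t)
') dnl endif TODO
##############################
#
# $1_ssh_agent_t local policy
#
allow $1_ssh_agent_t self:process setrlimit;
# setgid only: the agent binary is typically installed setgid and
# drops that group early. No other capability is granted.
allow $1_ssh_agent_t self:capability setgid;
allow $1_ssh_agent_t { $1_ssh_agent_t $2 }:process signull;
allow $1_ssh_agent_t self:unix_stream_socket { create_stream_socket_perms connectto };
# The agent socket lives in the private tmp type; writers are the
# user domain (ssh-add, below) and the ssh client (above) only.
allow $1_ssh_agent_t $1_ssh_agent_tmp_t:dir manage_dir_perms;
allow $1_ssh_agent_t $1_ssh_agent_tmp_t:sock_file manage_file_perms;
files_tmp_filetrans($1_ssh_agent_t,$1_ssh_agent_tmp_t,{ dir sock_file })
# for ssh-add
allow $2 $1_ssh_agent_t:unix_stream_socket connectto;
allow $2 $1_ssh_agent_tmp_t:sock_file write;
# Allow the user shell to signal the ssh program.
allow $2 $1_ssh_agent_t:process signal;
# allow ps to show ssh
allow $2 $1_ssh_agent_t:dir { search getattr read };
allow $2 $1_ssh_agent_t:{ file lnk_file } { read getattr };
allow $2 $1_ssh_agent_t:process getattr;
domain_auto_trans($2, ssh_agent_exec_t, $1_ssh_agent_t)
allow $2 $1_ssh_agent_t:fd use;
allow $1_ssh_agent_t $2:fd use;
allow $1_ssh_agent_t $2:fifo_file rw_file_perms;
allow $1_ssh_agent_t $2:process sigchld;
kernel_read_kernel_sysctls($1_ssh_agent_t)
dev_read_urand($1_ssh_agent_t)
dev_read_rand($1_ssh_agent_t)
fs_search_auto_mountpoints($1_ssh_agent_t)
# transition back to normal privs upon exec: the target is the user
# domain type passed as the second parameter, matching the home
# directory transition further down.
corecmd_shell_domtrans($1_ssh_agent_t,$2)
corecmd_bin_domtrans($1_ssh_agent_t, $2)
domain_use_interactive_fds($1_ssh_agent_t)
files_read_etc_files($1_ssh_agent_t)
files_read_etc_runtime_files($1_ssh_agent_t)
files_search_home($1_ssh_agent_t)
libs_read_lib_files($1_ssh_agent_t)
libs_use_ld_so($1_ssh_agent_t)
libs_use_shared_libs($1_ssh_agent_t)
logging_send_syslog_msg($1_ssh_agent_t)
miscfiles_read_localization($1_ssh_agent_t)
seutil_dontaudit_read_config($1_ssh_agent_t)
# Write to the user domain tty.
userdom_use_user_terminals($1,$1_ssh_agent_t)
# for the transition back to normal privs upon exec
userdom_user_home_domtrans($1,$1_ssh_agent_t,$2)
allow $2 $1_ssh_agent_t:fd use;
allow $2 $1_ssh_agent_t:fifo_file rw_file_perms;
allow $2 $1_ssh_agent_t:process sigchld;
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files($1_ssh_agent_t)
# transition back to normal privs upon exec
fs_nfs_domtrans($1_ssh_agent_t, $2)
')
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_files($1_ssh_agent_t)
# transition back to normal privs upon exec
fs_cifs_domtrans($1_ssh_agent_t, $2)
')
optional_policy(`
nis_use_ypbind($1_ssh_agent_t)
')
ifdef(`TODO',`
ifdef(`xdm.te',`
can_pipe_xdm($1_ssh_agent_t)
')
dontaudit $1_ssh_agent_t proc_t:{ lnk_file file } { getattr read };
') dnl endif TODO
##############################
#
# $1_ssh_keysign_t local policy
#
# Everything here is gated on the same tunable as the transition
# into the domain, so the domain is inert when keysign is disabled.
tunable_policy(`allow_ssh_keysign',`
# The helper runs privileged so that it, and not the client, can read
# the host private keys. Access to sshd_key_t is read-only.
allow $1_ssh_keysign_t self:capability { setgid setuid };
allow $1_ssh_keysign_t self:unix_stream_socket create_socket_perms;
allow $1_ssh_keysign_t sshd_key_t:file { getattr read };
dev_read_urand($1_ssh_keysign_t)
files_read_etc_files($1_ssh_keysign_t)
libs_use_ld_so($1_ssh_keysign_t)
libs_use_shared_libs($1_ssh_keysign_t)
')
optional_policy(`
tunable_policy(`allow_ssh_keysign',`
nscd_socket_use($1_ssh_keysign_t)
')
')
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ssh_per_role_template'($*)) dnl
')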
#######################################
##
## The template to define a ssh server.
##
##
##
## This template creates a domain to be used for
## running a ssh server. This is typically done
## to have multiple ssh servers of different sensitivities,
## such as for an internal network-facing ssh server, and
## a external network-facing ssh server.
##
##
##
##
## The prefix of the server domain (e.g., sshd
## is the prefix for sshd_t).
##
##
#
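define(`ssh_server_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ssh_server_template'($*)) dnl
# $1 is the server prefix (sshd for sshd_t). The server is a login
# program domain: it authenticates users and starts their sessions.
type $1_t, ssh_server;
auth_login_pgm_domain($1_t)
type $1_devpts_t;
term_login_pty($1_devpts_t)
type $1_var_run_t;
files_pid_file($1_var_run_t)
# Broad capability set. dac_override, chown, fowner and fsetid let the
# server bypass or rewrite DAC on files; keep this list minimal and
# review any addition.
allow $1_t self:capability { kill sys_chroot sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
allow $1_t self:fifo_file rw_file_perms;
# setexec: the server sets the security context of the session it
# is about to exec.
allow $1_t self:process { signal setsched setrlimit setexec };
allow $1_t self:tcp_socket create_stream_socket_perms;
allow $1_t self:udp_socket create_socket_perms;
# ssh agent connections:
allow $1_t self:unix_stream_socket create_stream_socket_perms;
allow $1_t $1_devpts_t:chr_file { rw_file_perms setattr getattr relabelfrom };
term_create_pty($1_t,$1_devpts_t)
allow $1_t $1_var_run_t:file create_file_perms;
files_pid_filetrans($1_t,$1_var_run_t,file)
# Re-execute the server binary without a domain change.
can_exec($1_t, sshd_exec_t)
# Access key files (read-only; the server never writes its host keys)
allow $1_t sshd_key_t:file { getattr read };
kernel_read_kernel_sysctls($1_t)
# Network: send/receive on all interfaces, nodes and ports, bind to
# all nodes, and connect to all TCP ports. The connect-all rule is
# presumably what server-side TCP forwarding needs; if forwarding is
# disabled in the server configuration it can be tightened.
corenet_tcp_sendrecv_all_if($1_t)
corenet_udp_sendrecv_all_if($1_t)
corenet_raw_sendrecv_all_if($1_t)
corenet_tcp_sendrecv_all_nodes($1_t)
corenet_udp_sendrecv_all_nodes($1_t)
corenet_raw_sendrecv_all_nodes($1_t)
corenet_udp_sendrecv_all_ports($1_t)
corenet_tcp_sendrecv_all_ports($1_t)
corenet_non_ipsec_sendrecv($1_t)
corenet_tcp_bind_all_nodes($1_t)
corenet_udp_bind_all_nodes($1_t)
corenet_tcp_connect_all_ports($1_t)
corenet_sendrecv_ssh_server_packets($1_t)
fs_dontaudit_getattr_all_fs($1_t)
# Login accounting (wtmp/utmp style records and the failed-login log).
auth_rw_login_records($1_t)
auth_rw_faillog($1_t)
corecmd_read_bin_symlinks($1_t)
# for sshd subsystems, such as sftp-server.
# (a second identical call was removed; one is sufficient)
corecmd_getattr_bin_files($1_t)
domain_interactive_fd($1_t)
files_read_etc_files($1_t)
files_read_etc_runtime_files($1_t)
libs_use_ld_so($1_t)
libs_use_shared_libs($1_t)
logging_search_logs($1_t)
miscfiles_read_localization($1_t)
sysnet_read_config($1_t)
userdom_dontaudit_relabelfrom_unpriv_users_ptys($1_t)
userdom_search_all_users_home_dirs($1_t)
# Allow checking users mail at login
mta_getattr_spool($1_t)
tunable_policy(`use_nfs_home_dirs',`
fs_read_nfs_files($1_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_read_cifs_files($1_t)
')
# cjp: commenting out until typeattribute works in conditional
# and require block in optional else is resolved
#optional_policy(`
# tunable_policy(`run_ssh_inetd',`
# allow $1_t self:process signal;
# files_list_pids($1_t)
# ',`
# corenet_tcp_bind_ssh_port($1_t)
# init_use_fds($1_t)
# init_use_script_ptys($1_t)
# ')
#',`
# These rules should match the else block
# of the run_ssh_inetd tunable directly above
corenet_tcp_bind_ssh_port($1_t)
init_use_fds($1_t)
init_use_script_ptys($1_t)
#')
optional_policy(`
kerberos_use($1_t)
kerberos_manage_host_rcache($1_t)
')
optional_policy(`
nscd_socket_use($1_t)
')
optional_policy(`
nx_spec_domtrans_server($1_t)
')
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ssh_server_template'($*)) dnl
')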
########################################
##
## Send a SIGCHLD signal to the ssh server.
##
##
##
## Domain allowed access.
##
##
#
define(`ssh_sigchld',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ssh_sigchld'($*)) dnl
gen_require(`
type sshd_t;
')
# Only SIGCHLD is granted, i.e. $1 may run as a child of the ssh
# server and report its exit; it cannot send other signals to sshd_t.
allow $1 sshd_t:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ssh_sigchld'($*)) dnl
')
########################################
##
## Read a ssh server unnamed pipe.
##
##
##
## Domain allowed access.
##
##
#
define(`ssh_read_pipes',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ssh_read_pipes'($*)) dnl
gen_require(`
type sshd_t;
')
# Read-only: $1 may read and stat pipes created by the ssh server
# (typically inherited ones) but cannot write to them.
allow $1 sshd_t:fifo_file { getattr read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ssh_read_pipes'($*)) dnl
')
########################################
##
## Read and write ssh server unix domain stream sockets.
##
##
##
## Domain allowed access.
##
##
#
define(`ssh_rw_stream_sockets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ssh_rw_stream_sockets'($*)) dnl
gen_require(`
type sshd_t;
')
# Read/write on unix stream sockets owned by the ssh server; this does
# not include connectto, so $1 can only use sockets it already holds.
allow $1 sshd_t:unix_stream_socket rw_stream_socket_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ssh_rw_stream_sockets'($*)) dnl
')
########################################
##
## Read and write ssh server TCP sockets.
##
##
##
## Domain allowed access.
##
##
#
define(`ssh_rw_tcp_sockets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ssh_rw_tcp_sockets'($*)) dnl
gen_require(`
type sshd_t;
')
# Lets $1 read and write the (inherited) TCP connection socket owned
# by sshd_t, e.g. a session process talking to the client over the
# already-established connection. No bind/connect is granted.
allow $1 sshd_t:tcp_socket rw_stream_socket_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ssh_rw_tcp_sockets'($*)) dnl
')
########################################
##
## Do not audit attempts to read and write
## ssh server TCP sockets.
##
##
##
## Domain to not audit.
##
##
#
define(`ssh_dontaudit_rw_tcp_sockets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ssh_dontaudit_rw_tcp_sockets'($*)) dnl
gen_require(`
type sshd_t;
')
# Silences the denial only; $1 is still denied read/write on the
# socket. Use where a leaked sshd socket would otherwise spam the log.
dontaudit $1 sshd_t:tcp_socket { read write };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ssh_dontaudit_rw_tcp_sockets'($*)) dnl
')
########################################
##
## Connect to SSH daemons over TCP sockets. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`ssh_tcp_connect',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ssh_tcp_connect'($*)) dnl
# Deprecated: grants nothing. Kept so that existing callers still
# expand; they only get a build-time warning.
refpolicywarn(`$0($*) has been deprecated.')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ssh_tcp_connect'($*)) dnl
')
########################################
##
## Execute the ssh client in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`ssh_exec',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ssh_exec'($*)) dnl
gen_require(`
type ssh_exec_t;
')
corecmd_search_bin($1)
# No domain transition: the client runs with the full access of $1.
# Prefer a transition-based interface for domains that should not
# keep their privileges while running ssh.
can_exec($1,ssh_exec_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ssh_exec'($*)) dnl
')
########################################
##
## Execute the ssh key generator in the ssh keygen domain.
##
##
##
## Domain allowed access.
##
##
#
define(`ssh_domtrans_keygen',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ssh_domtrans_keygen'($*)) dnl
gen_require(`
type ssh_keygen_t, ssh_keygen_exec_t;
')
# Automatic transition into the key generator domain on exec.
domain_auto_trans($1,ssh_keygen_exec_t,ssh_keygen_t)
# Parent/child plumbing for the new domain: inherited fds, pipes
# and exit notification back to the caller.
allow ssh_keygen_t $1:fd use;
allow ssh_keygen_t $1:fifo_file rw_file_perms;
allow ssh_keygen_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ssh_domtrans_keygen'($*)) dnl
')
########################################
##
## Do not audit attempts to read ssh server keys.
##
##
##
## Domain allowed access.
##
##
#
define(`ssh_dontaudit_read_server_keys',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ssh_dontaudit_read_server_keys'($*)) dnl
gen_require(`
type sshd_key_t;
')
# dontaudit, not allow: $1 is still denied access to the host keys,
# the attempt is merely not logged.
dontaudit $1 sshd_key_t:file { getattr read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ssh_dontaudit_read_server_keys'($*)) dnl
')
########################################
##
## Inherit and use a file descriptor
## from the ssh-agent.
##
##
##
## The prefix of the user domain (first parameter);
## the second parameter is the domain allowed access.
##
##
#
define(`ssh_use_user_ssh_agent_fds',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ssh_use_user_ssh_agent_fds'($*)) dnl
gen_require(`
type $1_ssh_agent_t;
')
# $1 is the user prefix, $2 the domain allowed access.
allow $2 $1_ssh_agent_t:fd use;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ssh_use_user_ssh_agent_fds'($*)) dnl
')
########################################
##
## dontaudit use of file descriptor
## from the ssh-agent.
##
##
##
## The prefix of the user domain (first parameter);
## the second parameter is the domain to not audit.
##
##
#
define(`ssh_dontaudit_use_user_ssh_agent_fds',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ssh_dontaudit_use_user_ssh_agent_fds'($*)) dnl
gen_require(`
type $1_ssh_agent_t;
')
# $1 is the user prefix, $2 the domain to not audit.
dontaudit $2 $1_ssh_agent_t:fd use;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ssh_dontaudit_use_user_ssh_agent_fds'($*)) dnl
')
########################################
##
## Execute the ssh daemon in the sshd domain.
##
##
##
## Domain allowed access.
##
##
#
define(`ssh_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ssh_domtrans'($*)) dnl
gen_require(`
type sshd_t, sshd_exec_t;
')
# Automatic transition into sshd_t on exec of sshd_exec_t.
domain_auto_trans($1,sshd_exec_t,sshd_t)
# Child-side plumbing only: sshd_t may use fds and pipes inherited
# from $1 and report its exit. The reverse fd use is not granted here.
allow sshd_t $1:fd use;
allow sshd_t $1:fifo_file rw_file_perms;
allow sshd_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ssh_domtrans'($*)) dnl
')
########################################
##
## Set the attributes of ssh server key files.
##
##
##
## Domain allowed access.
##
##
#
define(`ssh_setattr_server_keys',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ssh_setattr_server_keys'($*)) dnl
gen_require(`
type sshd_key_t;
')
# setattr only (mode/owner/timestamps); no read or write of the
# key material is granted by this interface.
allow $1 sshd_key_t:file setattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ssh_setattr_server_keys'($*)) dnl
')
## SSL Tunneling Proxy
########################################
##
## Define the specified domain as a stunnel inetd service.
##
##
##
## The type associated with the stunnel inetd service process.
##
##
##
##
## The type associated with the process program.
##
##
#
define(`stunnel_service_domain',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `stunnel_service_domain'($*)) dnl
gen_require(`
type stunnel_t;
')
# stunnel_t transitions to $1 when it executes $2. Note that this
# interface does not declare $1 as a domain or $2 as its entry point;
# the caller is expected to have done so.
domtrans_pattern(stunnel_t,$2,$1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `stunnel_service_domain'($*)) dnl
')
## Policy for sysstat. Reports on various system states
########################################
##
## Manage sysstat logs.
##
##
##
## Domain allowed access.
##
##
##
#
define(`sysstat_manage_log',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `sysstat_manage_log'($*)) dnl
gen_require(`
type sysstat_log_t;
')
# Traverse the log tree, then full file management inside the
# sysstat log directories (the directories themselves are only rw).
logging_search_logs($1)
allow $1 sysstat_log_t:dir rw_dir_perms;
allow $1 sysstat_log_t:file manage_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `sysstat_manage_log'($*)) dnl
')
## Policy for TCP daemon.
########################################
##
## Execute tcpd in the tcpd domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`tcpd_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `tcpd_domtrans'($*)) dnl
gen_require(`
type tcpd_t, tcpd_exec_t;
')
# Automatic transition into tcpd_t on exec.
domain_auto_trans($1,tcpd_exec_t,tcpd_t)
# fd use is granted in both directions, plus pipes and exit
# notification from the child back to $1.
allow $1 tcpd_t:fd use;
allow tcpd_t $1:fd use;
allow tcpd_t $1:fifo_file rw_file_perms;
allow tcpd_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `tcpd_domtrans'($*)) dnl
')
## Telnet daemon
## Trivial file transfer protocol daemon
## MIDI to WAV converter and player configured as a service
## TOR, the onion router
########################################
##
## Execute a domain transition to run TOR.
##
##
##
## Domain allowed to transition.
##
##
#
define(`tor_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `tor_domtrans'($*)) dnl
gen_require(`
type tor_t, tor_exec_t;
')
# Automatic transition into tor_t on exec.
domain_auto_trans($1,tor_exec_t,tor_t)
# fd use is granted in both directions, plus pipes and exit
# notification from the child back to $1.
allow $1 tor_t:fd use;
allow tor_t $1:fd use;
allow tor_t $1:fifo_file rw_file_perms;
allow tor_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `tor_domtrans'($*)) dnl
')
## HTTP transparent proxy
## ucspitcp policy
##
##
## Policy for DJB's ucspi-tcpd
##
##
########################################
##
## Define a specified domain as a ucspitcp service.
##
##
##
## Domain allowed access.
##
##
##
##
## The type associated with the process program.
##
##
#
define(`ucspitcp_service_domain',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ucspitcp_service_domain'($*)) dnl
gen_require(`
type ucspitcp_t;
role system_r;
')
# Unlike stunnel_service_domain, this interface declares $1 as a
# domain with $2 as its entry point and places it in system_r.
domain_type($1)
domain_entry_file($1,$2)
role system_r types $1;
# ucspitcp_t transitions to $1 when it executes $2.
domain_auto_trans(ucspitcp_t, $2, $1)
# The service inherits fds from ucspitcp_t, reports its exit, and
# reads/writes the accepted TCP connection socket it was handed.
allow $1 ucspitcp_t:fd use;
allow $1 ucspitcp_t:process sigchld;
allow $1 ucspitcp_t:tcp_socket rw_stream_socket_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ucspitcp_service_domain'($*)) dnl
')
## Uptime daemon
## Unix to Unix Copy
########################################
##
## Execute the master uux program in the
## uux_t domain.
##
##
##
## Domain allowed access.
##
##
#
define(`uucp_domtrans_uux',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `uucp_domtrans_uux'($*)) dnl
gen_require(`
type uux_t, uux_exec_t;
')
# Automatic transition into uux_t on exec.
domain_auto_trans($1,uux_exec_t,uux_t)
# fd use is granted in both directions, plus pipes and exit
# notification from the child back to $1.
allow $1 uux_t:fd use;
allow uux_t $1:fd use;
allow uux_t $1:fifo_file rw_file_perms;
allow uux_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `uucp_domtrans_uux'($*)) dnl
')
########################################
##
## Create, read, write, and delete uucp spool files.
##
##
##
## Domain allowed access.
##
##
#
define(`uucp_manage_spool',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `uucp_manage_spool'($*)) dnl
gen_require(`
type uucpd_spool_t;
')
# Traverse the spool tree, then full management of uucp spool
# directories, symlinks and files.
files_search_spool($1)
allow $1 uucpd_spool_t:dir manage_dir_perms;
allow $1 uucpd_spool_t:lnk_file create_lnk_perms;
allow $1 uucpd_spool_t:file manage_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `uucp_manage_spool'($*)) dnl
')
########################################
##
## Allow the specified domain to append
## to uucp log files.
##
##
##
## Domain allowed access.
##
##
#
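define(`uucp_append_log',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `uucp_append_log'($*)) dnl
gen_require(`
type uucpd_log_t;
')
# Traverse the log tree and list the uucp log directory.
logging_search_logs($1)
allow $1 uucpd_log_t:dir r_dir_perms;
# Append-only access to the log files: no read, write or truncate,
# so $1 cannot alter or erase existing log content.
# (The rule was previously split across two lines with a stray
# semicolon on its own line; it is now a single statement.)
allow $1 uucpd_log_t:file { append getattr };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `uucp_append_log'($*)) dnl
')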
## University of Washington IMAP toolkit POP3 and IMAP mail server
########################################
##
## Execute the UW IMAP/POP3 servers with a domain transition.
##
##
##
## Domain allowed access.
##
##
#
define(`uwimap_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `uwimap_domtrans'($*)) dnl
gen_require(`
type imapd_t, imapd_exec_t;
')
# The server binary lives under sbin, so the caller needs search there.
corecmd_search_sbin($1)
# Automatic transition into imapd_t on exec.
domain_auto_trans($1,imapd_exec_t,imapd_t)
# fd use is granted in both directions, plus pipes and exit
# notification from the child back to $1.
allow $1 imapd_t:fd use;
allow imapd_t $1:fd use;
allow imapd_t $1:fifo_file rw_file_perms;
allow imapd_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `uwimap_domtrans'($*)) dnl
')
## Libvirt virtualization API
########################################
##
## Execute a domain transition to run virt.
##
##
##
## Domain allowed to transition.
##
##
#
define(`virt_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `virt_domtrans'($*)) dnl
gen_require(`
type virtd_t, virtd_exec_t;
')
# Uses the shared pattern rather than spelling out the transition
# and the fd/fifo/sigchld rules, as the older interfaces in this
# file do.
domtrans_pattern($1, virtd_exec_t, virtd_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `virt_domtrans'($*)) dnl
')
########################################
##
## Read virt config files.
##
##
##
## Domain allowed access.
##
##
#
define(`virt_read_config',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `virt_read_config'($*)) dnl
gen_require(`
type virt_etc_t;
type virt_etc_rw_t;
')
# Read-only access to both the static and the writable config types;
# the writable type is still read-only for $1 here.
files_search_etc($1)
read_files_pattern($1, virt_etc_t, virt_etc_t)
read_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `virt_read_config'($*)) dnl
')
########################################
##
## manage virt config files.
##
##
##
## Domain allowed access.
##
##
#
define(`virt_manage_config',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `virt_manage_config'($*)) dnl
gen_require(`
type virt_etc_t;
type virt_etc_rw_t;
')
# Full management of both config types, including the nominally
# static virt_etc_t; grant only to domains that really edit it.
files_search_etc($1)
manage_files_pattern($1, virt_etc_t, virt_etc_t)
manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `virt_manage_config'($*)) dnl
')
########################################
##
## Read virt PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`virt_read_pid_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `virt_read_pid_files'($*)) dnl
gen_require(`
type virt_var_run_t;
')
# Traverse the pid directory, then read virt pid files.
files_search_pids($1)
allow $1 virt_var_run_t:file read_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `virt_read_pid_files'($*)) dnl
')
########################################
##
## Manage virt pid files.
##
##
##
## Domain allowed access.
##
##
#
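define(`virt_manage_pid_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `virt_manage_pid_files'($*)) dnl
gen_require(`
type virt_var_run_t;
')
# Traverse the pid directory first, matching virt_read_pid_files;
# without it the manage rules below are unreachable from /var/run.
files_search_pids($1)
# Full management of virt pid files.
manage_files_pattern($1, virt_var_run_t, virt_var_run_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `virt_manage_pid_files'($*)) dnl
')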
########################################
##
## Execute the virt init script in the init script domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`virtd_initrc_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `virtd_initrc_domtrans'($*)) dnl
gen_require(`
type virtd_initrc_exec_t;
')
# Runs the labeled init script, not the daemon itself; the daemon
# transition happens from the init script domain.
init_labeled_script_domtrans($1, virtd_initrc_exec_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `virtd_initrc_domtrans'($*)) dnl
')
########################################
##
## Search virt lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`virt_search_lib',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `virt_search_lib'($*)) dnl
gen_require(`
type virt_var_lib_t;
')
# Search only: no listing or file access to virt lib content.
allow $1 virt_var_lib_t:dir search_dir_perms;
files_search_var_lib($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `virt_search_lib'($*)) dnl
')
########################################
##
## Read virt lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`virt_read_lib_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `virt_read_lib_files'($*)) dnl
gen_require(`
type virt_var_lib_t;
')
# Traverse /var/lib, then read-only access to virt lib files.
files_search_var_lib($1)
read_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `virt_read_lib_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## virt lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`virt_manage_lib_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `virt_manage_lib_files'($*)) dnl
gen_require(`
type virt_var_lib_t;
')
# Traverse /var/lib, then full management of virt lib files.
files_search_var_lib($1)
manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `virt_manage_lib_files'($*)) dnl
')
########################################
##
## Allow the specified domain to read virt's log files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`virt_read_log',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `virt_read_log'($*)) dnl
gen_require(`
type virt_log_t;
')
# Traverse the log tree, then read-only access to virt log files.
logging_search_logs($1)
read_files_pattern($1, virt_log_t, virt_log_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `virt_read_log'($*)) dnl
')
########################################
##
## Allow the specified domain to append
## virt log files.
##
##
##
## Domain allowed access.
##
##
#
define(`virt_append_log',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `virt_append_log'($*)) dnl
gen_require(`
type virt_log_t;
')
# Traverse the log tree, then append-only access: $1 cannot read,
# rewrite or truncate existing virt log content.
logging_search_logs($1)
append_files_pattern($1, virt_log_t, virt_log_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `virt_append_log'($*)) dnl
')
########################################
##
## Allow domain to manage virt log files
##
##
##
## Domain allowed access.
##
##
#
define(`virt_manage_log',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `virt_manage_log'($*)) dnl
gen_require(`
type virt_log_t;
')
# Purpose: let $1 fully manage virt log directories, files and symlinks.
# Param $1: the domain being granted access.
# Unlike virt_read_log and virt_append_log this interface does not call
# logging_search_logs, so a caller may need search access to the log
# directory from another interface.
manage_dirs_pattern($1, virt_log_t, virt_log_t)
manage_files_pattern($1, virt_log_t, virt_log_t)
manage_lnk_files_pattern($1, virt_log_t, virt_log_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `virt_manage_log'($*)) dnl
')
########################################
##
## Make the specified type usable as a virt image
##
##
##
## Make the specified type usable as a virt image
##
##
##
##
## Type to be used as a virtual image
##
##
#
#
define(`virt_image',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `virt_image'($*)) dnl
gen_require(`
attribute virt_image_type;
')
# Purpose: mark $1 as a virt image type.
# Param $1: the type that labels virtual machine images.
# Adding the attribute means every rule written against virt_image_type
# now also applies to $1; check which domains are granted that attribute
# before using this on a type that also labels unrelated data.
typeattribute $1 virt_image_type;
# $1 is an ordinary file type as well.
files_type($1)
# virt images can be assigned to blk devices
dev_node($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `virt_image'($*)) dnl
')
########################################
##
## Allow domain to manage virt image files
##
##
##
## Domain allowed access.
##
##
#
define(`virt_manage_images',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `virt_manage_images'($*)) dnl
gen_require(`
type virt_image_t, virt_var_lib_t;
')
# Purpose: let $1 manage virtual machine image directories and files and
# read and write the block device nodes labeled virt_image_t.
# Param $1: the domain being granted access.
# virt_var_lib_t is required above but is not referenced in this body;
# presumably it backs virt_search_lib, confirm before removing it.
virt_search_lib($1)
allow $1 virt_image_t:dir list_dir_perms;
manage_dirs_pattern($1, virt_image_t, virt_image_t)
manage_files_pattern($1, virt_image_t, virt_image_t)
# Symlinks are read only, not managed, so $1 cannot retarget an image link.
read_lnk_files_pattern($1, virt_image_t, virt_image_t)
# Image types may also label block devices, see virt_image; this line grants
# direct read and write on such device nodes, i.e. raw disk access.
rw_blk_files_pattern($1, virt_image_t, virt_image_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `virt_manage_images'($*)) dnl
')
#######################################
##
## Connect to virt over a unix domain stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`virt_stream_connect',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `virt_stream_connect'($*)) dnl
gen_require(`
type virtd_t, virt_var_run_t;
')
# Purpose: let $1 connect to the virtd_t unix stream socket kept under the
# pid directory.
# Param $1: the client domain.
files_search_pids($1)
# Arguments appear to be client domain, socket directory type, socket file
# type and server domain; compare the expanded form in xfs_stream_connect,
# which is dir search plus sock_file write plus connectto on the server.
stream_connect_pattern($1,virt_var_run_t,virt_var_run_t,virtd_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `virt_stream_connect'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## a virt environment
##
##
##
## Domain allowed access.
##
##
##
#
define(`virt_admin',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `virt_admin'($*)) dnl
gen_require(`
type virtd_t;
type virtd_initrc_exec_t;
')
# Purpose: grant $1 everything needed to administer virt, and let role $2
# run the virtd init script.
# Param $1: the administrative domain. Param $2: the administrative role.
# Security note: ptrace on virtd_t lets $1 inspect and modify the daemon
# process, which amounts to full control of virtd; only grant this
# interface to a genuinely administrative domain.
allow $1 virtd_t:process { ptrace signal_perms };
ps_process_pattern($1, virtd_t)
# Run the init script in its own domain.
virtd_initrc_domtrans($1)
domain_system_change_exemption($1)
# NOTE(review): system_r is not listed in the gen_require block above;
# confirm it is in scope wherever this interface is invoked.
role_transition $2 virtd_initrc_exec_t system_r;
allow $2 system_r;
# Full control over the virt pid, lib and log files.
virt_manage_pid_files($1)
virt_manage_lib_files($1)
virt_manage_log($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `virt_admin'($*)) dnl
')
## Software watchdog
## X Windows Font Server
########################################
##
## Read a X font server named socket.
##
##
##
## Domain allowed access.
##
##
#
define(`xfs_read_sockets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `xfs_read_sockets'($*)) dnl
gen_require(`
type xfs_tmp_t;
')
# Purpose: let $1 read the X font server named socket in the tmp directory.
# Param $1: the domain being granted access.
files_search_tmp($1)
allow $1 xfs_tmp_t:dir search;
# getattr and read on the socket file only; without write $1 cannot
# actually connect, see xfs_stream_connect for that.
allow $1 xfs_tmp_t:sock_file { getattr read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `xfs_read_sockets'($*)) dnl
')
########################################
##
## Connect to a X font server over
## a unix domain stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`xfs_stream_connect',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `xfs_stream_connect'($*)) dnl
gen_require(`
type xfs_tmp_t, xfs_t;
')
# Purpose: let $1 connect to the X font server over its unix stream socket.
# Param $1: the client domain.
files_search_tmp($1)
allow $1 xfs_tmp_t:dir search;
# write on the socket file plus connectto on the server socket is the
# minimal pair a unix stream connect needs.
allow $1 xfs_tmp_t:sock_file write;
allow $1 xfs_t:unix_stream_socket connectto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `xfs_stream_connect'($*)) dnl
')
########################################
##
## Allow the specified domain to execute xfs
## in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`xfs_exec',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `xfs_exec'($*)) dnl
gen_require(`
type xfs_exec_t;
')
# Purpose: let $1 execute the xfs binary without a domain transition, so the
# font server code runs with the permissions of $1 itself.
# Param $1: the domain being granted access.
can_exec($1,xfs_exec_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `xfs_exec'($*)) dnl
')
## X print server
## X Windows Server
#######################################
##
## Template to create types and rules common to
## all X server domains.
##
##
##
## The prefix of the domain (e.g., user
## is the prefix for user_t).
##
##
#
define(`xserver_common_domain_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `xserver_common_domain_template'($*)) dnl
gen_require(`
type xkb_var_lib_t, xserver_exec_t, xserver_log_t;
')
# Purpose: declare the $1_xserver_t domain with its tmp and tmpfs types and
# grant the baseline access shared by every X server domain.
# Param $1: the domain prefix, e.g. user for user_t.
# NOTE(review): xdm_xserver_tmp_t is used below but is not listed in the
# gen_require block above; confirm it is in scope for callers outside the
# xserver module.
##############################
#
# Declarations
#
type $1_xserver_t;
domain_type($1_xserver_t)
domain_entry_file($1_xserver_t,xserver_exec_t)
type $1_xserver_tmp_t;
files_tmp_file($1_xserver_tmp_t)
type $1_xserver_tmpfs_t;
files_tmpfs_file($1_xserver_tmpfs_t)
##############################
#
# $1_xserver_t local policy
#
# setuid/setgid for the wrapper program to change UID
# sys_rawio is for iopl access - should not be needed for frame-buffer
# sys_admin, locking shared mem? chowning IPC message queues or semaphores?
# admin of APM bios?
# sys_nice is so that the X server can set a negative nice value
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
# Security note: dac_override, sys_rawio, sys_admin and mknod together give
# this domain very broad reach over the host; trim the set on targets that
# no longer need them.
allow $1_xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
dontaudit $1_xserver_t self:capability chown;
# The negated set form grants every process permission except the listed
# ones, so ptrace, the set* permissions and execmem, execstack and execheap
# are withheld here; the exec* ones are re-added conditionally further down.
allow $1_xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow $1_xserver_t self:fd use;
allow $1_xserver_t self:fifo_file rw_fifo_file_perms;
allow $1_xserver_t self:sock_file read_sock_file_perms;
allow $1_xserver_t self:shm create_shm_perms;
allow $1_xserver_t self:sem create_sem_perms;
allow $1_xserver_t self:msgq create_msgq_perms;
allow $1_xserver_t self:msg { send receive };
allow $1_xserver_t self:unix_dgram_socket { create_socket_perms sendto };
allow $1_xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow $1_xserver_t self:netlink_route_socket r_netlink_socket_perms;
allow $1_xserver_t self:tcp_socket create_stream_socket_perms;
allow $1_xserver_t self:udp_socket create_socket_perms;
# Private tmp content: dirs, files and sockets, labeled automatically on create.
manage_dirs_pattern($1_xserver_t,$1_xserver_tmp_t,$1_xserver_tmp_t)
manage_files_pattern($1_xserver_t,$1_xserver_tmp_t,$1_xserver_tmp_t)
manage_sock_files_pattern($1_xserver_t,$1_xserver_tmp_t,$1_xserver_tmp_t)
files_tmp_filetrans($1_xserver_t, $1_xserver_tmp_t, { file dir sock_file })
# Sockets created inside the xdm X server tmp directory get the private label.
filetrans_pattern($1_xserver_t,xdm_xserver_tmp_t,$1_xserver_tmp_t,sock_file)
# Private tmpfs content, including symlinks and fifos.
manage_dirs_pattern($1_xserver_t,$1_xserver_tmpfs_t,$1_xserver_tmpfs_t)
manage_files_pattern($1_xserver_t,$1_xserver_tmpfs_t,$1_xserver_tmpfs_t)
manage_lnk_files_pattern($1_xserver_t,$1_xserver_tmpfs_t,$1_xserver_tmpfs_t)
manage_fifo_files_pattern($1_xserver_t,$1_xserver_tmpfs_t,$1_xserver_tmpfs_t)
manage_sock_files_pattern($1_xserver_t,$1_xserver_tmpfs_t,$1_xserver_tmpfs_t)
fs_tmpfs_filetrans($1_xserver_t,$1_xserver_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
# xkb state under var lib is writable by the server.
manage_files_pattern($1_xserver_t,xkb_var_lib_t,xkb_var_lib_t)
manage_lnk_files_pattern($1_xserver_t,xkb_var_lib_t,xkb_var_lib_t)
files_search_var_lib($1_xserver_t)
# Create files in /var/log with the xserver_log_t type.
manage_files_pattern($1_xserver_t,xserver_log_t,xserver_log_t)
logging_log_filetrans($1_xserver_t,xserver_log_t,file)
kernel_read_system_state($1_xserver_t)
kernel_read_device_sysctls($1_xserver_t)
kernel_read_modprobe_sysctls($1_xserver_t)
# Xorg wants to check if kernel is tainted
kernel_read_kernel_sysctls($1_xserver_t)
# Write access to proc files is unusual for a userspace server; worth
# narrowing if the specific file it needs can be identified.
kernel_write_proc_files($1_xserver_t)
# Run helper programs in $1_xserver_t.
corecmd_exec_bin($1_xserver_t)
corecmd_exec_shell($1_xserver_t)
# Network: all interfaces, nodes and ports for send and receive, plus
# outbound TCP connects to any port; only binding is restricted to the
# xserver port.
corenet_all_recvfrom_unlabeled($1_xserver_t)
corenet_all_recvfrom_netlabel($1_xserver_t)
corenet_tcp_sendrecv_generic_if($1_xserver_t)
corenet_udp_sendrecv_generic_if($1_xserver_t)
corenet_tcp_sendrecv_all_nodes($1_xserver_t)
corenet_udp_sendrecv_all_nodes($1_xserver_t)
corenet_tcp_sendrecv_all_ports($1_xserver_t)
corenet_udp_sendrecv_all_ports($1_xserver_t)
corenet_tcp_bind_all_nodes($1_xserver_t)
corenet_tcp_bind_xserver_port($1_xserver_t)
corenet_tcp_connect_all_ports($1_xserver_t)
corenet_sendrecv_xserver_server_packets($1_xserver_t)
corenet_sendrecv_all_client_packets($1_xserver_t)
# Device access for the hardware an X server drives.
dev_rw_sysfs($1_xserver_t)
dev_rw_mouse($1_xserver_t)
dev_rw_mtrr($1_xserver_t)
dev_rw_apm_bios($1_xserver_t)
dev_rw_agp($1_xserver_t)
dev_rw_framebuffer($1_xserver_t)
dev_manage_dri_dev($1_xserver_t)
dev_manage_generic_dirs($1_xserver_t)
# raw memory access is needed if not using the frame buffer
# Security note: write and execute on raw memory devices can in practice be
# used to bypass kernel and policy enforcement; this is the most powerful
# grant in the template and the first candidate for removal on systems
# that use the frame buffer, per the comment above.
dev_read_raw_memory($1_xserver_t)
dev_wx_raw_memory($1_xserver_t)
# for other device nodes such as the NVidia binary-only driver
dev_rw_xserver_misc($1_xserver_t)
dev_setattr_xserver_misc_dev($1_xserver_t)
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev($1_xserver_t)
dev_rwx_zero($1_xserver_t)
dev_read_urand($1_xserver_t)
dev_rw_generic_usb_dev($1_xserver_t)
dev_rw_generic_usb_pipes($1_xserver_t)
# Low address mappings; presumably for legacy video BIOS code, confirm.
domain_mmap_low_type($1_xserver_t)
domain_mmap_low($1_xserver_t)
domain_read_all_domains_state($1_xserver_t)
domain_dontaudit_ptrace_all_domains($1_xserver_t)
files_read_etc_files($1_xserver_t)
files_read_etc_runtime_files($1_xserver_t)
files_read_usr_files($1_xserver_t)
# brought on by rhgb
files_search_mnt($1_xserver_t)
# for nscd
files_dontaudit_search_pids($1_xserver_t)
fs_getattr_xattr_fs($1_xserver_t)
fs_search_nfs($1_xserver_t)
fs_search_auto_mountpoints($1_xserver_t)
fs_manage_ramfs_files($1_xserver_t)
fs_list_inotifyfs($1_xserver_t)
init_getpgid($1_xserver_t)
term_search_ptys($1_xserver_t)
term_setattr_unallocated_ttys($1_xserver_t)
term_use_unallocated_ttys($1_xserver_t)
libs_use_ld_so($1_xserver_t)
libs_use_shared_libs($1_xserver_t)
logging_send_syslog_msg($1_xserver_t)
miscfiles_read_localization($1_xserver_t)
miscfiles_read_fonts($1_xserver_t)
# Transitioning to the insmod domain lets the X server trigger kernel
# module loads; keep that in mind when auditing what this domain can reach.
modutils_domtrans_insmod($1_xserver_t)
seutil_dontaudit_search_config($1_xserver_t)
sysnet_read_config($1_xserver_t)
# execmem, execheap and execstack are withheld by the negated self:process
# rule above and only re-granted on non Red Hat distributions and on rhel4.
ifndef(`distro_redhat',`
allow $1_xserver_t self:process { execmem execheap execstack };
')
ifdef(`distro_rhel4',`
allow $1_xserver_t self:process { execmem execheap execstack };
')
optional_policy(`
apm_stream_connect($1_xserver_t)
')
optional_policy(`
auth_search_pam_console_data($1_xserver_t)
')
auth_use_nsswitch($1_xserver_t)
optional_policy(`
rhgb_getpgid($1_xserver_t)
rhgb_signal($1_xserver_t)
')
optional_policy(`
xfs_stream_connect($1_xserver_t)
')
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `xserver_common_domain_template'($*)) dnl
')
#######################################
##
## The per role template for the xserver module.
##
##
##
## Define a derived domain for the X server when executed
## by a user domain (e.g. via startx). See the xdm module
## if using an X Display Manager.
##
##
## This is invoked automatically for each user and
## generally does not need to be invoked directly
## by policy writers.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## The type of the user domain.
##
##
##
##
## The role associated with the user domain.
##
##
#
define(`xserver_per_role_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `xserver_per_role_template'($*)) dnl
gen_require(`
type iceauth_exec_t, xauth_exec_t;
attribute fonts_type, fonts_cache_type, fonts_config_type;
')
# Purpose: per-role wiring for an X server started by a user: creates the
# $1_xserver_t, $1_xauth_t and $1_iceauth_t domains with their home, tmp
# and font types, and ties them to the user domain $2 and role $3.
# Param $1: user domain prefix. Param $2: user domain type. Param $3: role.
# NOTE(review): xdm_t and xserver_exec_t are used below but are not listed
# in the gen_require block above; confirm they are in scope for every caller.
##############################
#
# Declarations
#
xserver_common_domain_template($1)
role $3 types $1_xserver_t;
# Per-user font, font cache and font config types live in the user home.
type $1_fonts_t, fonts_type;
userdom_user_home_content($1,$1_fonts_t)
type $1_fonts_cache_t, fonts_cache_type;
userdom_user_home_content($1,$1_fonts_cache_t)
type $1_fonts_config_t, fonts_config_type;
userdom_user_home_content($1,$1_fonts_config_t)
type $1_iceauth_t;
domain_type($1_iceauth_t)
domain_entry_file($1_iceauth_t,iceauth_exec_t)
role $3 types $1_iceauth_t;
# Home file holding the ICE authority data; the alias is a legacy name.
type $1_iceauth_home_t alias $1_iceauth_rw_t;
files_poly_member($1_iceauth_home_t)
userdom_user_home_content($1,$1_iceauth_home_t)
type $1_xauth_t;
domain_type($1_xauth_t)
domain_entry_file($1_xauth_t,xauth_exec_t)
role $3 types $1_xauth_t;
# Home file holding the X authority data; the alias is a legacy name.
type $1_xauth_home_t alias $1_xauth_rw_t;
files_poly_member($1_xauth_home_t)
userdom_user_home_content($1,$1_xauth_home_t)
type $1_xauth_tmp_t;
files_tmp_file($1_xauth_tmp_t)
##############################
#
# $1_xserver_t Local policy
#
domtrans_pattern($1_xserver_t, xauth_exec_t, $1_xauth_t)
# The server only reads the X authority file; xdm may append to it.
allow $1_xserver_t $1_xauth_home_t:file { getattr read };
allow xdm_t $1_xauth_home_t:file append_file_perms;
read_files_pattern($1_xserver_t, $2, $2)
# The user domain starts the server through a domain transition.
domtrans_pattern($2, xserver_exec_t, $1_xserver_t)
allow $1_xserver_t $2:process signal;
allow $1_xserver_t $2:shm rw_shm_perms;
# Certain X Libraries want to read /proc/self/cmdline when started with startx
allow $1_xserver_t $2:file r_file_perms;
# The user domain fully manages and relabels its own fonts and font config.
manage_dirs_pattern($2,$1_fonts_t,$1_fonts_t)
manage_files_pattern($2,$1_fonts_t,$1_fonts_t)
relabel_dirs_pattern($2,$1_fonts_t,$1_fonts_t)
relabel_files_pattern($2,$1_fonts_t,$1_fonts_t)
manage_dirs_pattern($2,$1_fonts_config_t,$1_fonts_config_t)
manage_files_pattern($2,$1_fonts_config_t,$1_fonts_config_t)
relabel_files_pattern($2,$1_fonts_config_t,$1_fonts_config_t)
# For startup relabel
allow $2 $1_fonts_cache_t:{ dir file } { relabelto relabelfrom };
stream_connect_pattern($2,$1_xserver_tmp_t,$1_xserver_tmp_t,$1_xserver_t)
allow $2 $1_xserver_tmpfs_t:file rw_file_perms;
# Communicate via System V shared memory.
# The $1_xserver_t to $2 shm rule below repeats the one granted a few lines
# above in this same section; harmless but redundant.
allow $1_xserver_t $2:shm rw_shm_perms;
allow $2 $1_xserver_t:shm rw_shm_perms;
getty_use_fds($1_xserver_t)
locallogin_use_fds($1_xserver_t)
userdom_search_user_home_dirs($1,$1_xserver_t)
userdom_use_user_ttys($1,$1_xserver_t)
userdom_setattr_user_ttys($1,$1_xserver_t)
userdom_rw_user_tmpfs_files($1,$1_xserver_t)
userdom_rw_user_tmp_files($1,$1_xserver_t)
xserver_use_user_fonts($1,$1_xserver_t)
xserver_rw_xdm_tmp_files($1_xauth_t)
optional_policy(`
userhelper_search_config($1_xserver_t)
')
##############################
#
# $1_xauth_t Local policy
#
allow $1_xauth_t self:process signal;
allow $1_xauth_t self:unix_stream_socket create_stream_socket_perms;
# xauth owns the X authority file: full management plus automatic labeling
# when it creates the file in the user home directory.
allow $1_xauth_t $1_xauth_home_t:file manage_file_perms;
userdom_user_home_dir_filetrans($1,$1_xauth_t,$1_xauth_home_t,file)
manage_dirs_pattern($1_xauth_t,$1_xauth_tmp_t,$1_xauth_tmp_t)
manage_files_pattern($1_xauth_t,$1_xauth_tmp_t,$1_xauth_tmp_t)
files_tmp_filetrans($1_xauth_t, $1_xauth_tmp_t, { file dir })
domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
allow $2 $1_xauth_t:process signal;
# allow ps to show xauth
ps_process_pattern($2,$1_xauth_t)
domain_use_interactive_fds($1_xauth_t)
files_read_etc_files($1_xauth_t)
files_search_pids($1_xauth_t)
fs_getattr_xattr_fs($1_xauth_t)
fs_search_auto_mountpoints($1_xauth_t)
# cjp: why?
term_use_ptmx($1_xauth_t)
libs_use_ld_so($1_xauth_t)
libs_use_shared_libs($1_xauth_t)
sysnet_dns_name_resolve($1_xauth_t)
userdom_use_user_terminals($1,$1_xauth_t)
userdom_read_user_tmp_files($1,$1_xauth_t)
# Home directories on NFS or CIFS are only reachable when the matching
# tunable is enabled.
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files($1_xauth_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_files($1_xauth_t)
')
optional_policy(`
xserver_read_user_xauth($1, $2)
')
optional_policy(`
xserver_read_user_iceauth($1, $2)
')
optional_policy(`
nis_use_ypbind($1_xauth_t)
')
optional_policy(`
ssh_sigchld($1_xauth_t)
ssh_read_pipes($1_xauth_t)
ssh_dontaudit_rw_tcp_sockets($1_xauth_t)
')
##############################
#
# $1_iceauth_t Local policy
#
domtrans_pattern($2, iceauth_exec_t, $1_iceauth_t)
allow $1_iceauth_t $1_iceauth_home_t:file manage_file_perms;
userdom_user_home_dir_filetrans($1,$1_iceauth_t,$1_iceauth_home_t,file)
# allow ps to show iceauth
ps_process_pattern($2,$1_iceauth_t)
# Unlike the X authority file, the user domain itself may manage and
# relabel the ICE authority file, and xdm may read it.
allow $2 $1_iceauth_home_t:file manage_file_perms;
allow $2 $1_iceauth_home_t:file { relabelfrom relabelto };
allow xdm_t $1_iceauth_home_t:file r_file_perms;
fs_search_auto_mountpoints($1_iceauth_t)
libs_use_ld_so($1_iceauth_t)
libs_use_shared_libs($1_iceauth_t)
userdom_use_user_terminals($1,$1_iceauth_t)
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files($1_iceauth_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_files($1_iceauth_t)
')
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `xserver_per_role_template'($*)) dnl
')
#######################################
##
## Template for creating sessions on a
## prefix X server, with read-only
## access to the X server shared
## memory segments.
##
##
##
## The prefix of the domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the domain SYSV tmpfs files.
##
##
#
define(`xserver_ro_session_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `xserver_ro_session_template'($*)) dnl
gen_require(`
type $1_xserver_t, $1_xserver_tmp_t, $1_xserver_tmpfs_t;
')
# Purpose: let $2 hold a session on the $1 X server with read-only access to
# the server SYSV shm, while the server gets read-write access to the
# client shm.
# Param $1: prefix of the X server domain. Param $2: the client domain.
# Param $3: tmpfs type of the client SYSV shm files.
# Xserver read/write client shm
allow $1_xserver_t $2:fd use;
allow $1_xserver_t $2:shm rw_shm_perms;
allow $1_xserver_t $3:file rw_file_perms;
# Connect to xserver
allow $2 $1_xserver_t:unix_stream_socket connectto;
allow $2 $1_xserver_t:process signal;
# Read /tmp/.X0-lock
allow $2 $1_xserver_tmp_t:file { getattr read };
# Client read xserver shm
# Read-only on purpose; xserver_rw_session_template layers write access on
# top of this for clients that need it.
allow $2 $1_xserver_t:fd use;
allow $2 $1_xserver_t:shm r_shm_perms;
allow $2 $1_xserver_tmpfs_t:file read_file_perms;
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `xserver_ro_session_template'($*)) dnl
')
#######################################
##
## Template for creating sessions on a
## prefix X server, with read and write
## access to the X server shared
## memory segments.
##
##
##
## The prefix of the domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the domain SYSV tmpfs files.
##
##
#
define(`xserver_rw_session_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `xserver_rw_session_template'($*)) dnl
gen_require(`
type $1_xserver_t, $1_xserver_tmpfs_t;
')
# Purpose: same as xserver_ro_session_template, plus write access for $2 to
# the X server SYSV shm and tmpfs files.
# Param $1: prefix of the X server domain. Param $2: the client domain.
# Param $3: tmpfs type of the client SYSV shm files, passed through.
xserver_ro_session_template($1,$2,$3)
# Write access to server shm lets the client alter server state directly;
# prefer the read-only template unless the client really needs this.
allow $2 $1_xserver_t:shm rw_shm_perms;
allow $2 $1_xserver_tmpfs_t:file rw_file_perms;
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `xserver_rw_session_template'($*)) dnl
')
#######################################
##
## Template for creating full client sessions
## on a user X server.
##
##
##
## The prefix of the domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the domain SYSV tmpfs files.
##
##
#
define(`xserver_user_client_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `xserver_user_client_template'($*)) dnl
gen_require(`
type xdm_t, xdm_tmp_t, xdm_xserver_t;
')
# Purpose: give the user domain $2 a full client session on the xdm X server
# and, where the optional policy is present, on its own $1 X server.
# Param $1: user domain prefix. Param $2: user domain type.
# Param $3: tmpfs type of the client SYSV shm files.
# NOTE(review): $1_home_t is used below but is not listed in the gen_require
# block above; confirm it is in scope for every caller.
# Client side IPC the X libraries need: shm and unix sockets to itself.
allow $2 $2:shm create_shm_perms;
allow $2 $2:unix_dgram_socket create_socket_perms;
allow $2 $2:unix_stream_socket { connectto create_stream_socket_perms };
# this should cause the .xsession-errors file to be written to /tmp
dontaudit xdm_t $1_home_t:file rw_file_perms;
# for when /tmp/.X11-unix is created by the system
allow $2 xdm_t:fd use;
allow $2 xdm_t:fifo_file { getattr read write ioctl };
allow $2 xdm_tmp_t:dir search;
allow $2 xdm_tmp_t:sock_file { read write };
dontaudit $2 xdm_t:tcp_socket { read write };
corenet_tcp_connect_xserver_port($2)
# Allow connections to X server.
files_search_tmp($2)
miscfiles_read_fonts($2)
userdom_search_user_home_dirs($1,$2)
# xdm itself gets management of the user home content and user tmp files
# here, which is broad; presumably so xdm can write session files for the
# user, confirm before widening further.
userdom_manage_user_home_content_dirs($1, xdm_t)
userdom_manage_user_home_content_files($1, xdm_t)
userdom_user_home_dir_filetrans_user_home_content($1, xdm_t, { dir file })
userdom_manage_user_tmp_dirs($1, xdm_t)
userdom_manage_user_tmp_files($1, xdm_t)
# Read-only shm session on the xdm X server; note the fixed xdm prefix here
# versus the $1 prefix used for the optional rw session below.
xserver_ro_session_template(xdm,$2,$3)
xserver_read_xdm_tmp_files($2)
xserver_xdm_stream_connect($2)
read_files_pattern(xdm_xserver_t, $2, $2)
optional_policy(`
# By name these read the home content of all users, not only $1.
userdom_read_all_users_home_content_files(xdm_t)
userdom_read_all_users_home_content_files(xdm_xserver_t)
userdom_rw_user_tmpfs_files($1, xdm_xserver_t)
#Compiler is broken so these will not work
gnome_read_user_gnome_config($1, xdm_t)
gnome_read_user_gnome_config($1, xdm_xserver_t)
')
# Read .Xauthority file
optional_policy(`
xserver_read_user_xauth($1, $2)
')
optional_policy(`
xserver_read_user_iceauth($1, $2)
')
optional_policy(`
xserver_use_user_fonts($1,$2)
')
optional_policy(`
xserver_rw_session_template($1,$2,$3)
')
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `xserver_user_client_template'($*)) dnl
')
########################################
##
## Read user fonts, user font configuration,
## and manage the user font cache.
##
##
##
## Read user fonts, user font configuration,
## and manage the user font cache.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_use_user_fonts',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `xserver_use_user_fonts'($*)) dnl
gen_require(`
type $1_fonts_t, $1_fonts_cache_t, $1_fonts_config_t;
')
# Purpose: let $2 read the fonts and font config of user $1 and manage the
# font cache of that user.
# Param $1: user domain prefix. Param $2: the domain being granted access.
# Read per user fonts
allow $2 $1_fonts_t:dir list_dir_perms;
allow $2 $1_fonts_t:file read_file_perms;
# Manipulate the global font cache
# The cache type here is per user despite the wording above; the variant
# spanning every user is xserver_use_all_users_fonts.
manage_dirs_pattern($2,$1_fonts_cache_t,$1_fonts_cache_t)
manage_files_pattern($2,$1_fonts_cache_t,$1_fonts_cache_t)
# Read per user font config
allow $2 $1_fonts_config_t:dir list_dir_perms;
allow $2 $1_fonts_config_t:file read_file_perms;
userdom_search_user_home_dirs($1,$2)
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `xserver_use_user_fonts'($*)) dnl
')
########################################
##
## Get the attributes of xauth executable
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_getattr_xauth',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `xserver_getattr_xauth'($*)) dnl
gen_require(`
type xauth_exec_t;
')
# Purpose: let $1 stat the xauth executable, e.g. to test for its presence,
# without being able to execute it.
# Param $1: the domain being granted access.
allow $1 xauth_exec_t:file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `xserver_getattr_xauth'($*)) dnl
')
########################################
##
## Transition to a user Xauthority domain.
##
##
##
## Transition to a user Xauthority domain.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_domtrans_user_xauth',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `xserver_domtrans_user_xauth'($*)) dnl
gen_require(`
type $1_xauth_t, xauth_exec_t;
')
# Purpose: let $2 run xauth and transition into the $1_xauth_t domain.
# Param $1: user domain prefix. Param $2: the domain being granted access.
# Only callable from a per-userdomain template since $1_xauth_t is derived.
domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `xserver_domtrans_user_xauth'($*)) dnl
')
########################################
##
## Read a user Xauthority file.
##
##
##
## Read a user Xauthority file.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_read_user_xauth',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `xserver_read_user_xauth'($*)) dnl
gen_require(`
type $1_xauth_home_t;
')
# Purpose: let $2 read the X authority file of user $1.
# Param $1: user domain prefix. Param $2: the domain being granted access.
# The X authority file carries the X session credentials, so treat this as
# a credential grant and give it only to domains that must reach the display.
allow $2 $1_xauth_home_t:file { getattr read };
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `xserver_read_user_xauth'($*)) dnl
')
########################################
##
## Read a user Iceauthority file.
##
##
##
## Read a user Iceauthority file.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_read_user_iceauth',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `xserver_read_user_iceauth'($*)) dnl
gen_require(`
type $1_iceauth_home_t;
')
# Purpose: let $2 read the ICE authority file of user $1.
# Param $1: user domain prefix. Param $2: the domain being granted access.
# As with the X authority file this is credential material; grant sparingly.
# Read .Iceauthority file
allow $2 $1_iceauth_home_t:file { getattr read };
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `xserver_read_user_iceauth'($*)) dnl
')
########################################
##
## Create user Xauthority files in the user home directory.
##
##
##
## Files the domain creates in the user home directory are labeled with the user Xauthority type.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_user_home_dir_filetrans_user_xauth',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `xserver_user_home_dir_filetrans_user_xauth'($*)) dnl
gen_require(`
type $1_xauth_home_t;
')
# Purpose: label files that $2 creates in the home directory of user $1 as
# $1_xauth_home_t. This is a labeling rule only; the create permission
# itself must come from elsewhere.
# Param $1: user domain prefix. Param $2: the creating domain.
userdom_user_home_dir_filetrans($1, $2, $1_xauth_home_t, file)
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `xserver_user_home_dir_filetrans_user_xauth'($*)) dnl
')
########################################
##
## Read all users fonts, user font configurations,
## and manage all users font caches.
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_use_all_users_fonts',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `xserver_use_all_users_fonts'($*)) dnl
gen_require(`
attribute fonts_type, fonts_cache_type, fonts_config_type;
')
# Purpose: attribute based variant of xserver_use_user_fonts: $1 may read
# the fonts and font config of every user and manage every user font cache.
# Param $1: the domain being granted access.
# Because this spans all users it is much broader than the per-user form;
# prefer xserver_use_user_fonts for domains tied to a single user.
# Read per user fonts
allow $1 fonts_type:dir list_dir_perms;
allow $1 fonts_type:file read_file_perms;
# Manipulate the global font cache
manage_dirs_pattern($1,fonts_cache_type,fonts_cache_type)
manage_files_pattern($1,fonts_cache_type,fonts_cache_type)
# Read per user font config
allow $1 fonts_config_type:dir list_dir_perms;
allow $1 fonts_config_type:file read_file_perms;
userdom_search_all_users_home_dirs($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `xserver_use_all_users_fonts'($*)) dnl
')
########################################
##
## Set the attributes of the X windows console named pipes.
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_setattr_console_pipes',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `xserver_setattr_console_pipes'($*)) dnl
gen_require(`
type xconsole_device_t;
')
# Purpose: let $1 change attributes of the X console named pipe, e.g. its
# mode or ownership; no read or write is granted, see xserver_rw_console.
# Param $1: the domain being granted access.
allow $1 xconsole_device_t:fifo_file setattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `xserver_setattr_console_pipes'($*)) dnl
')
########################################
##
## Read and write the X windows console named pipe.
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_rw_console',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `xserver_rw_console'($*)) dnl
gen_require(`
type xconsole_device_t;
')
# Purpose: let $1 read and write the X console named pipe.
# Param $1: the domain being granted access.
# Writers can inject console messages, so keep this to logging daemons.
allow $1 xconsole_device_t:fifo_file { getattr read write };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `xserver_rw_console'($*)) dnl
')
########################################
##
## Use file descriptors for xdm.
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_use_xdm_fds',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `xserver_use_xdm_fds'($*)) dnl
gen_require(`
type xdm_t;
')
# Interface: arg 1 is the caller domain. fd:use lets the caller keep
# using file descriptors it inherited from (or was passed by) xdm_t;
# it does not by itself grant access to the objects behind them.
allow $1 xdm_t:fd use;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `xserver_use_xdm_fds'($*)) dnl
')
########################################
##
## Do not audit attempts to inherit
## XDM file descriptors.
##
##
##
## Domain to not audit.
##
##
#
define(`xserver_dontaudit_use_xdm_fds',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `xserver_dontaudit_use_xdm_fds'($*)) dnl
gen_require(`
type xdm_t;
')
# Interface: arg 1 is the domain whose denials are silenced. Access is
# still denied; only the AVC audit record is suppressed, so a genuine
# misuse of an inherited xdm fd would not appear in the audit log either.
dontaudit $1 xdm_t:fd use;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `xserver_dontaudit_use_xdm_fds'($*)) dnl
')
########################################
##
## Read and write XDM unnamed pipes.
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_rw_xdm_pipes',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `xserver_rw_xdm_pipes'($*)) dnl
gen_require(`
type xdm_t;
')
# Interface: arg 1 is the caller domain. Explicit getattr/read/write on
# xdm_t fifo_files (unnamed pipes); the dontaudit sibling below uses the
# wider rw_fifo_file_perms macro instead.
allow $1 xdm_t:fifo_file { getattr read write };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `xserver_rw_xdm_pipes'($*)) dnl
')
########################################
##
## Do not audit attempts to read and write
## XDM unnamed pipes.
##
##
##
## Domain to not audit.
##
##
#
define(`xserver_dontaudit_rw_xdm_pipes',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `xserver_dontaudit_rw_xdm_pipes'($*)) dnl
gen_require(`
type xdm_t;
')
# Interface: arg 1 is the domain whose denials are silenced. Suppresses
# audit records for the whole rw_fifo_file_perms set on xdm_t pipes;
# nothing is allowed, only left unlogged.
dontaudit $1 xdm_t:fifo_file rw_fifo_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `xserver_dontaudit_rw_xdm_pipes'($*)) dnl
')
########################################
##
## Connect to XDM over a unix domain
## stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_stream_connect_xdm',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `xserver_stream_connect_xdm'($*)) dnl
gen_require(`
type xdm_t, xdm_tmp_t;
')
# Interface: arg 1 is the caller domain. The socket file lives in an
# xdm_tmp_t directory, hence search on /tmp first; the pattern then
# covers the sock_file write and the unix_stream_socket connect to xdm_t.
files_search_tmp($1)
stream_connect_pattern($1,xdm_tmp_t,xdm_tmp_t,xdm_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `xserver_stream_connect_xdm'($*)) dnl
')
########################################
##
## Read xdm-writable configuration files.
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_read_xdm_rw_config',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `xserver_read_xdm_rw_config'($*)) dnl
gen_require(`
type xdm_rw_etc_t;
')
# Interface: arg 1 is the caller domain. Read-only access to the
# xdm-writable config type; search on /etc is needed to reach the files.
# Only getattr and read are granted (no open/ioctl/lock).
files_search_etc($1)
allow $1 xdm_rw_etc_t:file { getattr read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `xserver_read_xdm_rw_config'($*)) dnl
')
########################################
##
## Set the attributes of XDM temporary directories.
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_setattr_xdm_tmp_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `xserver_setattr_xdm_tmp_dirs'($*)) dnl
gen_require(`
type xdm_tmp_t;
')
# Interface: arg 1 is the caller domain. Only dir:setattr (chmod/chown
# style changes) on xdm_tmp_t directories; no search or list is included,
# so callers usually need files_search_tmp separately.
allow $1 xdm_tmp_t:dir setattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `xserver_setattr_xdm_tmp_dirs'($*)) dnl
')
########################################
##
## Create a named socket in a XDM
## temporary directory.
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_create_xdm_tmp_sockets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `xserver_create_xdm_tmp_sockets'($*)) dnl
gen_require(`
type xdm_tmp_t;
')
# Interface: arg 1 is the caller domain. Lets it create and remove
# named sockets inside xdm_tmp_t directories: search /tmp, list the
# directory, create sock_files there, and unlink them again.
files_search_tmp($1)
allow $1 xdm_tmp_t:dir list_dir_perms;
create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t)
# unlink is added explicitly because the create pattern alone does not
# cover removing a stale socket.
allow $1 xdm_tmp_t:sock_file unlink;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `xserver_create_xdm_tmp_sockets'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes of xdm temporary named sockets.
##
##
##
## Domain to not audit
##
##
#
define(`xserver_dontaudit_getattr_tmp_sock',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `xserver_dontaudit_getattr_tmp_sock'($*)) dnl
gen_require(`
type xdm_tmp_t;
')
# Interface: arg 1 is the domain whose denials are silenced. Same rule as
# xserver_dontaudit_getattr_xdm_tmp_sockets; both names are kept so
# existing callers keep building.
dontaudit $1 xdm_tmp_t:sock_file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `xserver_dontaudit_getattr_tmp_sock'($*)) dnl
')
########################################
##
## Read XDM pid files.
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_read_xdm_pid',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `xserver_read_xdm_pid'($*)) dnl
gen_require(`
type xdm_var_run_t;
')
# Interface: arg 1 is the caller domain. Search on the pid directory
# plus read_file_perms on xdm_var_run_t files; no write, so the caller
# cannot forge the pid file.
files_search_pids($1)
allow $1 xdm_var_run_t:file read_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `xserver_read_xdm_pid'($*)) dnl
')
########################################
##
## Read XDM var lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_read_xdm_lib_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `xserver_read_xdm_lib_files'($*)) dnl
gen_require(`
type xdm_var_lib_t;
')
# Interface: arg 1 is the caller domain. Only getattr and read on the
# files; unlike xserver_read_xdm_pid no search on the parent directory
# is granted here, callers must already be able to reach /var/lib.
allow $1 xdm_var_lib_t:file { getattr read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `xserver_read_xdm_lib_files'($*)) dnl
')
########################################
##
## Execute the X server in the XDM X server domain.
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_domtrans_xdm_xserver',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `xserver_domtrans_xdm_xserver'($*)) dnl
gen_require(`
type xdm_xserver_t, xserver_exec_t;
')
# Interface: arg 1 is the caller domain. Executing xserver_exec_t from
# the caller transitions into xdm_xserver_t.
# siginh lets the new xdm_xserver_t process inherit the signal state of
# the caller across the transition.
allow $1 xdm_xserver_t:process siginh;
domtrans_pattern($1,xserver_exec_t,xdm_xserver_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `xserver_domtrans_xdm_xserver'($*)) dnl
')
########################################
##
## Execute the X server in the xdm_xserver domain, and
## allow the specified role the xdm_xserver domain.
##
##
##
## The type of the process performing this action.
##
##
##
##
## The role to be allowed the xdm_xserver domain.
##
##
##
##
## The type of the terminal the xdm_xserver domain is allowed to use.
##
##
#
define(`xserver_run_xdm_xserver',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `xserver_run_xdm_xserver'($*)) dnl
gen_require(`
type xdm_xserver_t;
')
# Interface: arg 1 = caller domain, arg 2 = role to authorize for
# xdm_xserver_t, arg 3 = terminal (chr_file) type.
xserver_domtrans_xdm_xserver($1)
# Without this role statement the domain transition would be refused at
# the role check even though the type rules above allow it.
role $2 types xdm_xserver_t;
# Note the subject is xdm_xserver_t, not the caller: this grants the X
# server read/write on the terminal type passed in arg 3.
allow xdm_xserver_t $3:chr_file rw_term_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `xserver_run_xdm_xserver'($*)) dnl
')
########################################
##
## Make an X session script an entrypoint for the specified domain.
##
##
##
## The domain for which the shell is an entrypoint.
##
##
#
define(`xserver_xsession_entry_type',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `xserver_xsession_entry_type'($*)) dnl
gen_require(`
type xsession_exec_t;
')
# Interface: arg 1 is a domain type. Marks xsession_exec_t as a valid
# entrypoint for it, i.e. a process may enter arg 1 by executing an X
# session script. This declares the entrypoint only; the transition
# itself comes from xserver_xsession_spec_domtrans or a caller rule.
domain_entry_file($1,xsession_exec_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `xserver_xsession_entry_type'($*)) dnl
')
########################################
##
## Execute an X session in the target domain. This
## is an explicit transition, requiring the
## caller to use setexeccon().
##
##
##
## Execute an Xsession in the target domain. This
## is an explicit transition, requiring the
## caller to use setexeccon().
##
##
## No interprocess communication (signals, pipes,
## etc.) is provided by this interface since
## the domains are not owned by this module.
##
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the shell process.
##
##
#
define(`xserver_xsession_spec_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `xserver_xsession_spec_domtrans'($*)) dnl
gen_require(`
type xsession_exec_t;
')
# Interface: arg 1 = caller domain, arg 2 = target domain. Uses
# domain_trans rather than domtrans_pattern, so no type_transition rule
# is emitted: the caller has to request the new context explicitly (see
# the interface description above), and the target must already have
# xsession_exec_t as an entrypoint.
domain_trans($1,xsession_exec_t,$2)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `xserver_xsession_spec_domtrans'($*)) dnl
')
########################################
##
## Get the attributes of X server logs.
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_getattr_log',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `xserver_getattr_log'($*)) dnl
gen_require(`
type xserver_log_t;
')
# Interface: arg 1 is the caller domain. Search on the log directory
# plus file:getattr only - the caller can stat the X server log but not
# read its contents.
logging_search_logs($1)
allow $1 xserver_log_t:file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `xserver_getattr_log'($*)) dnl
')
########################################
##
## Do not audit attempts to write the X server
## log files.
##
##
##
## Domain to not audit
##
##
#
define(`xserver_dontaudit_write_log',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `xserver_dontaudit_write_log'($*)) dnl
gen_require(`
type xserver_log_t;
')
# Interface: arg 1 is the domain whose denials are silenced. Writes and
# appends to the X server log stay denied; only the audit noise from
# attempting them is dropped.
dontaudit $1 xserver_log_t:file { append write };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `xserver_dontaudit_write_log'($*)) dnl
')
########################################
##
## Delete X server log files.
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_delete_log',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `xserver_delete_log'($*)) dnl
gen_require(`
type xserver_log_t;
')
# Interface: arg 1 is the caller domain. Despite the interface header
# above, this is an allow interface: the caller may list the log
# directory and delete regular files and fifos of type xserver_log_t.
# Deleting logs removes forensic evidence, so grant it only to the
# log rotation / cleanup domains that genuinely need it.
logging_search_logs($1)
allow $1 xserver_log_t:dir list_dir_perms;
delete_files_pattern($1,xserver_log_t,xserver_log_t)
delete_fifo_files_pattern($1,xserver_log_t,xserver_log_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `xserver_delete_log'($*)) dnl
')
########################################
##
## Read X keyboard extension libraries.
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_read_xkb_libs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `xserver_read_xkb_libs'($*)) dnl
gen_require(`
type xkb_var_lib_t;
')
# Interface: arg 1 is the caller domain. Read-only access to the XKB
# data under /var/lib: search the parent, list xkb_var_lib_t
# directories, read files and follow symlinks of that type.
files_search_var_lib($1)
allow $1 xkb_var_lib_t:dir list_dir_perms;
read_files_pattern($1,xkb_var_lib_t,xkb_var_lib_t)
read_lnk_files_pattern($1,xkb_var_lib_t,xkb_var_lib_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `xserver_read_xkb_libs'($*)) dnl
')
########################################
##
## Read xdm_xserver temporary files.
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_read_xdm_xserver_tmp_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `xserver_read_xdm_xserver_tmp_files'($*)) dnl
gen_require(`
type xdm_xserver_tmp_t;
')
# Interface: arg 1 is the caller domain. Read access to the X server
# temp type (xdm_xserver_tmp_t), which is distinct from the xdm temp
# type handled by xserver_read_xdm_tmp_files. No files_search_tmp here,
# so the caller must already be able to search /tmp.
read_files_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `xserver_read_xdm_xserver_tmp_files'($*)) dnl
')
########################################
##
## Read xdm temporary files.
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_read_xdm_tmp_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `xserver_read_xdm_tmp_files'($*)) dnl
gen_require(`
type xdm_tmp_t;
')
# Interface: arg 1 is the caller domain. Read access to xdm_tmp_t files,
# with search on /tmp so the path is reachable.
files_search_tmp($1)
read_files_pattern($1,xdm_tmp_t,xdm_tmp_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `xserver_read_xdm_tmp_files'($*)) dnl
')
########################################
##
## Do not audit attempts to read xdm temporary files.
##
##
##
## Domain to not audit
##
##
#
define(`xserver_dontaudit_read_xdm_tmp_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `xserver_dontaudit_read_xdm_tmp_files'($*)) dnl
gen_require(`
type xdm_tmp_t;
')
# Interface: arg 1 is the domain whose denials are silenced. Covers both
# the directory search and the file read so a probing application does
# not fill the audit log; access itself remains denied.
dontaudit $1 xdm_tmp_t:dir search_dir_perms;
dontaudit $1 xdm_tmp_t:file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `xserver_dontaudit_read_xdm_tmp_files'($*)) dnl
')
########################################
##
## Read and write xdm temporary files.
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_rw_xdm_tmp_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `xserver_rw_xdm_tmp_files'($*)) dnl
gen_require(`
type xdm_tmp_t;
')
# Interface: arg 1 is the caller domain. Read/write on existing
# xdm_tmp_t files only - no create or unlink (that is
# xserver_manage_xdm_tmp_files) and no search on /tmp itself.
allow $1 xdm_tmp_t:dir search_dir_perms;
allow $1 xdm_tmp_t:file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `xserver_rw_xdm_tmp_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete xdm temporary files.
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_manage_xdm_tmp_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `xserver_manage_xdm_tmp_files'($*)) dnl
gen_require(`
type xdm_tmp_t;
')
# Interface: arg 1 is the caller domain. Full lifecycle on xdm_tmp_t
# regular files (create/read/write/delete); the directory type is also
# xdm_tmp_t. No search on /tmp is granted here.
manage_files_pattern($1,xdm_tmp_t,xdm_tmp_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `xserver_manage_xdm_tmp_files'($*)) dnl
')
########################################
##
## dontaudit getattr xdm temporary named sockets.
##
##
##
## Domain to not audit
##
##
#
define(`xserver_dontaudit_getattr_xdm_tmp_sockets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `xserver_dontaudit_getattr_xdm_tmp_sockets'($*)) dnl
gen_require(`
type xdm_tmp_t;
')
# Interface: arg 1 is the domain whose denials are silenced. Identical
# rule to xserver_dontaudit_getattr_tmp_sock; this is the better-named
# of the two.
dontaudit $1 xdm_tmp_t:sock_file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `xserver_dontaudit_getattr_xdm_tmp_sockets'($*)) dnl
')
########################################
##
## Signal XDM X servers
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_signal_xdm_xserver',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `xserver_signal_xdm_xserver'($*)) dnl
gen_require(`
type xdm_xserver_t;
')
# Interface: arg 1 is the caller domain. process:signal covers the
# generic signals only; SIGKILL is a separate permission granted by
# xserver_kill_xdm_xserver.
allow $1 xdm_xserver_t:process signal;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `xserver_signal_xdm_xserver'($*)) dnl
')
########################################
##
## Kill XDM X servers
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_kill_xdm_xserver',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `xserver_kill_xdm_xserver'($*)) dnl
gen_require(`
type xdm_xserver_t;
')
# Interface: arg 1 is the caller domain. Grants only sigkill; a caller
# that also needs ordinary signals must use xserver_signal_xdm_xserver.
# Being able to kill the X server terminates every session on that
# display, so restrict this to the display manager and admin domains.
allow $1 xdm_xserver_t:process sigkill;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `xserver_kill_xdm_xserver'($*)) dnl
')
########################################
##
## Do not audit attempts to read and write to
## a XDM X server socket.
##
##
##
## Domain to not audit
##
##
#
define(`xserver_dontaudit_rw_xdm_xserver_tcp_sockets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `xserver_dontaudit_rw_xdm_xserver_tcp_sockets'($*)) dnl
gen_require(`
type xdm_xserver_t;
')
# Interface: arg 1 is the domain whose denials are silenced. Typically
# a child that inherited an X server TCP socket fd it never uses;
# read/write on the socket stay denied, only the AVC record is dropped.
dontaudit $1 xdm_xserver_t:tcp_socket { read write };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `xserver_dontaudit_rw_xdm_xserver_tcp_sockets'($*)) dnl
')
########################################
##
## Do not audit attempts to read and write xdm_xserver
## unix domain stream sockets.
##
##
##
## Domain to not audit.
##
##
#
define(`xserver_dontaudit_rw_xdm_stream_sockets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `xserver_dontaudit_rw_xdm_stream_sockets'($*)) dnl
gen_require(`
type xdm_xserver_t;
')
# Interface: arg 1 is the domain whose denials are silenced. Despite the
# name, the target is xdm_xserver_t (the X server), not xdm_t. This is a
# dontaudit, not an allow: the caller still cannot talk on the socket.
dontaudit $1 xdm_xserver_t:unix_stream_socket { read write };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `xserver_dontaudit_rw_xdm_stream_sockets'($*)) dnl
')
########################################
##
## Connect to xdm_xserver over a unix domain
## stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_stream_connect_xdm_xserver',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `xserver_stream_connect_xdm_xserver'($*)) dnl
gen_require(`
type xdm_xserver_t, xdm_xserver_tmp_t;
')
# Interface: arg 1 is the caller domain. The X server listening socket
# file is of type xdm_xserver_tmp_t under /tmp; the pattern grants the
# sock_file write plus connectto on the xdm_xserver_t stream socket.
# This is the usual path for an X client to reach the display.
files_search_tmp($1)
stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `xserver_stream_connect_xdm_xserver'($*)) dnl
')
########################################
##
## Sigchld XDM
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_xdm_sigchld',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `xserver_xdm_sigchld'($*)) dnl
gen_require(`
type xdm_t;
')
# Interface: arg 1 is the caller domain. Lets a child spawned by xdm
# deliver SIGCHLD back to xdm_t on exit; this is the only signal granted.
allow $1 xdm_t:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `xserver_xdm_sigchld'($*)) dnl
')
########################################
##
## Connect to XDM over a unix domain stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_xdm_stream_connect',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `xserver_xdm_stream_connect'($*)) dnl
gen_require(`
type xdm_t, xdm_var_run_t;
')
# Interface: arg 1 is the caller domain. Connects to xdm_t over the
# socket file it keeps in the pid directory (xdm_var_run_t). Written out
# as explicit rules rather than stream_connect_pattern, but the
# resulting permissions are the same three steps: reach the directory,
# write the sock_file, connectto the xdm_t stream socket.
files_search_pids($1)
allow $1 xdm_var_run_t:sock_file write;
allow $1 xdm_t:unix_stream_socket connectto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `xserver_xdm_stream_connect'($*)) dnl
')
########################################
##
## Connect to the XDM X server over a unix domain stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_stream_connect',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `xserver_stream_connect'($*)) dnl
gen_require(`
type xdm_xserver_t, xserver_var_run_t;
')
# Interface: arg 1 is the caller domain. Unlike
# xserver_stream_connect_xdm_xserver this reaches the X server through a
# socket file of type xserver_var_run_t in the pid directory, not /tmp.
files_search_pids($1)
stream_connect_pattern($1,xserver_var_run_t,xserver_var_run_t,xdm_xserver_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `xserver_stream_connect'($*)) dnl
')
########################################
##
## Read and write XDM X server shared memory segments.
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_xdm_rw_shm',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `xserver_xdm_rw_shm'($*)) dnl
gen_require(`
type xdm_xserver_t;
')
# Interface: arg 1 is the caller domain. Unlike most interfaces here the
# access is bidirectional: the X server may use file descriptors owned
# by the caller, and each side gets read/write on the others shared
# memory segments (MIT-SHM style image transfer). Because it also hands
# the caller write access into X server memory segments, treat callers
# of this interface as effectively trusted by the display.
allow xdm_xserver_t $1:fd use;
allow $1 xdm_xserver_t:shm rw_shm_perms;
allow xdm_xserver_t $1:shm rw_shm_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `xserver_xdm_rw_shm'($*)) dnl
')
########################################
##
## Execute xserver files created in /var/run
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_exec_pid',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `xserver_exec_pid'($*)) dnl
gen_require(`
type xserver_var_run_t;
')
# Interface: arg 1 is the caller domain. Executes files of type
# xserver_var_run_t in the caller domain (no transition).
# NOTE(review): /var/run content is runtime-created and, per
# xserver_write_pid below, writable by other domains - executing from
# it means the caller runs whatever those writers placed there.
files_search_pids($1)
exec_files_pattern($1, xserver_var_run_t, xserver_var_run_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `xserver_exec_pid'($*)) dnl
')
########################################
##
## Read xserver files created in /var/run
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_read_pid',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `xserver_read_pid'($*)) dnl
gen_require(`
type xserver_var_run_t;
')
# Interface: arg 1 is the caller domain. Read-only access to
# xserver_var_run_t files in the pid directory.
files_search_pids($1)
read_files_pattern($1, xserver_var_run_t, xserver_var_run_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `xserver_read_pid'($*)) dnl
')
########################################
##
## Write xserver files created in /var/run
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_write_pid',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `xserver_write_pid'($*)) dnl
gen_require(`
type xserver_var_run_t;
')
# Interface: arg 1 is the caller domain. Write (not create/delete) on
# existing xserver_var_run_t files. Combined with xserver_exec_pid this
# lets a writer influence what an executing domain runs, so keep the
# two sets of callers disjoint.
files_search_pids($1)
write_files_pattern($1, xserver_var_run_t, xserver_var_run_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `xserver_write_pid'($*)) dnl
')
## Zebra border gateway protocol network routing service
########################################
##
## Read the configuration files for zebra.
##
##
##
## Domain allowed access.
##
##
##
#
define(`zebra_read_config',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `zebra_read_config'($*)) dnl
gen_require(`
type zebra_conf_t;
')
# Interface: arg 1 is the caller domain. Read-only access to the zebra
# configuration: files, the directories holding them, and symlinks.
# Uses the r_*_perms sets (no write/append), so the routing config
# cannot be altered through this interface.
files_search_etc($1)
allow $1 zebra_conf_t:file r_file_perms;
allow $1 zebra_conf_t:dir r_dir_perms;
allow $1 zebra_conf_t:lnk_file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `zebra_read_config'($*)) dnl
')
## policy for z/OS Remote-services Audit dispatcher plugin
########################################
##
## Execute a domain transition to run audispd-zos-remote.
##
##
##
## Domain allowed to transition.
##
##
#
define(`zos_remote_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `zos_remote_domtrans'($*)) dnl
gen_require(`
type zos_remote_t;
type zos_remote_exec_t;
')
# Interface: arg 1 is the caller domain. Executing zos_remote_exec_t
# automatically transitions the process into zos_remote_t.
domtrans_pattern($1, zos_remote_exec_t, zos_remote_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `zos_remote_domtrans'($*)) dnl
')
########################################
##
## Allow specified type and role to transition and
## run in the zos_remote_t domain. Allow specified type
## to use zos_remote_t terminal.
##
##
##
## Domain allowed access
##
##
##
##
## The role to be allowed the zos_remote domain.
##
##
##
##
## The type of the role's terminal.
##
##
#
define(`zos_remote_run',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `zos_remote_run'($*)) dnl
gen_require(`
type zos_remote_t;
')
# Interface: arg 1 = caller domain, arg 2 = role to authorize for
# zos_remote_t, arg 3 = terminal (chr_file) type of that role.
zos_remote_domtrans($1)
role $2 types zos_remote_t;
# Note this is a dontaudit, not an allow (compare xserver_run_xdm_xserver
# above): the audit dispatcher plugin is not given the terminal, its
# attempts to use it are merely kept out of the audit log. The header
# comment saying "use zos_remote_t terminal" overstates this.
dontaudit zos_remote_t $3:chr_file rw_term_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `zos_remote_run'($*)) dnl
')
## Policy for user executable applications.
########################################
##
## Make the specified type usable as an application domain.
##
##
##
## Type to be used as a domain type.
##
##
#
define(`application_type',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `application_type'($*)) dnl
gen_require(`
attribute application_domain_type;
')
# Interface: arg 1 is a type to be declared as an application domain.
# The attribute is what other modules key off (for example to grant
# or deny access to all application domains at once).
typeattribute $1 application_domain_type;
# start with basic domain
domain_type($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `application_type'($*)) dnl
')
########################################
##
## Make the specified type usable for files
## that are executables, such as binary programs.
## This does not include shared libraries.
##
##
##
## Type to be used for files.
##
##
#
define(`application_executable_file',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `application_executable_file'($*)) dnl
gen_require(`
attribute application_exec_type;
')
# Interface: arg 1 is a file type. Tagging it with application_exec_type
# is what makes it reachable through application_exec / application_exec_all,
# so only label genuine program binaries with it (not data or libraries).
typeattribute $1 application_exec_type;
corecmd_executable_file($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `application_executable_file'($*)) dnl
')
########################################
##
## Execute application executables in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`application_exec',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `application_exec'($*)) dnl
gen_require(`
attribute application_exec_type;
')
# Interface: arg 1 is the caller domain. Executes any file carrying the
# application_exec_type attribute without a domain transition, i.e. the
# program runs with the full permissions of the caller.
can_exec($1, application_exec_type)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `application_exec'($*)) dnl
')
########################################
##
## Execute all executable files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`application_exec_all',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `application_exec_all'($*)) dnl
# Interface: arg 1 is the caller domain. Broad interface: bin, shell,
# chroot and every application_exec_type, all executed in the caller
# domain. No gen_require is needed because only other interfaces are
# invoked. The dontaudit first silences denials for executable types
# that are intentionally not granted below.
corecmd_dontaudit_exec_all_executables($1)
corecmd_exec_bin($1)
corecmd_exec_shell($1)
corecmd_exec_chroot($1)
application_exec($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `application_exec_all'($*)) dnl
')
########################################
##
## Create a domain which can be started by users
##
##
##
## Type to be used as a domain.
##
##
##
##
## Type of the program to be used as an entry point to this domain.
##
##
#
define(`application_domain',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `application_domain'($*)) dnl
# Interface: arg 1 = domain type, arg 2 = its entrypoint executable type.
# Declares both types and ties them together; it does NOT add a
# transition rule - callers still need a domtrans into arg 1.
application_type($1)
application_executable_file($2)
domain_entry_file($1,$2)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `application_domain'($*)) dnl
')
## Common policy for authentication and user login.
#######################################
##
## Common template to create a domain for authentication.
##
##
##
## This template creates a derived domain which is allowed
## to authenticate users by using PAM unix_chkpwd support.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
#
define(`authlogin_common_auth_domain_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `authlogin_common_auth_domain_template'($*)) dnl
gen_require(`
attribute can_read_shadow_passwords;
type chkpwd_exec_t, shadow_t;
')
# Template: arg 1 is a domain prefix. Declares a derived helper domain
# (prefix_chkpwd_t) entered via chkpwd_exec_t. The design point is that
# only this small helper, tagged can_read_shadow_passwords, ever touches
# shadow_t - the calling user domain itself never gets shadow access.
type $1_chkpwd_t, can_read_shadow_passwords;
domain_type($1_chkpwd_t)
domain_entry_file($1_chkpwd_t,chkpwd_exec_t)
# setuid capability is needed by the helper binary; no other
# capabilities are granted.
allow $1_chkpwd_t self:capability setuid;
allow $1_chkpwd_t self:process getattr;
# Authentication outcomes are reported to the audit subsystem.
logging_send_audit_msgs($1_chkpwd_t)
files_list_etc($1_chkpwd_t)
# Read-only (getattr + read) on the shadow file; no write or append.
allow $1_chkpwd_t shadow_t:file { getattr read };
# is_selinux_enabled
kernel_read_system_state($1_chkpwd_t)
dev_read_rand($1_chkpwd_t)
dev_read_urand($1_chkpwd_t)
files_read_etc_files($1_chkpwd_t)
# for nscd
files_dontaudit_search_var($1_chkpwd_t)
fs_dontaudit_getattr_xattr_fs($1_chkpwd_t)
auth_use_nsswitch($1_chkpwd_t)
libs_use_ld_so($1_chkpwd_t)
libs_use_shared_libs($1_chkpwd_t)
logging_send_syslog_msg($1_chkpwd_t)
miscfiles_read_localization($1_chkpwd_t)
seutil_read_config($1_chkpwd_t)
# Kerberos access only when that module is present in the build.
optional_policy(`
kerberos_use($1_chkpwd_t)
')
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `authlogin_common_auth_domain_template'($*)) dnl
')
#######################################
##
## The per role template for the authlogin module.
##
##
##
## This template creates a derived domain which is allowed
## to authenticate users by using PAM unix_chkpwd support.
## This domain will be used by any programs running in the
## user domain which use PAM to authenticate.
##
##
## This template is invoked automatically for each user, and
## generally does not need to be invoked directly
## by policy writers.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## The type of the user domain.
##
##
##
##
## The role associated with the user domain.
##
##
#
define(`authlogin_per_role_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `authlogin_per_role_template'($*)) dnl
gen_require(`
type system_chkpwd_t, shadow_t, updpwd_t;
')
# NOTE(review): chkpwd_exec_t is used below but not listed here; it is
# only in scope through the require of the nested template.  updpwd_t
# is listed but not used in this body - confirm both are intended.
authlogin_common_auth_domain_template($1)
# Both the per-user checker and the system-wide one are authorised
# for the user role.
role $3 types $1_chkpwd_t;
role $3 types system_chkpwd_t;
# cjp: is this really needed?
logging_send_audit_msgs($2)
# Do not fill the audit log with the user domain probing /etc/shadow.
dontaudit $2 shadow_t:file { getattr read };
# Transition from the user domain to this domain.
domain_auto_trans($2,chkpwd_exec_t,$1_chkpwd_t)
allow $1_chkpwd_t $2:fd use;
allow $1_chkpwd_t $2:fifo_file rw_file_perms;
allow $1_chkpwd_t $2:process sigchld;
domain_use_interactive_fds($1_chkpwd_t)
seutil_use_newrole_fds($1_chkpwd_t)
# Write to the user domain tty.
userdom_use_user_terminals($1,$1_chkpwd_t)
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `authlogin_per_role_template'($*)) dnl
')
########################################
##
## Run unix_chkpwd to check a password
## for a user domain.
##
##
##
## Run unix_chkpwd to check a password
## for a user domain.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain allowed access.
##
##
#
define(`auth_domtrans_user_chk_passwd',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `auth_domtrans_user_chk_passwd'($*)) dnl
# Targeted policy has no per-user checker domains: every caller
# transitions to the shared system_chkpwd_t.
ifdef(`targeted_policy',`
gen_require(`
type system_chkpwd_t, chkpwd_exec_t;
')
domain_auto_trans($2,chkpwd_exec_t,system_chkpwd_t)
allow $2 system_chkpwd_t:fd use;
allow system_chkpwd_t $2:fd use;
allow system_chkpwd_t $2:fifo_file rw_file_perms;
allow system_chkpwd_t $2:process sigchld;
',`
# Otherwise the caller transitions to the checker domain derived from
# the user prefix given as the first argument.
gen_require(`
type $1_chkpwd_t, chkpwd_exec_t;
')
# NOTE(review): this branch searches bin while auth_domtrans_chk_passwd
# searches sbin, and the targeted branch above searches neither -
# confirm which directory holds chkpwd_exec_t.
corecmd_search_bin($2)
domain_auto_trans($2,chkpwd_exec_t,$1_chkpwd_t)
allow $2 $1_chkpwd_t:fd use;
allow $1_chkpwd_t $2:fd use;
allow $1_chkpwd_t $2:fifo_file rw_file_perms;
allow $1_chkpwd_t $2:process sigchld;
')
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `auth_domtrans_user_chk_passwd'($*)) dnl
')
########################################
##
## Make the specified domain used for a login program.
##
##
##
## Domain type used for a login program domain.
##
##
#
define(`auth_login_pgm_domain',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `auth_login_pgm_domain'($*)) dnl
gen_require(`
attribute keyring_type;
type auth_cache_t;
')
# Login-program domain.  This confers a very large privilege set:
# exemption from the subject/role/object id-change constraints,
# reading and writing across MLS levels, context computation, and
# transitions to the password checker and updater.  Apply it only to
# genuine login programs.
domain_type($1)
domain_subj_id_change_exemption($1)
domain_role_change_exemption($1)
domain_obj_id_change_exemption($1)
role system_r types $1;
# May search and link any keyring type (session keyring setup).
auth_keyring_domain($1)
allow $1 keyring_type:key { search link };
# for SSP/ProPolice
dev_read_urand($1)
# for fingerprint readers
dev_rw_input_dev($1)
dev_rw_generic_usb_dev($1)
files_read_etc_files($1)
# Needed to validate and compute the user context before setexeccon.
selinux_get_fs_mount($1)
selinux_validate_context($1)
selinux_compute_access_vector($1)
selinux_compute_create_context($1)
selinux_compute_relabel_context($1)
selinux_compute_user_contexts($1)
# MLS overrides: the login program handles files and fds at any level.
mls_file_read_up($1)
mls_file_write_down($1)
mls_file_upgrade($1)
mls_file_downgrade($1)
mls_process_set_level($1)
mls_fd_share_all_levels($1)
auth_domtrans_chk_passwd($1)
auth_dontaudit_read_shadow($1)
auth_read_login_records($1)
auth_append_login_records($1)
auth_rw_lastlog($1)
auth_rw_faillog($1)
auth_exec_pam($1)
auth_domtrans_upd_passwd($1)
init_rw_utmp($1)
logging_send_syslog_msg($1)
logging_set_loginuid($1)
logging_send_audit_msgs($1)
seutil_read_config($1)
seutil_read_default_contexts($1)
userdom_set_rlimitnh($1)
optional_policy(`
mount_domtrans($1)
')
optional_policy(`
nis_authenticate($1)
')
optional_policy(`
unconfined_set_rlimitnh($1)
')
tunable_policy(`allow_polyinstantiation',`
files_polyinstantiate_all($1)
')
# Authentication cache: full management, and directories created
# under var by this domain become auth_cache_t.
allow $1 auth_cache_t:dir manage_dir_perms;
allow $1 auth_cache_t:file manage_file_perms;
allow $1 auth_cache_t:sock_file manage_sock_file_perms;
files_var_filetrans($1,auth_cache_t,dir)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `auth_login_pgm_domain'($*)) dnl
')
########################################
##
## Use the login program as an entry point program.
##
##
##
## The type of process using the login program as entry point.
##
##
#
define(`auth_login_entry_type',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `auth_login_entry_type'($*)) dnl
gen_require(`
type login_exec_t;
')
# Entry point only: no transition rule is added here, the caller
# must supply one (see auth_domtrans_login_program).
domain_entry_file($1,login_exec_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `auth_login_entry_type'($*)) dnl
')
########################################
##
## Execute a login_program in the target domain.
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the login_program process.
##
##
#
define(`auth_domtrans_login_program',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `auth_domtrans_login_program'($*)) dnl
gen_require(`
type login_exec_t;
')
corecmd_search_bin($1)
# Exec of login_exec_t by the first argument lands in the second; the
# new domain inherits the fds and pipes of its parent and may send it
# sigchld.
domain_auto_trans($1,login_exec_t,$2)
allow $2 $1:fd use;
allow $2 $1:fifo_file rw_file_perms;
allow $2 $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `auth_domtrans_login_program'($*)) dnl
')
########################################
##
## Execute a login_program in the target domain,
## with a range transition.
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the login_program process.
##
##
##
##
## Range of the login program.
##
##
#
define(`auth_ranged_domtrans_login_program',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `auth_ranged_domtrans_login_program'($*)) dnl
gen_require(`
type login_exec_t;
')
auth_domtrans_login_program($1,$2)
# The range transition is emitted when either MCS or MLS is enabled;
# if both are defined the identical rule appears twice.
ifdef(`enable_mcs',`
range_transition $1 login_exec_t:process $3;
')
ifdef(`enable_mls',`
range_transition $1 login_exec_t:process $3;
')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `auth_ranged_domtrans_login_program'($*)) dnl
')
########################################
##
## Run unix_chkpwd to check a password.
##
##
##
## Domain allowed access.
##
##
#
define(`auth_domtrans_chk_passwd',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `auth_domtrans_chk_passwd'($*)) dnl
gen_require(`
type system_chkpwd_t, chkpwd_exec_t, shadow_t;
type auth_cache_t;
')
# Transition into the system-wide password checker.  Note that most
# of this interface grants accesses to the CALLER (random devices,
# certs, faillog, nsswitch, DNS, LDAP and the optional blocks below)
# rather than to the checker; callers that only need the transition
# may prefer auth_domtrans_chkpwd.
logging_send_audit_msgs($1)
corecmd_search_sbin($1)
domain_auto_trans($1,chkpwd_exec_t,system_chkpwd_t)
allow system_chkpwd_t $1:fd use;
allow system_chkpwd_t $1:fifo_file rw_file_perms;
allow system_chkpwd_t $1:process sigchld;
allow $1 auth_cache_t:dir search_dir_perms;
# The caller itself must not read shadow_t; keep such attempts quiet.
dontaudit $1 shadow_t:file { getattr read };
dev_read_rand($1)
dev_read_urand($1)
miscfiles_read_certs($1)
auth_rw_faillog($1)
auth_use_nsswitch($1)
sysnet_dns_name_resolve($1)
sysnet_use_ldap($1)
optional_policy(`
kerberos_use($1)
kerberos_read_keytab($1)
kerberos_524_connect($1)
')
optional_policy(`
pcscd_read_pub_files($1)
pcscd_stream_connect($1)
')
optional_policy(`
nis_use_ypbind($1)
')
optional_policy(`
samba_stream_connect_winbind($1)
')
auth_domtrans_upd_passwd($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `auth_domtrans_chk_passwd'($*)) dnl
')
########################################
##
## Run unix_chkpwd to check a password.
##
##
##
## Domain allowed access.
##
##
#
define(`auth_domtrans_chkpwd',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `auth_domtrans_chkpwd'($*)) dnl
gen_require(`
type system_chkpwd_t, chkpwd_exec_t, shadow_t;
')
# Lean variant of auth_domtrans_chk_passwd: only the transition (via
# domtrans_pattern), the updpwd transition, and no audit of the
# caller probing shadow_t.  No network or device access is granted.
corecmd_search_sbin($1)
domtrans_pattern($1,chkpwd_exec_t,system_chkpwd_t)
dontaudit $1 shadow_t:file { getattr read };
auth_domtrans_upd_passwd($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `auth_domtrans_chkpwd'($*)) dnl
')
########################################
##
## Execute chkpwd programs in the chkpwd domain.
##
##
##
## Domain allowed access.
##
##
##
##
## The role to allow the chkpwd and updpwd domains.
##
##
##
##
## The type of the terminal the chkpwd and updpwd domains are allowed to use.
##
##
#
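define(`auth_run_chk_passwd',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `auth_run_chk_passwd'($*)) dnl
gen_require(`
type system_chkpwd_t;
')
# The require above must name the same type the role and terminal
# rules below use; the previous spelling (sysstem_chkpwd_t) required a
# type that does not exist and left system_chkpwd_t undeclared for
# loadable modules.
auth_domtrans_chk_passwd($1)
# Authorise the role for the checker domain and let it use the
# terminal type given as the third argument; the updpwd domain gets
# the same role and terminal.
role $2 types system_chkpwd_t;
allow system_chkpwd_t $3:chr_file rw_file_perms;
auth_run_upd_passwd($1, $2, $3)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `auth_run_chk_passwd'($*)) dnl
')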
########################################
##
## Get the attributes of the shadow passwords file.
##
##
##
## Domain allowed access.
##
##
#
define(`auth_getattr_shadow',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `auth_getattr_shadow'($*)) dnl
gen_require(`
type shadow_t;
')
# getattr only, no read: no shadow attribute is needed for this.
files_search_etc($1)
allow $1 shadow_t:file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `auth_getattr_shadow'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of the shadow passwords file.
##
##
##
## Domain to not audit.
##
##
#
define(`auth_dontaudit_getattr_shadow',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `auth_dontaudit_getattr_shadow'($*)) dnl
gen_require(`
type shadow_t;
')
# Suppress the audit record only; the access stays denied.
dontaudit $1 shadow_t:file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `auth_dontaudit_getattr_shadow'($*)) dnl
')
########################################
##
## Read the shadow passwords file (/etc/shadow)
##
##
##
## Domain allowed access.
##
##
#
# cjp: these next three interfaces are split
# since typeattribute does not work in conditionals
# yet, otherwise they should be one interface.
#
define(`auth_read_shadow',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `auth_read_shadow'($*)) dnl
# Unconditional shadow read: attribute (passes the shadow assertion)
# plus the access rules.  The two halves are separate interfaces
# because typeattribute cannot appear inside a conditional.
auth_can_read_shadow_passwords($1)
auth_tunable_read_shadow($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `auth_read_shadow'($*)) dnl
')
########################################
##
## Pass shadow assertion for reading.
##
##
##
## Pass shadow assertion for reading.
## This should only be used with
## auth_tunable_read_shadow(), and
## only exists because typeattribute
## does not work in conditionals.
##
##
##
##
## Domain allowed access.
##
##
#
define(`auth_can_read_shadow_passwords',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `auth_can_read_shadow_passwords'($*)) dnl
gen_require(`
attribute can_read_shadow_passwords;
')
# Attribute only - grants no access by itself.  Pair it with
# auth_tunable_read_shadow inside the conditional.
typeattribute $1 can_read_shadow_passwords;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `auth_can_read_shadow_passwords'($*)) dnl
')
########################################
##
## Read the shadow password file.
##
##
##
## Read the shadow password file. This
## should only be used in a conditional;
## it does not pass the reading shadow
## assertion.
##
##
##
##
## Domain allowed access.
##
##
#
define(`auth_tunable_read_shadow',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `auth_tunable_read_shadow'($*)) dnl
gen_require(`
type shadow_t;
')
# Access rules only; the shadow attribute is NOT added here, so a
# domain using this alone outside a conditional will trip the shadow
# assertion.  Use auth_read_shadow for the unconditional case.
files_list_etc($1)
allow $1 shadow_t:file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `auth_tunable_read_shadow'($*)) dnl
')
########################################
##
## Do not audit attempts to read the shadow
## password file (/etc/shadow).
##
##
##
## The type of the domain to not audit.
##
##
#
define(`auth_dontaudit_read_shadow',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `auth_dontaudit_read_shadow'($*)) dnl
gen_require(`
type shadow_t;
')
# Typical for programs that stat/open /etc/shadow before falling back
# to a helper; the denial is kept, only the audit noise is dropped.
dontaudit $1 shadow_t:file { getattr read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `auth_dontaudit_read_shadow'($*)) dnl
')
########################################
##
## Read and write the shadow password file (/etc/shadow).
##
##
##
## Domain allowed access.
##
##
#
define(`auth_rw_shadow',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `auth_rw_shadow'($*)) dnl
gen_require(`
attribute can_read_shadow_passwords, can_write_shadow_passwords;
type shadow_t;
')
# Read and write in place (no create/unlink); both shadow attributes
# are set so the domain passes the read and write assertions.
files_list_etc($1)
allow $1 shadow_t:file rw_file_perms;
typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `auth_rw_shadow'($*)) dnl
')
########################################
##
## Create, read, write, and delete the shadow
## password file.
##
##
##
## Domain allowed access.
##
##
#
define(`auth_manage_shadow',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `auth_manage_shadow'($*)) dnl
gen_require(`
attribute can_read_shadow_passwords, can_write_shadow_passwords;
type shadow_t;
')
# Full create/read/write/delete on shadow_t plus both shadow
# attributes.  NOTE(review): unlike auth_rw_shadow this does not call
# files_list_etc - confirm callers already have search on etc.
allow $1 shadow_t:file manage_file_perms;
typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `auth_manage_shadow'($*)) dnl
')
#######################################
##
## Automatic transition from etc to shadow.
##
##
##
## Domain allowed access.
##
##
#
define(`auth_etc_filetrans_shadow',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `auth_etc_filetrans_shadow'($*)) dnl
gen_require(`
type shadow_t;
')
# Files the domain creates in etc directories are labelled shadow_t.
# This only sets the label; the create permission itself comes from
# auth_manage_shadow or equivalent.
files_etc_filetrans($1,shadow_t,file)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `auth_etc_filetrans_shadow'($*)) dnl
')
#######################################
##
## Relabel to the shadow
## password file type.
##
##
##
## Domain allowed access.
##
##
#
define(`auth_relabelto_shadow',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `auth_relabelto_shadow'($*)) dnl
gen_require(`
attribute can_relabelto_shadow_passwords;
type shadow_t;
')
# One-way relabel (to shadow_t only); the attribute passes the
# corresponding relabel assertion.
files_search_etc($1)
allow $1 shadow_t:file relabelto;
typeattribute $1 can_relabelto_shadow_passwords;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `auth_relabelto_shadow'($*)) dnl
')
#######################################
##
## Relabel from and to the shadow
## password file type.
##
##
##
## Domain allowed access.
##
##
#
define(`auth_relabel_shadow',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `auth_relabel_shadow'($*)) dnl
gen_require(`
attribute can_relabelto_shadow_passwords;
type shadow_t;
')
# Both directions: the domain may strip the shadow_t label as well as
# apply it, so this is strictly more powerful than auth_relabelto_shadow.
files_search_etc($1)
allow $1 shadow_t:file { relabelfrom relabelto };
typeattribute $1 can_relabelto_shadow_passwords;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `auth_relabel_shadow'($*)) dnl
')
#######################################
##
## Append to the login failure log.
##
##
##
## Domain allowed access.
##
##
#
define(`auth_append_faillog',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `auth_append_faillog'($*)) dnl
gen_require(`
type faillog_t;
')
# Append-only: no read or write, so existing failure records cannot be
# inspected or altered through this interface.
logging_search_logs($1)
allow $1 faillog_t:file { getattr append };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `auth_append_faillog'($*)) dnl
')
########################################
##
## Read and write the login failure log.
##
##
##
## Domain allowed access.
##
##
#
define(`auth_rw_faillog',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `auth_rw_faillog'($*)) dnl
gen_require(`
type faillog_t;
')
# Read/write of the failure log (needed to reset counters); prefer
# auth_append_faillog for domains that only record failures.
logging_search_logs($1)
allow $1 faillog_t:file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `auth_rw_faillog'($*)) dnl
')
#######################################
##
## Read the last logins log.
##
##
##
## Domain allowed access.
##
##
##
#
define(`auth_read_lastlog',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `auth_read_lastlog'($*)) dnl
gen_require(`
type lastlog_t;
')
# getattr + read only.
logging_search_logs($1)
allow $1 lastlog_t:file { getattr read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `auth_read_lastlog'($*)) dnl
')
#######################################
##
## Append only to the last logins log.
##
##
##
## Domain allowed access.
##
##
#
define(`auth_append_lastlog',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `auth_append_lastlog'($*)) dnl
gen_require(`
type lastlog_t;
')
# Append with locking, but no read or write of existing records.
logging_search_logs($1)
allow $1 lastlog_t:file { getattr lock append };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `auth_append_lastlog'($*)) dnl
')
#######################################
##
## Read and write to the last logins log.
##
##
##
## Domain allowed access.
##
##
#
define(`auth_rw_lastlog',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `auth_rw_lastlog'($*)) dnl
gen_require(`
type lastlog_t;
')
# Explicit permission set rather than rw_file_perms: it adds setattr
# and deliberately omits append.
logging_search_logs($1)
allow $1 lastlog_t:file { getattr read write lock setattr };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `auth_rw_lastlog'($*)) dnl
')
########################################
##
## Execute pam programs in the pam domain.
##
##
##
## Domain allowed access.
##
##
#
define(`auth_domtrans_pam',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `auth_domtrans_pam'($*)) dnl
gen_require(`
type pam_t, pam_exec_t;
')
# Exec of pam_exec_t moves the caller into pam_t; pam_t may then use
# the fds and pipes of the caller and signal it on exit.
domain_auto_trans($1,pam_exec_t,pam_t)
allow pam_t $1:fd use;
allow pam_t $1:fifo_file rw_file_perms;
allow pam_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `auth_domtrans_pam'($*)) dnl
')
########################################
##
## Execute pam programs in the PAM domain.
##
##
##
## Domain allowed access.
##
##
##
##
## The role to allow the PAM domain.
##
##
##
##
## The type of the terminal the PAM domain is allowed to use.
##
##
#
define(`auth_run_pam',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `auth_run_pam'($*)) dnl
gen_require(`
type pam_t;
')
# auth_domtrans_pam plus role authorisation for pam_t and read/write
# on the terminal type given as the third argument.
auth_domtrans_pam($1)
role $2 types pam_t;
allow pam_t $3:chr_file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `auth_run_pam'($*)) dnl
')
########################################
##
## Execute the pam program.
##
##
##
## Domain allowed access.
##
##
#
define(`auth_exec_pam',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `auth_exec_pam'($*)) dnl
gen_require(`
type pam_exec_t;
')
# Execute without a domain transition: the program runs in the
# caller domain (contrast auth_domtrans_pam).
can_exec($1,pam_exec_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `auth_exec_pam'($*)) dnl
')
########################################
##
## Manage var auth files. Used by various other applications
## and pam applets etc.
##
##
##
## Domain allowed access.
##
##
#
define(`auth_manage_var_auth',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `auth_manage_var_auth'($*)) dnl
gen_require(`
type var_auth_t;
')
# NOTE(review): named manage, but only the directory gets
# manage_dir_perms; files and symlinks get rw_file_perms (no create or
# unlink) - confirm that is the intended scope.
files_search_var($1)
allow $1 var_auth_t:dir manage_dir_perms;
allow $1 var_auth_t:file rw_file_perms;
allow $1 var_auth_t:lnk_file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `auth_manage_var_auth'($*)) dnl
')
########################################
##
## Read PAM PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`auth_read_pam_pid',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `auth_read_pam_pid'($*)) dnl
gen_require(`
type pam_var_run_t;
')
# List the pid directory and read its files.
files_search_pids($1)
allow $1 pam_var_run_t:dir list_dir_perms;
allow $1 pam_var_run_t:file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `auth_read_pam_pid'($*)) dnl
')
#######################################
##
## Do not audit attempts to read PAM PID files.
##
##
##
## Domain to not audit.
##
##
#
define(`auth_dontaudit_read_pam_pid',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `auth_dontaudit_read_pam_pid'($*)) dnl
gen_require(`
type pam_var_run_t;
')
# Silence only; no directory search is granted or silenced here.
dontaudit $1 pam_var_run_t:file { getattr read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `auth_dontaudit_read_pam_pid'($*)) dnl
')
########################################
##
## Delete pam PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`auth_delete_pam_pid',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `auth_delete_pam_pid'($*)) dnl
gen_require(`
type pam_var_run_t;
')
# Directory permissions are spelled out: just enough to look up an
# entry and remove it.  Files may be stat-ed and unlinked, not read.
files_search_pids($1)
allow $1 pam_var_run_t:dir { getattr search read write remove_name };
allow $1 pam_var_run_t:file { getattr unlink };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `auth_delete_pam_pid'($*)) dnl
')
########################################
##
## Manage pam PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`auth_manage_pam_pid',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `auth_manage_pam_pid'($*)) dnl
gen_require(`
type pam_var_run_t;
')
# Full management of both the directory and its files.
files_search_pids($1)
allow $1 pam_var_run_t:dir manage_dir_perms;
allow $1 pam_var_run_t:file manage_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `auth_manage_pam_pid'($*)) dnl
')
########################################
##
## Execute pam_console with a domain transition.
##
##
##
## Domain allowed access.
##
##
#
define(`auth_domtrans_pam_console',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `auth_domtrans_pam_console'($*)) dnl
gen_require(`
type pam_console_t, pam_console_exec_t;
')
# Exec of pam_console_exec_t moves the caller into pam_console_t; the
# new domain may use the fds and pipes of the caller and signal it.
domain_auto_trans($1,pam_console_exec_t,pam_console_t)
allow pam_console_t $1:fd use;
allow pam_console_t $1:fifo_file rw_file_perms;
allow pam_console_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `auth_domtrans_pam_console'($*)) dnl
')
########################################
##
## Search the contents of the
## pam_console data directory.
##
##
##
## Domain allowed access.
##
##
#
define(`auth_search_pam_console_data',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `auth_search_pam_console_data'($*)) dnl
gen_require(`
type pam_var_console_t;
')
# Search only (no listing); reached via the pid directory, so the data
# directory presumably lives under it - confirm with the file contexts.
files_search_pids($1)
allow $1 pam_var_console_t:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `auth_search_pam_console_data'($*)) dnl
')
########################################
##
## List the contents of the pam_console
## data directory.
##
##
##
## Domain allowed access.
##
##
#
define(`auth_list_pam_console_data',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `auth_list_pam_console_data'($*)) dnl
gen_require(`
type pam_var_console_t;
')
# Directory listing only; file contents stay inaccessible.
files_search_pids($1)
allow $1 pam_var_console_t:dir list_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `auth_list_pam_console_data'($*)) dnl
')
########################################
##
## Read pam_console data files.
##
##
##
## Domain allowed access.
##
##
#
define(`auth_read_pam_console_data',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `auth_read_pam_console_data'($*)) dnl
gen_require(`
type pam_var_console_t;
')
# List the directory and read its files.
files_search_pids($1)
allow $1 pam_var_console_t:dir list_dir_perms;
allow $1 pam_var_console_t:file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `auth_read_pam_console_data'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## pam_console data files.
##
##
##
## Domain allowed access.
##
##
#
define(`auth_manage_pam_console_data',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `auth_manage_pam_console_data'($*)) dnl
gen_require(`
type pam_var_console_t;
')
# Files and symlinks are fully managed; the directory itself gets
# rw_dir_perms only, so it is not created or removed by this domain.
files_search_pids($1)
allow $1 pam_var_console_t:dir rw_dir_perms;
allow $1 pam_var_console_t:file manage_file_perms;
allow $1 pam_var_console_t:lnk_file create_lnk_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `auth_manage_pam_console_data'($*)) dnl
')
#######################################
##
## Delete pam_console data.
##
## Parameters:
##   1. domain - Domain allowed access.
##
## Grants removal of files from the pam_console data
## directory without read or write access to their contents.
##
#
define(`auth_delete_pam_console_data',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `auth_delete_pam_console_data'($*)) dnl
gen_require(`
type pam_var_console_t;
')
# path lookup: /var and the pid directory tree
files_search_var($1)
files_search_pids($1)
# rw_dir_perms is needed to remove directory entries
allow $1 pam_var_console_t:dir rw_dir_perms;
# unlink only: the caller cannot read or modify file contents
allow $1 pam_var_console_t:file unlink;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `auth_delete_pam_console_data'($*)) dnl
')
########################################
##
## Read all directories on the filesystem, except
## the shadow passwords and listed exceptions.
##
## Parameters:
##   1. domain     - The type of the domain performing this action.
##   2. exceptions - The types to be excluded. Each type or attribute
##                   must be negated by the caller (e.g. -foo_t).
##
## Only shadow_t is excluded automatically. Any other
## sensitive type must be listed in parameter 2 by the caller.
##
#
define(`auth_read_all_dirs_except_shadow',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `auth_read_all_dirs_except_shadow'($*)) dnl
gen_require(`
type shadow_t;
')
# shadow_t is appended to the exclusion set; $2 is passed through verbatim
files_read_all_dirs_except($1,$2 -shadow_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `auth_read_all_dirs_except_shadow'($*)) dnl
')
########################################
##
## Read all files on the filesystem, except
## the shadow passwords and listed exceptions.
##
## Parameters:
##   1. domain     - The type of the domain performing this action.
##   2. exceptions - The types to be excluded. Each type or attribute
##                   must be negated by the caller (e.g. -foo_t).
##
## Only shadow_t is excluded automatically. Any other
## secret-bearing file type must be listed in parameter 2
## by the caller; nothing else is filtered here.
##
#
define(`auth_read_all_files_except_shadow',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `auth_read_all_files_except_shadow'($*)) dnl
gen_require(`
type shadow_t;
')
# shadow_t is appended to the exclusion set so the caller is never granted
# shadow read and does not need the can_read_shadow_passwords attribute
files_read_all_files_except($1,$2 -shadow_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `auth_read_all_files_except_shadow'($*)) dnl
')
########################################
##
## Read all symbolic links on the filesystem, except
## the shadow passwords and listed exceptions.
##
## Parameters:
##   1. domain     - The type of the domain performing this action.
##   2. exceptions - The types to be excluded. Each type or attribute
##                   must be negated by the caller (e.g. -foo_t).
##
## Only shadow_t is excluded automatically; additional
## exclusions must be supplied in parameter 2.
##
#
define(`auth_read_all_symlinks_except_shadow',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `auth_read_all_symlinks_except_shadow'($*)) dnl
gen_require(`
type shadow_t;
')
# shadow_t is appended to the exclusion set; $2 is passed through verbatim
files_read_all_symlinks_except($1,$2 -shadow_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `auth_read_all_symlinks_except_shadow'($*)) dnl
')
########################################
##
## Relabel all files on the filesystem, except
## the shadow passwords and listed exceptions.
##
## Parameters:
##   1. domain     - The type of the domain performing this action.
##   2. exceptions - The types to be excluded. Each type or attribute
##                   must be negated by the caller (e.g. -foo_t).
##
## Relabeling is a powerful privilege: a domain that can relabel
## a file can move it into or out of any non-excluded type. Only
## shadow_t is excluded automatically.
##
#
define(`auth_relabel_all_files_except_shadow',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `auth_relabel_all_files_except_shadow'($*)) dnl
gen_require(`
type shadow_t;
')
# shadow_t is excluded so the caller can neither relabel files to nor from
# shadow_t and does not need the can_relabelto_shadow_passwords attribute
files_relabel_all_files($1,$2 -shadow_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `auth_relabel_all_files_except_shadow'($*)) dnl
')
########################################
##
## Read and write all files on the filesystem, except
## the shadow passwords and listed exceptions.
##
## Parameters:
##   1. domain     - The type of the domain performing this action.
##   2. exceptions - The types to be excluded. Each type or attribute
##                   must be negated by the caller (e.g. -foo_t).
##
## Only shadow_t is excluded automatically. Write access to
## everything else (including policy, binaries and configuration
## types) is granted unless the caller lists them in parameter 2.
##
#
define(`auth_rw_all_files_except_shadow',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `auth_rw_all_files_except_shadow'($*)) dnl
gen_require(`
type shadow_t;
')
# shadow_t is appended to the exclusion set; $2 is passed through verbatim
files_rw_all_files($1,$2 -shadow_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `auth_rw_all_files_except_shadow'($*)) dnl
')
########################################
##
## Manage all files on the filesystem, except
## the shadow passwords and listed exceptions.
##
## Parameters:
##   1. domain     - The type of the domain performing this action.
##   2. exceptions - The types to be excluded. Each type or attribute
##                   must be negated by the caller (e.g. -foo_t).
##
## Create, read, write and delete on every non-excluded file
## type. Only shadow_t is excluded automatically; this is close
## to unconfined file access and should be reserved for backup
## and administrative domains.
##
#
define(`auth_manage_all_files_except_shadow',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `auth_manage_all_files_except_shadow'($*)) dnl
gen_require(`
type shadow_t;
')
# shadow_t is appended to the exclusion set so shadow create/write is never
# granted and the can_write_shadow_passwords attribute is not needed
files_manage_all_files($1,$2 -shadow_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `auth_manage_all_files_except_shadow'($*)) dnl
')
########################################
##
## Execute utempter programs in the utempter domain.
##
## Parameters:
##   1. domain - Domain allowed access.
##
## Sets up the domain transition plus the minimal
## parent/child plumbing (inherited fds, pipes, SIGCHLD).
## No role authorization is added; see auth_run_utempter.
##
#
define(`auth_domtrans_utempter',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `auth_domtrans_utempter'($*)) dnl
gen_require(`
type utempter_t, utempter_exec_t;
')
# executing utempter_exec_t from $1 automatically transitions to utempter_t
domain_auto_trans($1,utempter_exec_t,utempter_t)
# the child may use fds and pipes inherited from the caller
allow utempter_t $1:fd use;
allow utempter_t $1:fifo_file rw_file_perms;
# let the child notify the parent on exit
allow utempter_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `auth_domtrans_utempter'($*)) dnl
')
########################################
##
## Execute utempter programs in the utempter domain,
## and allow the specified role the utempter domain.
##
## Parameters:
##   1. domain   - Domain allowed access.
##   2. role     - The role to allow the utempter domain.
##   3. terminal - The type of the terminal the utempter domain
##                 may read and write.
##
#
define(`auth_run_utempter',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `auth_run_utempter'($*)) dnl
gen_require(`
type utempter_t;
')
auth_domtrans_utempter($1)
# role authorization: without this the transition would fail under RBAC
role $2 types utempter_t;
# interactive use: the helper inherits the callers terminal
allow utempter_t $3:chr_file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `auth_run_utempter'($*)) dnl
')
#######################################
##
## Do not audit attempts to execute the utempter executable.
##
## Parameters:
##   1. domain - Domain to not audit.
##
## Silences the denial only; no execute access is granted.
##
#
define(`auth_dontaudit_exec_utempter',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `auth_dontaudit_exec_utempter'($*)) dnl
gen_require(`
type utempter_exec_t;
')
# covers both a domain-transitioning exec and an in-domain exec attempt
dontaudit $1 utempter_exec_t:file { execute execute_no_trans };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `auth_dontaudit_exec_utempter'($*)) dnl
')
########################################
##
## Set the attributes of login record files (wtmp).
##
## Parameters:
##   1. domain - Domain allowed access.
##
## Attribute changes only (mode, owner, timestamps);
## no read or write of the records themselves.
##
#
define(`auth_setattr_login_records',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `auth_setattr_login_records'($*)) dnl
gen_require(`
type wtmp_t;
')
allow $1 wtmp_t:file setattr;
# search on the log directory so the file is reachable by path
logging_search_logs($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `auth_setattr_login_records'($*)) dnl
')
########################################
##
## Read login records files (/var/log/wtmp).
##
## Parameters:
##   1. domain - Domain allowed access.
##
## Read-only; needed by tools such as last(1) that
## report login history.
##
#
define(`auth_read_login_records',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `auth_read_login_records'($*)) dnl
gen_require(`
type wtmp_t;
')
# search on the log directory so the file is reachable by path
logging_search_logs($1)
allow $1 wtmp_t:file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `auth_read_login_records'($*)) dnl
')
########################################
##
## Do not audit attempts to write to
## login records files (wtmp).
##
## Parameters:
##   1. domain - Domain to not audit.
##
## Silences the denial only; the write is still refused.
##
#
define(`auth_dontaudit_write_login_records',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `auth_dontaudit_write_login_records'($*)) dnl
gen_require(`
type wtmp_t;
')
dontaudit $1 wtmp_t:file write;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `auth_dontaudit_write_login_records'($*)) dnl
')
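#######################################
##
## Append to login records (wtmp).
##
## Parameters:
##   1. domain - Domain allowed access.
##
## Append-only access. Because write is not granted, the
## caller cannot rewrite or truncate existing history, which
## is the preferred grant for login programs that only add
## entries.
##
#
define(`auth_append_login_records',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `auth_append_login_records'($*)) dnl
gen_require(`
type wtmp_t;
')
# search on the log directory so the file is reachable by path, matching
# auth_read_login_records and auth_rw_login_records
logging_search_logs($1)
# append only: an open without O_APPEND needs write, which is not granted
allow $1 wtmp_t:file { getattr append lock };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `auth_append_login_records'($*)) dnl
')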
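#######################################
##
## Write to login records (wtmp).
##
## Parameters:
##   1. domain - Domain allowed access.
##
## Grants write and lock. Write allows existing history to be
## altered; prefer auth_append_login_records for programs that
## only add entries.
##
#
define(`auth_write_login_records',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `auth_write_login_records'($*)) dnl
gen_require(`
type wtmp_t;
')
# search on the log directory so the file is reachable by path, matching
# auth_read_login_records and auth_rw_login_records
logging_search_logs($1)
allow $1 wtmp_t:file { write lock };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `auth_write_login_records'($*)) dnl
')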
########################################
##
## Read and write login records (wtmp).
##
## Parameters:
##   1. domain - Domain allowed access.
##
## Full read/write; existing history can be altered.
## Use auth_append_login_records where append suffices.
##
#
define(`auth_rw_login_records',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `auth_rw_login_records'($*)) dnl
gen_require(`
type wtmp_t;
')
allow $1 wtmp_t:file rw_file_perms;
# search on the log directory so the file is reachable by path
logging_search_logs($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `auth_rw_login_records'($*)) dnl
')
########################################
##
## Create login records in the log directory
## using a type transition to wtmp_t.
##
## Parameters:
##   1. domain - Domain allowed access.
##
## Only the type_transition is set up here; the create
## permission itself must come from another interface
## (e.g. auth_manage_login_records).
##
#
define(`auth_log_filetrans_login_records',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `auth_log_filetrans_login_records'($*)) dnl
gen_require(`
type wtmp_t;
')
# files created by $1 in the log directory are labeled wtmp_t
logging_log_filetrans($1,wtmp_t,file)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `auth_log_filetrans_login_records'($*)) dnl
')
########################################
##
## Create, read, write, and delete login
## records files (wtmp).
##
## Parameters:
##   1. domain - Domain allowed access.
##
## Also grants read/write on the generic log directory so
## entries can be added and removed; this lets the caller
## delete login history, so restrict it to log-rotation and
## administrative domains.
##
#
define(`auth_manage_login_records',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `auth_manage_login_records'($*)) dnl
gen_require(`
type wtmp_t;
')
# directory entry add/remove is required for create and unlink below
logging_rw_generic_log_dirs($1)
allow $1 wtmp_t:file manage_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `auth_manage_login_records'($*)) dnl
')
########################################
##
## Use nsswitch to look up uid-username mappings.
##
## Parameters:
##   1. domain - Domain allowed access.
##
## Bundles everything a typical NSS/PAM client needs: local
## passwd/group files, DNS, LDAP, and optionally Kerberos, NIS,
## nscd, winbind and avahi. Note that this interface also grants
## manage (create/write/delete) on var_auth_t files, which is
## broader than a pure lookup; see the NOTE below.
##
#
define(`auth_use_nsswitch',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `auth_use_nsswitch'($*)) dnl
gen_require(`
type var_auth_t;
')
# read-only netlink route access, used by resolvers to enumerate interfaces
allow $1 self:netlink_route_socket r_netlink_socket_perms;
allow $1 var_auth_t:dir list_dir_perms;
# NOTE(review): manage_file_perms on var_auth_t is handed to every caller of
# this very widely used interface, so any nsswitch client can create, rewrite
# or delete authentication state files. Presumably needed by PAM modules that
# keep counters there; confirm and consider a narrower rw grant.
allow $1 var_auth_t:file manage_file_perms;
files_list_var_lib($1)
# /etc/passwd, /etc/group, nsswitch.conf and friends
files_read_etc_files($1)
# CA certificates for TLS-protected directory lookups
miscfiles_read_certs($1)
sysnet_dns_name_resolve($1)
sysnet_use_ldap($1)
# the remaining back ends are only wired in when their module is loaded
optional_policy(`
kerberos_use($1)
')
optional_policy(`
nis_use_ypbind($1)
')
optional_policy(`
nscd_socket_use($1)
')
optional_policy(`
samba_stream_connect_winbind($1)
')
optional_policy(`
avahi_stream_connect($1)
')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `auth_use_nsswitch'($*)) dnl
')
########################################
##
## Unconfined access to the authlogin module.
##
## Parameters:
##   1. domain - Domain allowed access.
##
## Currently this only adds the domain to the three shadow
## password attributes, which exempts it from the neverallow
## assertions protecting /etc/shadow. No allow rule is added:
## the domain still needs allow rules on shadow_t from elsewhere
## before it can actually read, write or relabel the file.
##
#
define(`auth_unconfined',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `auth_unconfined'($*)) dnl
gen_require(`
attribute can_read_shadow_passwords;
attribute can_write_shadow_passwords;
attribute can_relabelto_shadow_passwords;
')
# attribute membership only; these satisfy assertions, they grant nothing
typeattribute $1 can_read_shadow_passwords;
typeattribute $1 can_write_shadow_passwords;
typeattribute $1 can_relabelto_shadow_passwords;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `auth_unconfined'($*)) dnl
')
########################################
##
## Read login keyrings.
##
## Parameters:
##   1. domain - Domain allowed access.
##
## Grants read, search and view on every keyring_type key,
## i.e. the keyrings of all login domains, not just the
## callers own.
##
#
define(`auth_read_key',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `auth_read_key'($*)) dnl
gen_require(`
attribute keyring_type;
')
# read exposes key payloads; search/view only locate and describe keys
allow $1 keyring_type:key { read search view };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `auth_read_key'($*)) dnl
')
########################################
##
## Search and link login keyrings.
##
## Parameters:
##   1. domain - Domain allowed access.
##
## No read of key payloads is granted; the caller can locate
## keys and link them into its own keyrings.
##
#
define(`auth_search_key',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `auth_search_key'($*)) dnl
gen_require(`
attribute keyring_type;
')
allow $1 keyring_type:key { search link };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `auth_search_key'($*)) dnl
')
########################################
##
## Make the specified domain a keyring domain.
##
## Parameters:
##   1. domain - Domain type used for a login program domain.
##
## Keys owned by this domain become readable/searchable by
## any domain granted auth_read_key or auth_search_key.
##
#
define(`auth_keyring_domain',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `auth_keyring_domain'($*)) dnl
gen_require(`
attribute keyring_type;
')
typeattribute $1 keyring_type;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `auth_keyring_domain'($*)) dnl
')
########################################
##
## Execute a domain transition to run unix_update.
##
## Parameters:
##   1. domain - Domain allowed to transition.
##
## The caller never touches /etc/shadow itself; the password
## change is done by the updpwd_t helper. Denials from the
## caller probing shadow are silenced because PAM modules try
## a direct read before falling back to the helper.
##
#
define(`auth_domtrans_upd_passwd',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `auth_domtrans_upd_passwd'($*)) dnl
gen_require(`
type updpwd_t, updpwd_exec_t;
')
domain_auto_trans($1,updpwd_exec_t,updpwd_t)
# helper may use inherited fds/pipes and signal the parent on exit
allow updpwd_t $1:fd use;
allow updpwd_t $1:fifo_file rw_file_perms;
allow updpwd_t $1:process sigchld;
# dontaudit only: the caller is still denied direct shadow access
auth_dontaudit_read_shadow($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `auth_domtrans_upd_passwd'($*)) dnl
')
########################################
##
## Execute updpwd programs in the updpwd domain,
## and allow the specified role the updpwd domain.
##
## Parameters:
##   1. domain   - Domain allowed access.
##   2. role     - The role to allow the updpwd domain.
##   3. terminal - The type of the terminal the updpwd domain
##                 may read and write.
##
#
define(`auth_run_upd_passwd',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `auth_run_upd_passwd'($*)) dnl
gen_require(`
type updpwd_t;
')
auth_domtrans_upd_passwd($1)
# role authorization: without this the transition would fail under RBAC
role $2 types updpwd_t;
# interactive use: password prompts go to the callers terminal
allow updpwd_t $3:chr_file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `auth_run_upd_passwd'($*)) dnl
')
########################################
##
## Execute a domain transition to run unix_update in read-only
## (password check) mode.
##
## Parameters:
##   1. domain - Domain allowed to transition.
##
## Same executable as auth_domtrans_upd_passwd, but the caller
## lands in system_chkpwd_t, which is expected to verify rather
## than update passwords.
##
#
define(`auth_domtrans_upd_passwd_chk',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `auth_domtrans_upd_passwd_chk'($*)) dnl
gen_require(`
type system_chkpwd_t, updpwd_exec_t;
')
# note: updpwd_exec_t transitions to system_chkpwd_t here, not updpwd_t
domain_auto_trans($1,updpwd_exec_t,system_chkpwd_t)
# helper may use inherited fds/pipes and signal the parent on exit
allow system_chkpwd_t $1:fd use;
allow system_chkpwd_t $1:fifo_file rw_file_perms;
allow system_chkpwd_t $1:process sigchld;
# dontaudit only: the caller is still denied direct shadow access
auth_dontaudit_read_shadow($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `auth_domtrans_upd_passwd_chk'($*)) dnl
')
########################################
##
## Execute updpwd programs in the chkpwd domain,
## and allow the specified role the chkpwd domain.
##
## Parameters:
##   1. domain   - Domain allowed access.
##   2. role     - The role to allow the system_chkpwd domain.
##   3. terminal - The type of the terminal the system_chkpwd
##                 domain may read and write.
##
#
define(`auth_run_upd_passwd_chk',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `auth_run_upd_passwd_chk'($*)) dnl
gen_require(`
type system_chkpwd_t;
')
auth_domtrans_upd_passwd_chk($1)
# role authorization: without this the transition would fail under RBAC
role $2 types system_chkpwd_t;
# interactive use: password prompts go to the callers terminal
allow system_chkpwd_t $3:chr_file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `auth_run_upd_passwd_chk'($*)) dnl
')
########################################
##
## Read the authentication cache.
##
## Parameters:
##   1. domain - Domain allowed access.
##
## Read-only access to auth_cache_t files and the directories
## that contain them.
##
#
define(`auth_read_cache',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `auth_read_cache'($*)) dnl
gen_require(`
type auth_cache_t;
')
# read_files_pattern: search on the container dir plus read on the files
read_files_pattern($1, auth_cache_t, auth_cache_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `auth_read_cache'($*)) dnl
')
########################################
##
## Read and write the authentication cache.
##
## Parameters:
##   1. domain - Domain allowed access.
##
## Existing auth_cache_t files may be modified but not
## created or deleted; see auth_manage_cache for that.
##
#
define(`auth_rw_cache',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `auth_rw_cache'($*)) dnl
gen_require(`
type auth_cache_t;
')
rw_files_pattern($1, auth_cache_t, auth_cache_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `auth_rw_cache'($*)) dnl
')
########################################
##
## Manage the authentication cache.
##
## Parameters:
##   1. domain - Domain allowed access.
##
## Create, read, write and delete auth_cache_t files.
## Directories are not managed here; auth_filetrans_cache
## covers directory creation and labeling.
##
#
define(`auth_manage_cache',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `auth_manage_cache'($*)) dnl
gen_require(`
type auth_cache_t;
')
manage_files_pattern($1, auth_cache_t, auth_cache_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `auth_manage_cache'($*)) dnl
')
#######################################
##
## Create authentication cache files and directories in
## the var directory, automatically labeled auth_cache_t.
##
## Parameters:
##   1. domain - Domain allowed access.
##
## Despite the name this is more than a type transition: it
## also grants full manage access on auth_cache_t files and
## directories.
##
#
define(`auth_filetrans_cache',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `auth_filetrans_cache'($*)) dnl
gen_require(`
type auth_cache_t;
')
# manage access is needed so the newly created objects are usable
manage_files_pattern($1, auth_cache_t, auth_cache_t)
manage_dirs_pattern($1, auth_cache_t, auth_cache_t)
# files and dirs created by $1 directly in the var directory become auth_cache_t
files_var_filetrans($1,auth_cache_t,{ file dir } )
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `auth_filetrans_cache'($*)) dnl
')
## Policy for reading and setting the hardware clock.
########################################
##
## Execute hwclock in the clock domain.
##
## Parameters:
##   1. domain - The type of the process performing this action.
##
## Domain transition plus parent/child plumbing in both
## directions (the caller may also use hwclock_t fds).
## No role authorization; see clock_run.
##
#
define(`clock_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `clock_domtrans'($*)) dnl
gen_require(`
type hwclock_t, hwclock_exec_t;
')
domain_auto_trans($1,hwclock_exec_t,hwclock_t)
# fd use is granted in both directions, unlike the auth_* domtrans interfaces
allow $1 hwclock_t:fd use;
allow hwclock_t $1:fd use;
allow hwclock_t $1:fifo_file rw_file_perms;
allow hwclock_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `clock_domtrans'($*)) dnl
')
########################################
##
## Execute hwclock in the clock domain, and
## allow the specified role the hwclock domain.
##
## Parameters:
##   1. domain   - The type of the process performing this action.
##   2. role     - The role to be allowed the clock domain.
##   3. terminal - The type of the terminal the clock domain
##                 may use.
##
#
define(`clock_run',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `clock_run'($*)) dnl
gen_require(`
type hwclock_t;
')
clock_domtrans($1)
# role authorization: without this the transition would fail under RBAC
role $2 types hwclock_t;
# explicit perm set rather than rw_file_perms: no append or lock on the tty
allow hwclock_t $3:chr_file { getattr read write ioctl };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `clock_run'($*)) dnl
')
########################################
##
## Execute hwclock in the caller domain.
##
## Parameters:
##   1. domain - The type of the process performing this action.
##
## No domain transition: hwclock runs with the callers own
## privileges, so the caller must already be allowed whatever
## hwclock needs (e.g. rtc device access).
##
#
define(`clock_exec',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `clock_exec'($*)) dnl
gen_require(`
type hwclock_exec_t;
')
can_exec($1,hwclock_exec_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `clock_exec'($*)) dnl
')
########################################
##
## Do not audit attempts to write clock drift adjustments.
##
## Parameters:
##   1. domain - Domain to not audit.
##
## Silences the denial only; the write is still refused.
##
#
define(`clock_dontaudit_write_adjtime',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `clock_dontaudit_write_adjtime'($*)) dnl
gen_require(`
type adjtime_t;
')
dontaudit $1 adjtime_t:file write;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `clock_dontaudit_write_adjtime'($*)) dnl
')
########################################
##
## Read and write clock drift adjustments (adjtime).
##
## Parameters:
##   1. domain - Domain allowed access.
##
#
define(`clock_rw_adjtime',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `clock_rw_adjtime'($*)) dnl
gen_require(`
type adjtime_t;
')
allow $1 adjtime_t:file rw_file_perms;
# listing of /etc so the adjtime file is reachable by path
files_list_etc($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `clock_rw_adjtime'($*)) dnl
')
## Collection of tools for managing UNIX services
##
##
## Policy for DJB's daemontools
##
##
########################################
##
## An IPC channel between the supervised domain and svc_start_t.
##
## Parameters:
##   1. domain - Domain allowed access to svc_start_t.
##
## The supervised domain may use fds and pipes inherited from
## svc_start_t and report exit via SIGCHLD; svc_start_t may
## send ordinary signals to the supervised domain.
##
#
define(`daemontools_ipc_domain',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `daemontools_ipc_domain'($*)) dnl
gen_require(`
type svc_start_t;
')
allow $1 svc_start_t:process sigchld;
allow $1 svc_start_t:fd use;
# explicit perm set: read/write/getattr on the inherited pipe, no ioctl or lock
allow $1 svc_start_t:fifo_file { read write getattr };
# the supervisor side may signal the service (e.g. for svc -t / svc -d)
allow svc_start_t $1:process signal;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `daemontools_ipc_domain'($*)) dnl
')
########################################
##
## Define a specified domain as a supervised service.
##
## Parameters:
##   1. domain     - The service domain that svc_run_t transitions into.
##   2. entrypoint - The type of the service executable (the run script
##                   or program) that triggers the transition.
##
## Note the argument order: unlike the domtrans interfaces, the
## transitioning source here is svc_run_t and parameter 1 is the
## target domain.
##
#
define(`daemontools_service_domain',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `daemontools_service_domain'($*)) dnl
gen_require(`
type svc_run_t;
')
# svc_run_t executing $2 lands in $1
domain_auto_trans(svc_run_t, $2, $1)
daemontools_ipc_domain($1)
# the run supervisor may signal the service and the service may use its fds
allow svc_run_t $1:process signal;
allow $1 svc_run_t:fd use;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `daemontools_service_domain'($*)) dnl
')
########################################
##
## Execute in the svc_start_t domain.
##
## Parameters:
##   1. domain - Domain allowed access.
##
## Domain transition plus parent/child plumbing in both
## directions. No role authorization is added.
##
#
define(`daemontools_domtrans_start',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `daemontools_domtrans_start'($*)) dnl
gen_require(`
type svc_start_t, svc_start_exec_t;
')
domain_auto_trans($1, svc_start_exec_t, svc_start_t)
allow $1 svc_start_t:fd use;
allow svc_start_t $1:fd use;
allow svc_start_t $1:fifo_file rw_file_perms;
allow svc_start_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `daemontools_domtrans_start'($*)) dnl
')
########################################
##
## Execute in the svc_run_t domain.
##
## Parameters:
##   1. domain - Domain allowed access.
##
## Domain transition plus parent/child plumbing in both
## directions. No role authorization is added.
##
#
define(`daemontools_domtrans_run',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `daemontools_domtrans_run'($*)) dnl
gen_require(`
type svc_run_t, svc_run_exec_t;
')
domain_auto_trans($1, svc_run_exec_t, svc_run_t)
allow $1 svc_run_t:fd use;
allow svc_run_t $1:fd use;
allow svc_run_t $1:fifo_file rw_file_perms;
allow svc_run_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `daemontools_domtrans_run'($*)) dnl
')
########################################
##
## Execute in the svc_multilog_t domain.
##
## Parameters:
##   1. domain - Domain allowed access.
##
## Domain transition plus parent/child plumbing in both
## directions. No role authorization is added.
##
#
define(`daemontools_domtrans_multilog',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `daemontools_domtrans_multilog'($*)) dnl
gen_require(`
type svc_multilog_t, svc_multilog_exec_t;
')
domain_auto_trans($1, svc_multilog_exec_t, svc_multilog_t)
allow $1 svc_multilog_t:fd use;
allow svc_multilog_t $1:fd use;
allow svc_multilog_t $1:fifo_file rw_file_perms;
allow svc_multilog_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `daemontools_domtrans_multilog'($*)) dnl
')
########################################
##
## Allow a domain to read svc_svc_t files
## (the daemontools service directories).
##
## Parameters:
##   1. domain - Domain allowed access.
##
## Read-only on directories and regular files; symlinks and
## the supervise fifos are not covered.
##
#
define(`daemontools_read_svc',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `daemontools_read_svc'($*)) dnl
gen_require(`
type svc_svc_t;
')
allow $1 svc_svc_t:dir r_dir_perms;
allow $1 svc_svc_t:file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `daemontools_read_svc'($*)) dnl
')
########################################
##
## Allow a domain to create and manage svc_svc_t directories and files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`daemontools_manage_svc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `daemontools_manage_svc'($*)) dnl
gen_require(`
type svc_svc_t;
')
# Create/read/write/delete on service directories, their files and
# FIFOs, plus read and create on symlinks.
# NOTE(review): the service directories are presumably what the
# supervisor runs, so a domain with this access can likely define what
# gets supervised; keep it to trusted administrative domains.
allow $1 svc_svc_t:lnk_file { read create };
allow $1 svc_svc_t:file create_file_perms;
allow $1 svc_svc_t:fifo_file create_file_perms;
allow $1 svc_svc_t:dir create_dir_perms;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `daemontools_manage_svc'($*)) dnl
')
## Tools for filesystem management, such as mkfs and fsck.
########################################
##
## Execute fs tools in the fstools domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`fstools_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fstools_domtrans'($*)) dnl
gen_require(`
type fsadm_t, fsadm_exec_t;
')
# Let the caller locate fs tools under sbin and run them confined in
# fsadm_t; the tool reports back through inherited fds, pipes and SIGCHLD.
allow fsadm_t $1:fd use;
allow $1 fsadm_t:fd use;
allow fsadm_t $1:fifo_file rw_file_perms;
allow fsadm_t $1:process sigchld;
domain_auto_trans($1,fsadm_exec_t,fsadm_t)
corecmd_search_sbin($1)
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `fstools_domtrans'($*)) dnl
')
########################################
##
## Execute fs tools in the fstools domain, and
## allow the specified role the fs tools domain.
##
##
##
## The type of the process performing this action.
##
##
##
##
## The role to be allowed the fs tools domain.
##
##
##
##
## The type of the terminal the fs tools domain is allowed to use.
##
##
##
#
define(`fstools_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fstools_run'($*)) dnl
gen_require(`
type fsadm_t;
')
# fstools_domtrans for arg 1, plus: arg 2 is the role allowed to hold
# fsadm_t and arg 3 is the terminal type fsadm_t may read, write and
# ioctl (typically the terminal of the caller).
role $2 types fsadm_t;
allow fsadm_t $3:chr_file { getattr read write ioctl };
fstools_domtrans($1)
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `fstools_run'($*)) dnl
')
########################################
##
## Execute fsadm in the caller domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`fstools_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fstools_exec'($*)) dnl
gen_require(`
type fsadm_exec_t;
')
# Execute fsadm_exec_t without a transition: the tool keeps the caller
# domain and its privileges. Where confining the tool is wanted,
# fstools_domtrans is the interface to use instead.
can_exec($1,fsadm_exec_t)
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `fstools_exec'($*)) dnl
')
########################################
##
## Relabel a file to the type used by the
## filesystem tools programs.
##
##
##
## The type of the process performing this action.
##
##
#
define(`fstools_relabelto_entry_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fstools_relabelto_entry_files'($*)) dnl
gen_require(`
type fsadm_exec_t;
')
# Only relabelto on files: enough to give a file the fsadm_exec_t label,
# but no read, write or execute on such files.
allow $1 fsadm_exec_t:file relabelto;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `fstools_relabelto_entry_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete a file used by the
## filesystem tools programs.
##
##
##
## The type of the process performing this action.
##
##
#
define(`fstools_manage_entry_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fstools_manage_entry_files'($*)) dnl
gen_require(`
type fsadm_exec_t;
')
# Create/read/write/delete on fsadm_exec_t files. A domain with this can
# replace the fs tool binaries that other domains transition through, so
# it is effectively a path into fsadm_t; grant it narrowly.
allow $1 fsadm_exec_t:file create_file_perms;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `fstools_manage_entry_files'($*)) dnl
')
########################################
##
## Get the attributes of swap files.
##
##
##
## The type of the process performing this action.
##
##
#
define(`fstools_getattr_swap_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fstools_getattr_swap_files'($*)) dnl
gen_require(`
type swapfile_t;
')
# getattr only on swap files; neither read nor write is granted.
allow $1 swapfile_t:file getattr;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `fstools_getattr_swap_files'($*)) dnl
')
########################################
##
## Read fstools unnamed pipes.
##
##
##
## Domain allowed access.
##
##
#
define(`fstools_read_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fstools_read_pipes'($*)) dnl
gen_require(`
type fsdaemon_t;
')
# Read side only of unnamed pipes owned by fsdaemon_t.
allow $1 fsdaemon_t:fifo_file read_fifo_file_perms;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `fstools_read_pipes'($*)) dnl
')
## Policy for getty.
########################################
##
## Execute gettys in the getty domain.
##
##
##
## Domain allowed access.
##
##
#
define(`getty_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `getty_domtrans'($*)) dnl
gen_require(`
type getty_t, getty_exec_t;
')
# Let the caller find gettys under sbin and run them in getty_t; the
# usual fd, pipe and SIGCHLD sharing between parent and child applies.
allow getty_t $1:fd use;
allow $1 getty_t:fd use;
allow getty_t $1:fifo_file rw_file_perms;
allow getty_t $1:process sigchld;
domain_auto_trans($1,getty_exec_t,getty_t)
corecmd_search_sbin($1)
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `getty_domtrans'($*)) dnl
')
########################################
##
## Inherit and use getty file descriptors.
##
##
##
## Domain allowed access.
##
##
#
define(`getty_use_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `getty_use_fds'($*)) dnl
gen_require(`
type getty_t;
')
# Use of file descriptors inherited from getty_t, nothing more.
allow $1 getty_t:fd use;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `getty_use_fds'($*)) dnl
')
########################################
##
## Allow process to read getty log file.
##
##
##
## Domain allowed access.
##
##
##
#
define(`getty_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `getty_read_log'($*)) dnl
gen_require(`
type getty_log_t;
')
# Traverse the log directory tree and read (getattr, read) the getty log.
allow $1 getty_log_t:file { getattr read };
logging_search_logs($1)
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `getty_read_log'($*)) dnl
')
########################################
##
## Allow process to read getty config file.
##
##
##
## Domain allowed access.
##
##
##
#
define(`getty_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `getty_read_config'($*)) dnl
gen_require(`
type getty_etc_t;
')
# Search etc and read (getattr, read) the getty configuration file.
allow $1 getty_etc_t:file { getattr read };
files_search_etc($1)
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `getty_read_config'($*)) dnl
')
########################################
##
## Allow process to edit getty config file.
##
##
##
## Domain allowed access.
##
##
##
#
define(`getty_rw_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `getty_rw_config'($*)) dnl
gen_require(`
type getty_etc_t;
')
# Search etc and read/write the getty configuration file. Editing this
# config presumably changes what getty runs on the terminals, so this
# belongs to administrative domains only.
allow $1 getty_etc_t:file rw_file_perms;
files_search_etc($1)
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `getty_rw_config'($*)) dnl
')
## Policy for changing the system host name.
########################################
##
## Execute hostname in the hostname domain.
##
##
##
## Domain allowed access.
##
##
#
define(`hostname_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hostname_domtrans'($*)) dnl
gen_require(`
type hostname_t, hostname_exec_t;
')
# Let the caller find hostname under bin and run it in hostname_t, with
# fds, pipes and SIGCHLD shared between parent and child.
allow hostname_t $1:fd use;
allow $1 hostname_t:fd use;
allow hostname_t $1:fifo_file rw_file_perms;
allow hostname_t $1:process sigchld;
domain_auto_trans($1,hostname_exec_t,hostname_t)
corecmd_search_bin($1)
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `hostname_domtrans'($*)) dnl
')
########################################
##
## Execute hostname in the hostname domain, and
## allow the specified role the hostname domain.
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed the hostname domain.
##
##
##
##
## The type of the terminal the hostname domain is allowed to use.
##
##
#
define(`hostname_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hostname_run'($*)) dnl
gen_require(`
type hostname_t;
')
# hostname_domtrans for arg 1, plus: arg 2 is the role allowed to hold
# hostname_t and arg 3 the terminal type hostname_t may read, write and
# ioctl.
role $2 types hostname_t;
allow hostname_t $3:chr_file { getattr read write ioctl };
hostname_domtrans($1)
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `hostname_run'($*)) dnl
')
########################################
##
## Execute hostname in the caller domain.
##
##
##
## Domain allowed access.
##
##
##
#
define(`hostname_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hostname_exec'($*)) dnl
gen_require(`
type hostname_exec_t;
')
# Find hostname under bin and execute it in the caller domain, without
# any transition.
can_exec($1,hostname_exec_t)
corecmd_search_bin($1)
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `hostname_exec'($*)) dnl
')
##
## Policy for hotplug system, for supporting the
## connection and disconnection of devices at runtime.
##
########################################
##
## Execute hotplug with a domain transition.
##
##
##
## Domain allowed access.
##
##
#
define(`hotplug_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hotplug_domtrans'($*)) dnl
gen_require(`
type hotplug_t, hotplug_exec_t;
')
# Let the caller find hotplug under sbin and run it in hotplug_t, with
# fds, pipes and SIGCHLD shared between parent and child.
allow hotplug_t $1:fd use;
allow $1 hotplug_t:fd use;
allow hotplug_t $1:fifo_file rw_file_perms;
allow hotplug_t $1:process sigchld;
domain_auto_trans($1,hotplug_exec_t,hotplug_t)
corecmd_search_sbin($1)
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `hotplug_domtrans'($*)) dnl
')
########################################
##
## Execute hotplug in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
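define(`hotplug_exec',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `hotplug_exec'($*)) dnl
gen_require(`
type hotplug_exec_t;
')
# Execute hotplug in the caller domain (no transition). The require
# block names hotplug_exec_t, the type can_exec actually uses; the
# previous require of hotplug_t left hotplug_exec_t undeclared for
# module builds, while hotplug_t itself was never referenced here.
corecmd_search_sbin($1)
can_exec($1,hotplug_exec_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `hotplug_exec'($*)) dnl
')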
########################################
##
## Inherit and use hotplug file descriptors.
##
##
##
## Domain allowed access.
##
##
#
define(`hotplug_use_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hotplug_use_fds'($*)) dnl
gen_require(`
type hotplug_t;
')
# Use of file descriptors inherited from hotplug_t, nothing more.
allow $1 hotplug_t:fd use;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `hotplug_use_fds'($*)) dnl
')
########################################
##
## Do not audit attempts to inherit
## hotplug file descriptors.
##
##
##
## Domain to not audit.
##
##
#
define(`hotplug_dontaudit_use_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hotplug_dontaudit_use_fds'($*)) dnl
gen_require(`
type hotplug_t;
')
# Silences the denial only; the fd use is still refused.
dontaudit $1 hotplug_t:fd use;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `hotplug_dontaudit_use_fds'($*)) dnl
')
########################################
##
## Do not audit attempts to search the
## hotplug configuration directories.
##
##
##
## Domain to not audit.
##
##
#
define(`hotplug_dontaudit_search_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hotplug_dontaudit_search_config'($*)) dnl
gen_require(`
type hotplug_etc_t;
')
# Silences the denial only; searching the config directory is still
# refused.
dontaudit $1 hotplug_etc_t:dir search;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `hotplug_dontaudit_search_config'($*)) dnl
')
########################################
##
## Get the attributes of the hotplug configuration directory.
##
##
##
## Domain allowed access.
##
##
#
define(`hotplug_getattr_config_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hotplug_getattr_config_dirs'($*)) dnl
gen_require(`
type hotplug_etc_t;
')
# getattr only on the hotplug config directory; no search or listing.
allow $1 hotplug_etc_t:dir getattr;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `hotplug_getattr_config_dirs'($*)) dnl
')
########################################
##
## Search the hotplug configuration directory.
##
##
##
## Domain allowed access.
##
##
#
define(`hotplug_search_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hotplug_search_config'($*)) dnl
gen_require(`
type hotplug_etc_t;
')
# getattr and search on the config directory: enough to traverse into
# it, but not to list it or read the files inside.
allow $1 hotplug_etc_t:dir { getattr search };
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `hotplug_search_config'($*)) dnl
')
########################################
##
## Read the configuration files for hotplug.
##
##
##
## The type of the process performing this action.
##
##
##
#
define(`hotplug_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hotplug_read_config'($*)) dnl
gen_require(`
type hotplug_etc_t;
')
# Search etc, then read the hotplug configuration: files, directories
# and symlinks of type hotplug_etc_t, all read-only.
allow $1 hotplug_etc_t:lnk_file r_file_perms;
allow $1 hotplug_etc_t:dir r_dir_perms;
allow $1 hotplug_etc_t:file r_file_perms;
files_search_etc($1)
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `hotplug_read_config'($*)) dnl
')
########################################
##
## Search the hotplug PIDs.
##
##
##
## Domain allowed access.
##
##
#
define(`hotplug_search_pids',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hotplug_search_pids'($*)) dnl
gen_require(`
type hotplug_var_run_t;
')
# Search the pid directory tree down to the hotplug pid directory.
files_search_pids($1)
allow $1 hotplug_var_run_t:dir search_dir_perms;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `hotplug_search_pids'($*)) dnl
')
## System initialization programs (init and init scripts).
########################################
##
## Create a domain which can be started by init.
##
##
##
## Type to be used as a domain.
##
##
##
##
## Type of the program to be used as an entry point to this domain.
##
##
#
define(`init_domain',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_domain'($*)) dnl
gen_require(`
type init_t;
role system_r;
')
# Arg 1 becomes a domain in role system_r with arg 2 as its entry point;
# init_t transitions into it when executing arg 2. The new domain may
# use fds and pipes inherited from init and send init SIGCHLD.
domain_type($1)
domain_entry_file($1,$2)
role system_r types $1;
allow init_t $1:fd use;
allow $1 init_t:fd use;
allow $1 init_t:fifo_file rw_file_perms;
allow $1 init_t:process sigchld;
domain_auto_trans(init_t,$2,$1)
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `init_domain'($*)) dnl
')
########################################
##
## Create a domain which can be started by init,
## with a range transition.
##
##
##
## Type to be used as a domain.
##
##
##
##
## Type of the program to be used as an entry point to this domain.
##
##
##
##
## Range for the domain.
##
##
#
define(`init_ranged_domain',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_ranged_domain'($*)) dnl
gen_require(`
type init_t;
')
# init_domain plus a range_transition so that init_t enters the new
# domain at the range given as arg 3. The same rule is emitted whether
# enable_mcs or enable_mls is defined.
init_domain($1,$2)
ifdef(`enable_mcs',`
range_transition init_t $2:process $3;
')
ifdef(`enable_mls',`
range_transition init_t $2:process $3;
')
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `init_ranged_domain'($*)) dnl
')
########################################
##
## Create a domain for long running processes
## (daemons) which can be started by init scripts.
##
##
##
## Type to be used as a domain.
##
##
##
##
## Type of the program to be used as an entry point to this domain.
##
##
#
define(`init_daemon_domain',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `init_daemon_domain'($*)) dnl
gen_require(`
attribute direct_run_init, direct_init, direct_init_entry;
type initrc_t;
role system_r;
attribute daemon;
')
# Arg 1 is the new daemon domain, arg 2 its entry point type. The domain
# is tagged with the daemon attribute, placed in role system_r, and made
# reachable from initrc_t (and optionally direct_run_init) by executing
# the entry file.
typeattribute $1 daemon;
domain_type($1)
domain_entry_file($1,$2)
role system_r types $1;
# daemons started from init will
# inherit fds from init for the console
init_dontaudit_use_fds($1)
term_dontaudit_use_console($1)
# init script ptys are the stdin/out/err
# when using run_init
init_use_script_ptys($1)
ifdef(`direct_sysadm_daemon',`
# Direct start by direct_run_init (without run_init). The daemon keeps
# the environment, pending signals and rlimits of the starting process
# across the transition (noatsecure, siginh, rlimitinh), so that
# starting domain is trusted not to pass anything harmful down.
domain_auto_trans(direct_run_init,$2,$1)
allow direct_run_init $1:fd use;
allow direct_run_init $1:process { noatsecure siginh rlimitinh };
allow $1 direct_run_init:fd use;
allow $1 direct_run_init:fifo_file rw_file_perms;
allow $1 direct_run_init:process sigchld;
typeattribute $1 direct_init;
typeattribute $2 direct_init_entry;
')
ifdef(`hide_broken_symptoms',`
# RHEL4 systems seem to have a stray
# fds open from the initrd
ifdef(`distro_rhel4',`
kernel_dontaudit_use_fds($1)
')
')
ifdef(`targeted_policy',`
# this regex is a hack, since it assumes there is a
# _t at the end of the domain type. If there is no _t
# at the end of the type, it returns empty!
# A <domain>_disable_trans boolean is declared once per domain (the
# __define_ guard stops a second declaration). When the boolean is on,
# init scripts execute the entry file in their own domain instead of
# transitioning, i.e. the daemon runs unconfined by this domain.
ifdef(`__define_'regexp($1, `\(\w+\)_t', `\1_disable_trans'),`',`
bool regexp($1, `\(\w+\)_t', `\1_disable_trans') false;
define(`__define_'regexp($1, `\(\w+\)_t', `\1_disable_trans'))
')
if(regexp($1, `\(\w+\)_t', `\1_disable_trans') ) {
can_exec(initrc_t,$2)
can_exec(direct_run_init,$2)
} else {
domain_auto_trans(initrc_t,$2,$1)
allow initrc_t $1:fd use;
allow $1 initrc_t:fd use;
allow $1 initrc_t:fifo_file rw_file_perms;
allow $1 initrc_t:process sigchld;
# NOTE(review): this branch allows noatsecure/siginh/rlimitinh from
# initrc_t, whereas the non-targeted branch below only dontaudits them;
# confirm the difference is intended.
allow initrc_t $1:process { noatsecure siginh rlimitinh };
}
',`
domain_auto_trans(initrc_t,$2,$1)
allow initrc_t $1:fd use;
allow $1 initrc_t:fd use;
allow $1 initrc_t:fifo_file rw_file_perms;
allow $1 initrc_t:process sigchld;
dontaudit initrc_t $1:process { noatsecure siginh rlimitinh };
')
optional_policy(`
nscd_socket_use($1)
')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `init_daemon_domain'($*)) dnl
')
########################################
##
## Create a domain for long running processes
## (daemons) which can be started by init scripts.
##
##
##
## Type to be used as a domain.
##
##
##
##
## Type of the program to be used as an entry point to this domain.
##
##
##
##
## Range for the domain.
##
##
#
define(`init_ranged_daemon_domain',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_ranged_daemon_domain'($*)) dnl
gen_require(`
type initrc_t;
')
# init_daemon_domain plus a range_transition so that initrc_t enters the
# daemon domain at the range given as arg 3. The same rule is emitted
# whether enable_mcs or enable_mls is defined.
init_daemon_domain($1,$2)
ifdef(`enable_mcs',`
range_transition initrc_t $2:process $3;
')
ifdef(`enable_mls',`
range_transition initrc_t $2:process $3;
')
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `init_ranged_daemon_domain'($*)) dnl
')
########################################
##
## Create a domain for short running processes
## which can be started by init scripts.
##
##
##
## Type to be used as a domain.
##
##
##
##
## Type of the program to be used as an entry point to this domain.
##
##
#
define(`init_system_domain',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_system_domain'($*)) dnl
gen_require(`
type initrc_t;
role system_r;
attribute daemon;
')
# Arg 1 becomes a short-lived system_r domain tagged daemon, entered
# from initrc_t by executing arg 2; fds, pipes and SIGCHLD are shared
# with the init script.
domain_type($1)
domain_entry_file($1,$2)
typeattribute $1 daemon;
role system_r types $1;
allow $1 initrc_t:process sigchld;
allow $1 initrc_t:fifo_file rw_file_perms;
allow $1 initrc_t:fd use;
allow initrc_t $1:fd use;
domain_auto_trans(initrc_t,$2,$1)
userdom_dontaudit_search_sysadm_home_dirs($1)
ifdef(`hide_broken_symptoms',`
# RHEL4 systems seem to have a stray
# fds open from the initrd
ifdef(`distro_rhel4',`
kernel_dontaudit_use_fds($1)
')
')
optional_policy(`
cron_rw_pipes($1)
')
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `init_system_domain'($*)) dnl
')
########################################
##
## Create a domain for short running processes
## which can be started by init scripts.
##
##
##
## Type to be used as a domain.
##
##
##
##
## Type of the program to be used as an entry point to this domain.
##
##
##
##
## Range for the domain.
##
##
#
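define(`init_ranged_system_domain',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `init_ranged_system_domain'($*)) dnl
gen_require(`
type initrc_t;
')
# init_system_domain plus a range_transition so that initrc_t enters the
# new domain at the range given as arg 3. The object class is written
# explicitly as :process, matching init_ranged_domain and
# init_ranged_daemon_domain instead of relying on the implicit default.
init_system_domain($1,$2)
ifdef(`enable_mcs',`
range_transition initrc_t $2:process $3;
')
ifdef(`enable_mls',`
range_transition initrc_t $2:process $3;
')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `init_ranged_system_domain'($*)) dnl
')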
########################################
##
## Execute init (/sbin/init) with a domain transition.
##
##
##
## Domain allowed access.
##
##
#
define(`init_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_domtrans'($*)) dnl
gen_require(`
type init_t, init_exec_t;
')
# Transition the caller into init_t, the domain of /sbin/init itself,
# when it executes init_exec_t; only domains that genuinely need to
# re-execute init should be given this.
allow init_t $1:fd use;
allow $1 init_t:fd use;
allow init_t $1:fifo_file rw_file_perms;
allow init_t $1:process sigchld;
domain_auto_trans($1,init_exec_t,init_t)
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `init_domtrans'($*)) dnl
')
########################################
##
## Execute a file in a bin directory
## in the initrc_t domain.
##
##
##
## Domain allowed access.
##
##
#
define(`init_bin_domtrans_spec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_bin_domtrans_spec'($*)) dnl
gen_require(`
type initrc_t;
')
# Delegates to corecmd_bin_domtrans: executing a bin file moves the
# caller into initrc_t.
corecmd_bin_domtrans($1, initrc_t)
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `init_bin_domtrans_spec'($*)) dnl
')
########################################
##
## Execute the init program in the caller domain.
##
##
##
## Domain allowed access.
##
##
##
#
define(`init_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_exec'($*)) dnl
gen_require(`
type init_exec_t;
')
# Find init under sbin and execute it in the caller domain; no
# transition takes place.
can_exec($1,init_exec_t)
corecmd_search_sbin($1)
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `init_exec'($*)) dnl
')
########################################
##
## Get the process group of init.
##
##
##
## Domain allowed access.
##
##
#
define(`init_getpgid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_getpgid'($*)) dnl
gen_require(`
type init_t;
# cjp: remove this when init_t decl is moved back to this module
attribute direct_run_init;
')
# getpgid on init only; no signalling or other process access.
allow $1 init_t:process getpgid;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `init_getpgid'($*)) dnl
')
########################################
##
## Send init a null signal.
##
##
##
## Domain allowed access.
##
##
#
define(`init_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_signull'($*)) dnl
gen_require(`
type init_t;
# cjp: remove this when init_t decl is moved back to this module
attribute direct_run_init;
')
# Null signal (existence check) to init only; no other signal.
allow $1 init_t:process signull;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `init_signull'($*)) dnl
')
########################################
##
## Send init a SIGCHLD signal.
##
##
##
## Domain allowed access.
##
##
#
define(`init_sigchld',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_sigchld'($*)) dnl
gen_require(`
type init_t;
# cjp: remove this when init_t decl is moved back to this module
attribute direct_run_init;
')
# SIGCHLD to init only, as a child of init needs on exit.
allow $1 init_t:process sigchld;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `init_sigchld'($*)) dnl
')
########################################
##
## Inherit and use file descriptors from init.
##
##
##
## Domain allowed access.
##
##
#
define(`init_use_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_use_fds'($*)) dnl
gen_require(`
type init_t;
# cjp: remove this when init_t decl is moved back to this module
attribute direct_run_init;
')
# Use of file descriptors inherited from init_t, nothing more.
allow $1 init_t:fd use;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `init_use_fds'($*)) dnl
')
########################################
##
## Do not audit attempts to inherit file
## descriptors from init.
##
##
##
## Domain to not audit.
##
##
#
define(`init_dontaudit_use_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_dontaudit_use_fds'($*)) dnl
gen_require(`
type init_t;
# cjp: remove this when init_t decl is moved back to this module
attribute direct_run_init;
')
# Silences the denial only; use of init fds is still refused.
dontaudit $1 init_t:fd use;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `init_dontaudit_use_fds'($*)) dnl
')
########################################
##
## Send UDP network traffic to init. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`init_udp_send',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_udp_send'($*)) dnl
# Deprecated: emits a build-time warning and no policy rules at all.
refpolicywarn(`$0($*) has been deprecated.')
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `init_udp_send'($*)) dnl
')
########################################
##
## Get the attributes of initctl.
##
##
##
## Domain allowed access.
##
##
#
define(`init_getattr_initctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_getattr_initctl'($*)) dnl
gen_require(`
type initctl_t;
')
# getattr only on the initctl FIFO; no read or write.
allow $1 initctl_t:fifo_file getattr;
pushdef(`policy_call_depth',decr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,end `init_getattr_initctl'($*)) dnl
')
########################################
##
## Do not audit attempts to get the
## attributes of initctl.
##
##
##
## Domain to not audit.
##
##
#
define(`init_dontaudit_getattr_initctl',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `init_dontaudit_getattr_initctl'($*)) dnl
gen_require(`
type initctl_t;
')
# Silence getattr denials on the initctl FIFO for the caller domain.
# Grants nothing; it only keeps noisy stat() attempts out of the log.
dontaudit $1 initctl_t:fifo_file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `init_dontaudit_getattr_initctl'($*)) dnl
')
########################################
##
## Write to initctl.
##
##
##
## Domain allowed access.
##
##
#
define(`init_write_initctl',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `init_write_initctl'($*)) dnl
gen_require(`
type initctl_t;
')
# Allow the caller domain to write the initctl FIFO. initctl is the
# channel telinit uses to send requests to init (see init_telinit), so
# write access here is effectively control over the system run state;
# grant it only to domains trusted with that.
# dev_list_all_dev_nodes is presumably here so the caller can reach the
# FIFO under /dev; note it lists all device nodes, not just a search.
dev_list_all_dev_nodes($1)
allow $1 initctl_t:fifo_file write;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `init_write_initctl'($*)) dnl
')
########################################
##
## Use telinit (Read and write initctl).
##
##
##
## Domain allowed access.
##
##
##
#
define(`init_telinit',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `init_telinit'($*)) dnl
gen_require(`
type initctl_t;
')
# Full telinit support for the caller domain: read and write the
# initctl FIFO and execute the init binary in the caller domain
# (init_exec; telinit is typically the same program as init).
# Together this lets the caller change the system run state (halt,
# reboot, runlevel switch), so treat it as an administrative interface.
dev_list_all_dev_nodes($1)
allow $1 initctl_t:fifo_file rw_file_perms;
init_exec($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `init_telinit'($*)) dnl
')
########################################
##
## Read and write initctl.
##
##
##
## Domain allowed access.
##
##
#
define(`init_rw_initctl',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `init_rw_initctl'($*)) dnl
gen_require(`
type initctl_t;
')
# Read and write the initctl FIFO without executing init itself
# (compare init_telinit). Writing initctl sends requests to init, so
# this still amounts to run-state control and should be granted only
# to trusted domains.
dev_list_all_dev_nodes($1)
allow $1 initctl_t:fifo_file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `init_rw_initctl'($*)) dnl
')
########################################
##
## Do not audit attempts to read and
## write initctl.
##
##
##
## Domain to not audit.
##
##
#
define(`init_dontaudit_rw_initctl',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `init_dontaudit_rw_initctl'($*)) dnl
gen_require(`
type initctl_t;
')
# Keep read and write denials on the initctl FIFO out of the audit
# log for the caller domain. Nothing is granted; the two rules are
# listed separately for readability.
dontaudit $1 initctl_t:fifo_file read;
dontaudit $1 initctl_t:fifo_file write;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `init_dontaudit_rw_initctl'($*)) dnl
')
########################################
##
## Make init scripts an entry point for
## the specified domain.
##
##
##
## The domain for which init scripts are an entrypoint.
##
##
# cjp: added for gentoo integrated run_init
# cjp: added for gentoo integrated run_init
define(`init_script_file_entry_type',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `init_script_file_entry_type'($*)) dnl
gen_require(`
type initrc_exec_t;
')
# Make initrc_exec_t a domain entrypoint for the given domain, i.e.
# executing a file labelled initrc_exec_t may land in that domain.
# Presumably only the entrypoint is declared here; the caller still
# has to add the actual domain transition rule.
domain_entry_file($1,initrc_exec_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `init_script_file_entry_type'($*)) dnl
')
########################################
##
## Execute init scripts with a specified domain transition.
##
##
##
## Domain allowed access.
##
##
#
define(`init_spec_domtrans_script',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `init_spec_domtrans_script'($*)) dnl
gen_require(`
type initrc_t;
attribute initscript;
')
# Let the caller domain execute any initscript-labelled file and
# transition into initrc_t by explicitly requesting the context.
files_list_etc($1)
domain_trans($1,initscript,initrc_t)
# setexec allows the caller to set the context of its next exec; it
# is what makes the transition caller-specified rather than automatic.
# Be aware it is a self permission, so it applies to every exec the
# caller performs, not only to init scripts.
allow $1 self:process setexec;
# Give the new initrc_t process the usual parent-facing access.
allow initrc_t $1:process sigchld;
allow initrc_t $1:fifo_file rw_file_perms;
allow initrc_t $1:fd use;
# Init scripts run at the full range under MLS, at the low level under MCS.
ifdef(`enable_mls',`
range_transition $1 initscript:process s0 - mls_systemhigh;
')
ifdef(`enable_mcs',`
range_transition $1 initscript:process s0;
')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `init_spec_domtrans_script'($*)) dnl
')
########################################
##
## Execute init scripts with an automatic domain transition.
##
##
##
## Domain allowed access.
##
##
#
define(`init_domtrans_script',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `init_domtrans_script'($*)) dnl
gen_require(`
type initrc_t;
attribute initscript;
')
# Automatic transition: when the caller domain executes any
# initscript-labelled file, the new process runs as initrc_t.
files_list_etc($1)
domain_auto_trans($1,initscript,initrc_t)
# Parent-facing access for the spawned initrc_t process.
allow initrc_t $1:process sigchld;
allow initrc_t $1:fifo_file rw_file_perms;
allow initrc_t $1:fd use;
# Init scripts run at the full range under MLS, at the low level under MCS.
ifdef(`enable_mls',`
range_transition $1 initscript:process s0 - mls_systemhigh;
')
ifdef(`enable_mcs',`
range_transition $1 initscript:process s0;
')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `init_domtrans_script'($*)) dnl
')
########################################
##
## Execute an init script in a specified domain.
##
##
##
## Execute an init script in a specified domain.
##
##
## No interprocess communication (signals, pipes,
## etc.) is provided by this interface since
## the domains are not owned by this module.
##
##
##
##
## Domain to transition from.
##
##
##
##
## Domain to transition to.
##
##
# cjp: added for gentoo integrated run_init
# cjp: added for gentoo integrated run_init
define(`init_script_file_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `init_script_file_domtrans'($*)) dnl
gen_require(`
attribute initscript;
')
# Automatic transition from the first domain into the second whenever
# an initscript-labelled file is executed. The target domain is not
# required here, so the caller must own or require it. Unlike
# init_domtrans_script, no fd use, pipe or sigchld access back to the
# parent is granted; add that in the caller if the target needs it.
files_list_etc($1)
domain_auto_trans($1,initscript,$2)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `init_script_file_domtrans'($*)) dnl
')
########################################
##
## Start and stop daemon programs directly.
##
##
##
## Start and stop daemon programs directly
## in the traditional "/etc/init.d/daemon start"
## style, and do not require run_init.
##
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be performing this action.
##
##
##
##
## The type of the terminal of the user.
##
##
#
define(`init_run_daemon',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `init_run_daemon'($*)) dnl
gen_require(`
attribute direct_run_init, direct_init, direct_init_entry;
role system_r;
')
# Direct, run_init-free daemon control for an interactive user:
#  - the caller domain joins direct_run_init;
#  - when the given role executes a direct_init_entry file the role
#    switches to system_r;
#  - rw denials from direct_init on the user terminal are silenced
#    (dontaudit, not allowed), so daemons do not inherit the tty.
# NOTE(review): this bypasses whatever authentication run_init does.
# The role_transition is gated only by the ability to execute a
# direct_init_entry file, so grant this to administrative roles only.
typeattribute $1 direct_run_init;
role_transition $2 direct_init_entry system_r;
dontaudit direct_init $3:chr_file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `init_run_daemon'($*)) dnl
')
########################################
##
## Write an init script unnamed pipe.
##
##
##
## Domain allowed access.
##
##
#
define(`init_write_script_pipes',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `init_write_script_pipes'($*)) dnl
gen_require(`
type initrc_t;
')
# Write-only access to pipes owned by initrc_t (unnamed pipes are
# labelled with the creating domain). Typically needed by a child
# writing its output back to the init script that started it.
allow $1 initrc_t:fifo_file write;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `init_write_script_pipes'($*)) dnl
')
########################################
##
## Get the attribute of init script entrypoint files.
##
##
##
## Domain allowed access.
##
##
#
define(`init_getattr_script_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `init_getattr_script_files'($*)) dnl
gen_require(`
attribute initscript;
')
# Stat any file carrying the initscript attribute. Listing of etc is
# included so the caller can find the scripts; no read or execute.
files_list_etc($1)
allow $1 initscript:file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `init_getattr_script_files'($*)) dnl
')
########################################
##
## Execute init scripts in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`init_exec_script_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `init_exec_script_files'($*)) dnl
gen_require(`
attribute initscript;
')
# Execute initscript-labelled files with NO domain transition: the
# script runs with the caller privileges, not as initrc_t. Use one of
# the domtrans interfaces if the script is meant to start a service
# in its normal domain.
files_list_etc($1)
can_exec($1,initscript)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `init_exec_script_files'($*)) dnl
')
########################################
##
## Read the process state (/proc/pid) of the init scripts.
##
##
##
## Domain allowed access.
##
##
#
define(`init_read_script_state',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `init_read_script_state'($*)) dnl
gen_require(`
type initrc_t;
')
# Read the /proc/pid entries of init script processes: list the
# process directory, read its files and symlinks, and stat the process.
#FIXME: search proc dir
# The FIXME above still stands: search on the proc filesystem itself
# is not granted here, so callers may also need the proc search
# interface to reach /proc/pid at all.
allow $1 initrc_t:process getattr;
allow $1 initrc_t:dir r_dir_perms;
allow $1 initrc_t:file r_file_perms;
allow $1 initrc_t:lnk_file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `init_read_script_state'($*)) dnl
')
########################################
##
## Inherit and use init script file descriptors.
##
##
##
## Domain allowed access.
##
##
#
define(`init_use_script_fds',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `init_use_script_fds'($*)) dnl
gen_require(`
type initrc_t;
')
# Let the caller domain keep using file descriptors it inherited from
# an init script (initrc_t). Needed by almost every daemon started
# from an init script.
allow $1 initrc_t:fd use;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `init_use_script_fds'($*)) dnl
')
########################################
##
## Do not audit attempts to inherit
## init script file descriptors.
##
##
##
## Domain to not audit.
##
##
#
define(`init_dontaudit_use_script_fds',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `init_dontaudit_use_script_fds'($*)) dnl
gen_require(`
type initrc_t;
')
# Silence denials for using file descriptors inherited from initrc_t.
# Grants nothing; use init_use_script_fds when the access is needed.
dontaudit $1 initrc_t:fd use;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `init_dontaudit_use_script_fds'($*)) dnl
')
########################################
##
## Get the process group ID of init scripts.
##
##
##
## Domain allowed access.
##
##
#
define(`init_getpgid_script',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `init_getpgid_script'($*)) dnl
gen_require(`
type initrc_t;
')
# Query the process group id of init script processes (getpgid only).
allow $1 initrc_t:process getpgid;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `init_getpgid_script'($*)) dnl
')
########################################
##
## Send SIGCHLD signals to init scripts.
##
##
##
## Domain allowed access.
##
##
#
define(`init_sigchld_script',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `init_sigchld_script'($*)) dnl
gen_require(`
type initrc_t;
')
# Deliver SIGCHLD to init script processes, i.e. let a child spawned
# by an init script report its exit. Only sigchld, no other signals.
allow $1 initrc_t:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `init_sigchld_script'($*)) dnl
')
########################################
##
## Send generic signals to init scripts.
##
##
##
## Domain allowed access.
##
##
#
define(`init_signal_script',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `init_signal_script'($*)) dnl
gen_require(`
type initrc_t;
')
# Send generic signals to init script processes. This is the signal
# permission, which covers most signals but not kill, stop or sigchld;
# those are separate permissions and are not granted here.
allow $1 initrc_t:process signal;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `init_signal_script'($*)) dnl
')
########################################
##
## Send null signals to init scripts.
##
##
##
## Domain allowed access.
##
##
#
define(`init_signull_script',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `init_signull_script'($*)) dnl
gen_require(`
type initrc_t;
')
# Send signal 0 (existence check, kill -0) to init script processes.
# Reveals only whether the process exists; delivers no real signal.
allow $1 initrc_t:process signull;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `init_signull_script'($*)) dnl
')
########################################
##
## Read and write init script unnamed pipes.
##
##
##
## Domain allowed access.
##
##
#
define(`init_rw_script_pipes',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `init_rw_script_pipes'($*)) dnl
gen_require(`
type initrc_t;
')
# Read and write unnamed pipes created by init scripts (initrc_t).
# Only read and write: no open, getattr or ioctl, so this is for
# already-inherited pipe descriptors.
allow $1 initrc_t:fifo_file read;
allow $1 initrc_t:fifo_file write;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `init_rw_script_pipes'($*)) dnl
')
########################################
##
## Send UDP network traffic to init scripts. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`init_udp_send_script',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `init_udp_send_script'($*)) dnl
refpolicywarn(`$0($*) has been deprecated.')
# Deprecated: emits a build-time warning and generates no rules.
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `init_udp_send_script'($*)) dnl
')
########################################
##
## Allow the specified domain to connect to
## init scripts with a unix socket.
##
##
##
## Domain allowed access.
##
##
#
define(`init_stream_connect_script',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `init_stream_connect_script'($*)) dnl
gen_require(`
type initrc_t;
')
# Connect to unix stream sockets listened on by init scripts. Only the
# connectto permission: the caller also needs write on the socket file
# node, which is not granted here.
allow $1 initrc_t:unix_stream_socket connectto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `init_stream_connect_script'($*)) dnl
')
########################################
##
## Allow the specified domain to read and write
## init script unix domain stream sockets.
##
##
##
## Domain allowed access.
##
##
#
define(`init_rw_script_stream_sockets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `init_rw_script_stream_sockets'($*)) dnl
gen_require(`
type initrc_t;
')
# Read from and write to unix stream sockets owned by init scripts,
# typically ones inherited across exec. No connectto is included; see
# init_stream_connect_script for establishing new connections.
allow $1 initrc_t:unix_stream_socket read;
allow $1 initrc_t:unix_stream_socket write;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `init_rw_script_stream_sockets'($*)) dnl
')
########################################
##
## Do not audit the specified domain connecting to
## init scripts with a unix domain stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`init_dontaudit_stream_connect_script',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `init_dontaudit_stream_connect_script'($*)) dnl
gen_require(`
type initrc_t;
')
# Silence connectto denials against init script stream sockets.
# Grants nothing; use init_stream_connect_script for real access.
dontaudit $1 initrc_t:unix_stream_socket connectto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `init_dontaudit_stream_connect_script'($*)) dnl
')
########################################
##
## Send and receive messages from
## init scripts over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`init_dbus_chat_script',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `init_dbus_chat_script'($*)) dnl
gen_require(`
type initrc_t;
class dbus send_msg;
')
# Bidirectional dbus messaging between init scripts and the caller.
# Both directions are granted, so this is a chat, not a one-way send;
# the caller must already have dbus access of its own.
allow initrc_t $1:dbus send_msg;
allow $1 initrc_t:dbus send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `init_dbus_chat_script'($*)) dnl
')
########################################
##
## Read and write the init script pty.
##
##
##
## Read and write the init script pty. This
## pty is generally opened by the open_init_pty
## portion of the run_init program so that the
## daemon does not require direct access to
## the administrator terminal.
##
##
##
##
## Domain allowed access.
##
##
#
define(`init_use_script_ptys',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `init_use_script_ptys'($*)) dnl
gen_require(`
type initrc_devpts_t;
')
# Read, write, lock and append on the pty opened for init scripts
# (initrc_devpts_t), plus listing of the pts directory to find it.
# The point of this pty is that daemons talk to it instead of the
# administrator terminal, so granting this does not expose the
# admin tty to the daemon.
term_list_ptys($1)
allow $1 initrc_devpts_t:chr_file { rw_term_perms lock append };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `init_use_script_ptys'($*)) dnl
')
########################################
##
## Do not audit attempts to read and
## write the init script pty.
##
##
##
## Domain to not audit.
##
##
#
define(`init_dontaudit_use_script_ptys',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `init_dontaudit_use_script_ptys'($*)) dnl
gen_require(`
type initrc_devpts_t;
')
# Silence the same pty accesses that init_use_script_ptys would
# grant. Nothing is allowed; this only keeps the audit log quiet for
# daemons that probe their controlling terminal.
dontaudit $1 initrc_devpts_t:chr_file { rw_term_perms lock append };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `init_dontaudit_use_script_ptys'($*)) dnl
')
########################################
##
## Read init scripts.
##
##
##
## Domain allowed access.
##
##
#
define(`init_read_script_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `init_read_script_files'($*)) dnl
gen_require(`
attribute initscript;
')
# Read the contents of initscript-labelled files. Only search (not
# list) on etc is given, so the caller must already know the path.
# No execute permission is included.
files_search_etc($1)
allow $1 initscript:file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `init_read_script_files'($*)) dnl
')
########################################
##
## Get the attributes of init script
## status files.
##
##
##
## Domain allowed access.
##
##
#
define(`init_getattr_script_status_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `init_getattr_script_status_files'($*)) dnl
gen_require(`
type initrc_state_t;
')
# Stat init script status files: getattr on the files themselves and
# just enough directory access (search) to reach them. No read.
allow $1 initrc_state_t:file getattr;
allow $1 initrc_state_t:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `init_getattr_script_status_files'($*)) dnl
')
########################################
##
## Do not audit attempts to read init script
## status files.
##
##
##
## Domain to not audit.
##
##
#
define(`init_dontaudit_read_script_status_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `init_dontaudit_read_script_status_files'($*)) dnl
gen_require(`
type initrc_state_t;
')
# Keep attempts to read init script status files (and to search their
# directory) out of the audit log. Nothing is granted.
dontaudit $1 initrc_state_t:file read_file_perms;
dontaudit $1 initrc_state_t:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `init_dontaudit_read_script_status_files'($*)) dnl
')
########################################
##
## Read and write init script temporary data.
##
##
##
## Domain allowed access.
##
##
#
define(`init_rw_script_tmp_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `init_rw_script_tmp_files'($*)) dnl
gen_require(`
type initrc_tmp_t;
')
# Read and write existing init script temporary files (initrc_tmp_t),
# with search on tmp to reach them. No create or unlink.
files_search_tmp($1)
allow $1 initrc_tmp_t:file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `init_rw_script_tmp_files'($*)) dnl
')
########################################
##
## Create files in a init script
## temporary data directory.
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the object to be created
##
##
##
##
## The object class.
##
##
#
define(`init_script_tmp_filetrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `init_script_tmp_filetrans'($*)) dnl
gen_require(`
type initrc_tmp_t;
')
# Objects of the given class created by the caller inside an
# initrc_tmp_t directory get the given type (second argument).
# Only the directory access (rw_dir_perms) and the type_transition
# are provided; permissions on the new objects themselves (create,
# write, ...) must be granted by the caller on the target type.
files_search_tmp($1)
allow $1 initrc_tmp_t:dir rw_dir_perms;
type_transition $1 initrc_tmp_t:$3 $2;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `init_script_tmp_filetrans'($*)) dnl
')
########################################
##
## Get the attributes of utmp (initrc_var_run_t, the type shared by utmp and init script pid files).
##
##
##
## Domain allowed access.
##
##
#
define(`init_getattr_utmp',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `init_getattr_utmp'($*)) dnl
gen_require(`
type initrc_var_run_t;
')
# Stat initrc_var_run_t files (utmp and init script pid files share
# this type in this module). Unlike init_read_utmp, no directory
# access is granted, so the caller needs its own search on pids.
allow $1 initrc_var_run_t:file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `init_getattr_utmp'($*)) dnl
')
########################################
##
## Read utmp.
##
##
##
## Domain allowed access.
##
##
#
define(`init_read_utmp',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `init_read_utmp'($*)) dnl
gen_require(`
type initrc_var_run_t;
')
# Read utmp (initrc_var_run_t), listing the pid directory to get there.
# Note the type also covers init script pid files, so this is slightly
# broader than utmp alone.
files_list_pids($1)
allow $1 initrc_var_run_t:file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `init_read_utmp'($*)) dnl
')
########################################
##
## Do not audit attempts to write utmp.
##
##
##
## Domain to not audit.
##
##
#
define(`init_dontaudit_write_utmp',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `init_dontaudit_write_utmp'($*)) dnl
gen_require(`
type initrc_var_run_t;
')
# Silence write and lock denials on utmp for the caller domain.
# Grants nothing; use init_write_utmp when the write is legitimate.
dontaudit $1 initrc_var_run_t:file lock;
dontaudit $1 initrc_var_run_t:file write;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `init_dontaudit_write_utmp'($*)) dnl
')
########################################
##
## Write to utmp.
##
##
##
## Domain allowed access.
##
##
#
define(`init_write_utmp',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `init_write_utmp'($*)) dnl
gen_require(`
type initrc_var_run_t;
')
# Write (and stat) utmp. utmp records logins, so write access lets the
# caller alter the visible session history; keep it to login-related
# domains. No read and no lock are included.
files_list_pids($1)
allow $1 initrc_var_run_t:file write;
allow $1 initrc_var_run_t:file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `init_write_utmp'($*)) dnl
')
########################################
##
## Do not audit attempts to lock
## init script pid files.
##
##
##
## Domain allowed access.
##
##
#
define(`init_dontaudit_lock_utmp',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `init_dontaudit_lock_utmp'($*)) dnl
gen_require(`
type initrc_var_run_t;
')
# Silence lock denials on initrc_var_run_t files (utmp / init script
# pid files). Grants nothing.
dontaudit $1 initrc_var_run_t:file lock;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `init_dontaudit_lock_utmp'($*)) dnl
')
########################################
##
## Read and write utmp.
##
##
##
## Domain allowed access.
##
##
#
define(`init_rw_utmp',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `init_rw_utmp'($*)) dnl
gen_require(`
type initrc_var_run_t;
')
# Read and write utmp, with listing of the pid directory. The caller
# can rewrite login records, so this belongs to login/session domains.
# No create or unlink; see init_manage_utmp for that.
files_list_pids($1)
allow $1 initrc_var_run_t:file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `init_rw_utmp'($*)) dnl
')
########################################
##
## Do not audit attempts to read and write utmp.
##
##
##
## Domain to not audit.
##
##
#
define(`init_dontaudit_rw_utmp',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `init_dontaudit_rw_utmp'($*)) dnl
gen_require(`
type initrc_var_run_t;
')
# Silence the whole rw_file_perms set on utmp for the caller domain.
# Grants nothing, but note it also hides real write attempts, so do
# not use it on domains whose utmp writes you would want to see.
dontaudit $1 initrc_var_run_t:file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `init_dontaudit_rw_utmp'($*)) dnl
')
########################################
##
## Create, read, write, and delete utmp.
##
##
##
## Domain access allowed.
##
##
#
define(`init_manage_utmp',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `init_manage_utmp'($*)) dnl
gen_require(`
type initrc_var_run_t;
')
# Create, read, write and delete initrc_var_run_t files (utmp and, by
# shared type, init script pid files). Only search on the pid
# directory is given here, not list, unlike the read/write variants.
# Deleting or recreating utmp erases login history; restrict to the
# domains that genuinely own the file.
files_search_pids($1)
allow $1 initrc_var_run_t:file create_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `init_manage_utmp'($*)) dnl
')
########################################
##
## Create init scripts in the etc directory (and read them).
##
##
##
## Domain allowed access.
##
##
#
define(`init_create_script_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `init_create_script_files'($*)) dnl
gen_require(`
attribute initscript;
')
# Let the caller create files that carry the initscript attribute in
# the etc directory, and create/read them.
# SECURITY: initscript files are entrypoints into initrc_t (see
# init_script_file and init_domtrans_script), so a domain with this
# interface can author code that later runs as initrc_t. Treat it as
# equivalent to granting initrc_t itself.
# NOTE(review): the file transition below names the initscript
# attribute as the new type. type_transition normally needs a concrete
# type as its result, so this may be rejected by the policy compiler;
# confirm against files_etc_filetrans and checkpolicy before relying on it.
files_etc_filetrans($1, initscript, file)
allow $1 initscript:file create_file_perms;
allow $1 initscript:file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `init_create_script_files'($*)) dnl
')
########################################
##
## Read the process state (/proc/pid) of init.
##
##
##
## Domain allowed access.
##
##
#
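define(`init_read_init_state',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `init_read_init_state'($*)) dnl
gen_require(`
# init_t is declared as a type everywhere else in this module (see
# init_use_fds); requiring it as an attribute was inconsistent and
# would fail to resolve when this interface is used from a module.
type init_t;
')
# Read the /proc/pid state of init: search its process directory and
# read the files and symlinks inside. What /proc exposes about a
# process can include its memory map and environment, so limit this to
# monitoring and administrative domains.
allow $1 init_t:dir search_dir_perms;
allow $1 init_t:file r_file_perms;
allow $1 init_t:lnk_file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `init_read_init_state'($*)) dnl
')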
########################################
##
## Ptrace init
##
##
##
## Domain allowed access.
##
##
##
#
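define(`init_ptrace_init_domain',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `init_ptrace_init_domain'($*)) dnl
gen_require(`
# init_t is a type, not an attribute (see init_use_fds); the previous
# attribute require was inconsistent with the rest of this module.
type init_t;
')
# Allow the caller domain to ptrace init.
# SECURITY: tracing PID 1 means reading and altering the memory and
# registers of the process that owns the system, which is effectively
# full control of the host. Grant only to dedicated debugging domains
# and never to general-purpose user or service domains.
allow $1 init_t:process ptrace;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `init_ptrace_init_domain'($*)) dnl
')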
########################################
##
## Execute a specific init script with an automatic domain transition to initrc_t. The second parameter is the entrypoint file type of that script; it is not required by this interface, so the caller must declare or require it.
##
##
##
## Domain allowed access.
##
##
#
define(`init_script_domtrans_spec',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `init_script_domtrans_spec'($*)) dnl
gen_require(`
type initrc_t;
')
# Automatic transition into initrc_t when the caller executes a file of
# the entrypoint type given as second argument. That type is supplied by
# the caller and is not required here; the caller has to make sure it
# is a valid initrc_t entrypoint (see init_script_file).
files_list_etc($1)
domtrans_pattern($1,$2,initrc_t)
# Same range handling as the other init script transitions: full range
# under MLS, low level under MCS.
ifdef(`enable_mls',`
range_transition $1 $2:process s0 - mls_systemhigh;
')
ifdef(`enable_mcs',`
range_transition $1 $2:process s0;
')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `init_script_domtrans_spec'($*)) dnl
')
########################################
##
## Make the specified type usable for initscripts
## in a filesystem.
##
##
##
## Type to be used for files.
##
##
#
define(`init_script_file',` dnl
dnl Adds the initscript attribute to file type $1 and registers $1 with
dnl domain_entry_file for initrc_t. Any file carrying $1 can thereby be
dnl used to enter initrc_t, so label only genuine init scripts with it.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `init_script_file'($*)) dnl
gen_require(`
type initrc_t;
attribute initscript;
')
typeattribute $1 initscript;
domain_entry_file(initrc_t,$1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `init_script_file'($*)) dnl
')
## TCP/IP encryption
########################################
##
## Execute ipsec in the ipsec domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`ipsec_domtrans',` dnl
dnl Domain transition: $1 executing ipsec_exec_t enters ipsec_t.
dnl Compare ipsec_exec_mgmt, which runs the same binary without a transition.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ipsec_domtrans'($*)) dnl
gen_require(`
type ipsec_t, ipsec_exec_t;
')
domtrans_pattern($1,ipsec_exec_t,ipsec_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ipsec_domtrans'($*)) dnl
')
########################################
##
## Connect to IPSEC using a unix domain stream socket.
##
##
##
## The type of the process performing this action.
##
##
#
define(`ipsec_stream_connect',` dnl
dnl Lets $1 connect to the unix stream socket of ipsec_t whose socket file
dnl is labelled ipsec_var_run_t. files_search_pids supplies the directory
dnl search needed to reach that socket file.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ipsec_stream_connect'($*)) dnl
gen_require(`
type ipsec_t, ipsec_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1,ipsec_var_run_t,ipsec_var_run_t,ipsec_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ipsec_stream_connect'($*)) dnl
')
########################################
##
## Get the attributes of an IPSEC key socket.
##
##
##
## The type of the process performing this action.
##
##
#
define(`ipsec_getattr_key_sockets',` dnl
dnl getattr only on ipsec_t key sockets; no read, write or connect is granted.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ipsec_getattr_key_sockets'($*)) dnl
gen_require(`
type ipsec_t;
')
allow $1 ipsec_t:key_socket getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ipsec_getattr_key_sockets'($*)) dnl
')
########################################
##
## Execute the IPSEC management program in the caller domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`ipsec_exec_mgmt',` dnl
dnl can_exec runs ipsec_exec_t inside the calling domain $1, with no domain
dnl transition: the program inherits all of the privileges of $1.
dnl Prefer ipsec_domtrans when the program should be confined to ipsec_t.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ipsec_exec_mgmt'($*)) dnl
gen_require(`
type ipsec_exec_t;
')
can_exec($1,ipsec_exec_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ipsec_exec_mgmt'($*)) dnl
')
########################################
##
## Read the IPSEC configuration
##
##
##
## The type of the process performing this action.
##
##
##
#
define(`ipsec_read_config',` dnl
dnl Read-only access to ipsec_conf_file_t files; files_search_etc covers the
dnl parent directory search. Configuration may hold key material, so this is
dnl still a sensitive read grant.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ipsec_read_config'($*)) dnl
gen_require(`
type ipsec_conf_file_t;
')
files_search_etc($1)
allow $1 ipsec_conf_file_t:file read_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ipsec_read_config'($*)) dnl
')
########################################
##
## Match the default SPD entry.
##
##
##
## Domain allowed access.
##
##
#
define(`ipsec_match_default_spd',` dnl
dnl polmatch on the default SPD entry type, paired with sendto on the
dnl association of $1 itself. Only matching is granted here; setting the
dnl SPD context is a separate interface (ipsec_setcontext_default_spd).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ipsec_match_default_spd'($*)) dnl
gen_require(`
type ipsec_spd_t;
')
allow $1 ipsec_spd_t:association polmatch;
allow $1 self:association sendto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ipsec_match_default_spd'($*)) dnl
')
########################################
##
## Set the context of a SPD entry to
## the default context.
##
##
##
## Domain allowed access.
##
##
#
define(`ipsec_setcontext_default_spd',` dnl
dnl setcontext lets $1 assign the security context of the default SPD entry.
dnl This is a labelling privilege over the policy database, not a match or
dnl read right; confine it to the IPSEC management domains.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ipsec_setcontext_default_spd'($*)) dnl
gen_require(`
type ipsec_spd_t;
')
allow $1 ipsec_spd_t:association setcontext;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ipsec_setcontext_default_spd'($*)) dnl
')
########################################
##
## Write the ipsec_var_run_t (IPSEC pid) files.
##
##
##
## Domain allowed access.
##
##
#
define(`ipsec_write_pid',` dnl
dnl Write access (no create or unlink) to ipsec_var_run_t files; see
dnl ipsec_manage_pid for the full manage set. The spaced argument list of
dnl write_files_pattern differs from the unspaced style used elsewhere in
dnl this file; m4 tolerates it but it is worth normalising.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ipsec_write_pid'($*)) dnl
gen_require(`
type ipsec_var_run_t;
')
files_search_pids($1)
write_files_pattern($1, ipsec_var_run_t, ipsec_var_run_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ipsec_write_pid'($*)) dnl
')
########################################
##
## Create, read, write, and delete the IPSEC pid files.
##
##
##
## The type of the process performing this action.
##
##
#
define(`ipsec_manage_pid',` dnl
dnl Full create, read, write and delete on ipsec_var_run_t files. Where a
dnl caller only needs to write, ipsec_write_pid is the narrower grant.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ipsec_manage_pid'($*)) dnl
gen_require(`
type ipsec_var_run_t;
')
files_search_pids($1)
manage_files_pattern($1,ipsec_var_run_t,ipsec_var_run_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ipsec_manage_pid'($*)) dnl
')
########################################
##
## Execute racoon in the racoon domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`ipsec_domtrans_racoon',` dnl
dnl Domain transition: $1 executing racoon_exec_t enters racoon_t.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ipsec_domtrans_racoon'($*)) dnl
gen_require(`
type racoon_t, racoon_exec_t;
')
domtrans_pattern($1,racoon_exec_t,racoon_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ipsec_domtrans_racoon'($*)) dnl
')
########################################
##
## Execute setkey in the setkey domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`ipsec_domtrans_setkey',` dnl
dnl Domain transition: $1 executing setkey_exec_t enters setkey_t.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ipsec_domtrans_setkey'($*)) dnl
gen_require(`
type setkey_t, setkey_exec_t;
')
domtrans_pattern($1,setkey_exec_t,setkey_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ipsec_domtrans_setkey'($*)) dnl
')
########################################
##
## Execute setkey in the setkey domain, and allow the specified role the setkey domain.
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed the racoon and setkey domains.
##
##
##
##
## The type of the terminal the racoon and setkey domains are allowed to use.
##
##
##
#
define(`ipsec_run_setkey',` dnl
dnl $1 = caller domain, $2 = role granted setkey_t, $3 = terminal type that
dnl setkey_t may read and write. Only setkey_t is granted to $2 here; the
dnl racoon domain mentioned in the doc comment is not touched by this
dnl interface.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `ipsec_run_setkey'($*)) dnl
gen_require(`
type setkey_t;
')
ipsec_domtrans_setkey($1)
role $2 types setkey_t;
allow setkey_t $3:chr_file rw_term_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `ipsec_run_setkey'($*)) dnl
')
## Policy for iptables.
########################################
##
## Execute iptables in the iptables domain.
##
##
##
## Domain allowed access.
##
##
#
define(`iptables_domtrans',` dnl
dnl Transition from $1 into iptables_t via iptables_exec_t. This uses
dnl domain_auto_trans plus hand-written fd, fifo and sigchld rules rather
dnl than the domtrans_pattern used by ipsec_domtrans; the net effect is
dnl presumably equivalent, confirm before consolidating on one form.
dnl corecmd_search_sbin supplies the directory search to reach the binary.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `iptables_domtrans'($*)) dnl
gen_require(`
type iptables_t, iptables_exec_t;
')
corecmd_search_sbin($1)
domain_auto_trans($1,iptables_exec_t,iptables_t)
allow $1 iptables_t:fd use;
allow iptables_t $1:fd use;
allow iptables_t $1:fifo_file rw_file_perms;
allow iptables_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `iptables_domtrans'($*)) dnl
')
########################################
##
## Execute iptables in the iptables domain, and
## allow the specified role the iptables domain.
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed the iptables domain.
##
##
##
##
## The type of the terminal the iptables domain is allowed to use.
##
##
##
#
define(`iptables_run',` dnl
dnl $1 = caller domain, $2 = role granted iptables_t, $3 = terminal type
dnl that iptables_t may read and write. Builds on iptables_domtrans.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `iptables_run'($*)) dnl
gen_require(`
type iptables_t;
')
iptables_domtrans($1)
role $2 types iptables_t;
allow iptables_t $3:chr_file rw_term_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `iptables_run'($*)) dnl
')
########################################
##
## Execute iptables in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`iptables_exec',` dnl
dnl Runs iptables_exec_t in the calling domain $1 with no transition, so the
dnl program keeps every privilege of $1. Use iptables_domtrans to confine it.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `iptables_exec'($*)) dnl
gen_require(`
type iptables_exec_t;
')
corecmd_search_sbin($1)
can_exec($1,iptables_exec_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `iptables_exec'($*)) dnl
')
## Establish connections to iSCSI devices
########################################
##
## Execute a domain transition to run iscsid.
##
##
##
## Domain allowed to transition.
##
##
#
define(`iscsid_domtrans',` dnl
dnl Transition from $1 into iscsid_t via iscsid_exec_t using the older
dnl domain_auto_trans form. Unlike iptables_domtrans and
dnl libs_domtrans_ldconfig there is no reverse allow $1 iscsid_t:fd use rule
dnl here; confirm whether that omission is intentional.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `iscsid_domtrans'($*)) dnl
gen_require(`
type iscsid_t, iscsid_exec_t;
')
domain_auto_trans($1,iscsid_exec_t,iscsid_t)
allow iscsid_t $1:fd use;
allow iscsid_t $1:fifo_file rw_file_perms;
allow iscsid_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `iscsid_domtrans'($*)) dnl
')
## Policy for system libraries.
########################################
##
## Execute ldconfig in the ldconfig domain.
##
##
##
## Domain allowed access.
##
##
#
define(`libs_domtrans_ldconfig',` dnl
dnl Transition from $1 into ldconfig_t via ldconfig_exec_t, written in the
dnl domain_auto_trans plus explicit fd/fifo/sigchld form (same shape as
dnl iptables_domtrans). corecmd_search_sbin gives the directory search
dnl needed to reach the binary.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `libs_domtrans_ldconfig'($*)) dnl
gen_require(`
type ldconfig_t, ldconfig_exec_t;
')
corecmd_search_sbin($1)
domain_auto_trans($1,ldconfig_exec_t,ldconfig_t)
allow $1 ldconfig_t:fd use;
allow ldconfig_t $1:fd use;
allow ldconfig_t $1:fifo_file rw_file_perms;
allow ldconfig_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `libs_domtrans_ldconfig'($*)) dnl
')
########################################
##
## Execute ldconfig in the ldconfig domain, and
## allow the specified role the ldconfig domain.
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed the ldconfig domain.
##
##
##
##
## The type of the terminal the ldconfig domain is allowed to use.
##
##
##
#
define(`libs_run_ldconfig',` dnl
dnl $1 = caller domain, $2 = role granted ldconfig_t, $3 = terminal type
dnl that ldconfig_t may read and write. Builds on libs_domtrans_ldconfig.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `libs_run_ldconfig'($*)) dnl
gen_require(`
type ldconfig_t;
')
libs_domtrans_ldconfig($1)
role $2 types ldconfig_t;
allow ldconfig_t $3:chr_file rw_term_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `libs_run_ldconfig'($*)) dnl
')
########################################
##
## Use the dynamic link/loader for automatic loading
## of shared libraries.
##
##
##
## Domain allowed access.
##
##
#
define(`libs_use_ld_so',` dnl
dnl Baseline loader access for $1: read on lib_t dirs and symlinks, read
dnl and execute on the ld_so_t binary, read on the ld_so_cache_t cache.
dnl execmod is deliberately absent; libs_legacy_use_ld_so adds it.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `libs_use_ld_so'($*)) dnl
gen_require(`
type lib_t, ld_so_t, ld_so_cache_t;
')
files_list_etc($1)
allow $1 lib_t:dir r_dir_perms;
allow $1 lib_t:lnk_file r_file_perms;
allow $1 ld_so_t:lnk_file r_file_perms;
allow $1 ld_so_t:file rx_file_perms;
allow $1 ld_so_cache_t:file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `libs_use_ld_so'($*)) dnl
')
########################################
##
## Use the dynamic link/loader for automatic loading
## of shared libraries with legacy support.
##
##
##
## Domain allowed access.
##
##
#
define(`libs_legacy_use_ld_so',` dnl
dnl Extends libs_use_ld_so with execmod on ld_so_t and execute on
dnl ld_so_cache_t. execmod relaxes the restriction on executing a mapping
dnl that has been modified, so limit callers to domains that genuinely
dnl need the legacy loader behaviour.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `libs_legacy_use_ld_so'($*)) dnl
gen_require(`
type ld_so_t, ld_so_cache_t;
')
libs_use_ld_so($1)
allow $1 ld_so_t:file execmod;
allow $1 ld_so_cache_t:file execute;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `libs_legacy_use_ld_so'($*)) dnl
')
########################################
##
## Execute the dynamic link/loader in the caller's domain.
##
##
##
## Domain allowed access.
##
##
#
define(`libs_exec_ld_so',` dnl
dnl Execute the loader (ld_so_t) in the calling domain with no transition.
dnl The lib_t dir and symlink reads let $1 resolve the loader path.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `libs_exec_ld_so'($*)) dnl
gen_require(`
type lib_t, ld_so_t;
')
allow $1 lib_t:dir r_dir_perms;
allow $1 lib_t:lnk_file r_file_perms;
allow $1 ld_so_t:lnk_file r_file_perms;
can_exec($1,ld_so_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `libs_exec_ld_so'($*)) dnl
')
########################################
##
## Create, read, write, and delete the
## dynamic link/loader.
##
##
##
## Domain allowed access.
##
##
#
# cjp: added for prelink
define(`libs_manage_ld_so',` dnl
dnl Write, create and delete rights on the dynamic loader binary itself
dnl (ld_so_t), plus rw on lib_t dirs. A caller can replace code that every
dnl dynamically linked program runs; keep this to the prelink-style
dnl maintenance domains it was added for and audit new callers closely.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `libs_manage_ld_so'($*)) dnl
gen_require(`
type lib_t, ld_so_t;
')
allow $1 lib_t:dir rw_dir_perms;
allow $1 ld_so_t:file manage_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `libs_manage_ld_so'($*)) dnl
')
########################################
##
## Relabel to and from the type used for
## the dynamic link/loader.
##
##
##
## Domain allowed access.
##
##
#
# cjp: added for prelink
define(`libs_relabel_ld_so',` dnl
dnl relabelfrom and relabelto on ld_so_t files: $1 may move files into and
dnl out of the loader type. Search on lib_t dirs is included to reach them.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `libs_relabel_ld_so'($*)) dnl
gen_require(`
type lib_t, ld_so_t;
')
allow $1 lib_t:dir search_dir_perms;
allow $1 ld_so_t:file { relabelfrom relabelto };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `libs_relabel_ld_so'($*)) dnl
')
########################################
##
## Modify the dynamic link/loader's cached listing
## of shared libraries.
##
##
##
## Domain allowed access.
##
##
#
define(`libs_rw_ld_so_cache',` dnl
dnl Read and write on ld_so_cache_t. This cache is read by every domain
dnl using libs_use_ld_so, so write access here influences library lookup
dnl system-wide; normally only the ldconfig domain should need it.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `libs_rw_ld_so_cache'($*)) dnl
gen_require(`
type ld_so_cache_t;
')
files_list_etc($1)
allow $1 ld_so_cache_t:file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `libs_rw_ld_so_cache'($*)) dnl
')
########################################
##
## Search library directories.
##
##
##
## Domain allowed access.
##
##
#
define(`libs_search_lib',` dnl
dnl search only on lib_t directories; listing their contents is not granted.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `libs_search_lib'($*)) dnl
gen_require(`
type lib_t;
')
allow $1 lib_t:dir search;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `libs_search_lib'($*)) dnl
')
########################################
##
## Do not audit attempts to write to library directories.
##
##
##
## Do not audit attempts to write to library directories.
## Typically this is used to quiet attempts to recompile
## python byte code.
##
##
##
##
## Domain allowed access.
##
##
#
define(`libs_dontaudit_write_lib_dirs',` dnl
dnl dontaudit suppresses the audit record for denied write attempts on lib_t
dnl dirs by $1; it grants nothing. Be aware that such denials become
dnl invisible in the audit log, which can hide misbehaviour of $1.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `libs_dontaudit_write_lib_dirs'($*)) dnl
gen_require(`
type lib_t;
')
dontaudit $1 lib_t:dir write;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `libs_dontaudit_write_lib_dirs'($*)) dnl
')
########################################
##
## Create, read, write, and delete library directories.
##
##
##
## Domain allowed access.
##
##
#
define(`libs_manage_lib_dirs',` dnl
dnl Full directory management on lib_t (create, read, write, delete of the
dnl directories themselves). File contents are covered by the lib_files
dnl interfaces, not by this one.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `libs_manage_lib_dirs'($*)) dnl
gen_require(`
type lib_t;
')
allow $1 lib_t:dir manage_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `libs_manage_lib_dirs'($*)) dnl
')
########################################
##
## Read files in the library directories, such
## as static libraries.
##
##
##
## Domain allowed access.
##
##
#
define(`libs_read_lib_files',` dnl
dnl Read on lib_t files and symlinks, with dir read and a files_search_usr
dnl for the path. No execute is granted; see libs_use_lib_files for rx.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `libs_read_lib_files'($*)) dnl
gen_require(`
type lib_t;
')
files_search_usr($1)
allow $1 lib_t:dir r_dir_perms;
allow $1 lib_t:{ file lnk_file } r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `libs_read_lib_files'($*)) dnl
')
########################################
##
## Execute library scripts in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`libs_exec_lib_files',` dnl
dnl can_exec on lib_t files in the calling domain, no transition. Anything
dnl labelled lib_t becomes runnable by $1, so pair this with write
dnl restrictions on lib_t (libs_manage_lib_files) in the same policy.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `libs_exec_lib_files'($*)) dnl
gen_require(`
type lib_t;
')
files_search_usr($1)
allow $1 lib_t:dir r_dir_perms;
allow $1 lib_t:lnk_file r_file_perms;
can_exec($1,lib_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `libs_exec_lib_files'($*)) dnl
')
########################################
##
## Load and execute functions from generic
## lib files as shared libraries.
##
##
##
## Domain allowed access.
##
##
#
define(`libs_use_lib_files',` dnl
dnl Read and execute (rx_file_perms) on generic lib_t files so they can be
dnl mapped as shared libraries; no execmod is included.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `libs_use_lib_files'($*)) dnl
gen_require(`
type lib_t;
')
files_list_usr($1)
allow $1 lib_t:dir r_dir_perms;
allow $1 lib_t:lnk_file r_file_perms;
allow $1 lib_t:file rx_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `libs_use_lib_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete generic
## files in library directories.
##
##
##
## Domain allowed access.
##
##
#
# cjp: added for prelink
define(`libs_manage_lib_files',` dnl
dnl Full file management on lib_t plus rw on lib_t dirs. Since lib_t files
dnl are executable/loadable by many domains, this is effectively a code
dnl write privilege; it exists for prelink-style maintenance only.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `libs_manage_lib_files'($*)) dnl
gen_require(`
type lib_t;
')
allow $1 lib_t:dir rw_dir_perms;
allow $1 lib_t:file manage_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `libs_manage_lib_files'($*)) dnl
')
########################################
##
## Relabel files to the type used in library directories.
##
##
##
## Domain allowed access.
##
##
#
define(`libs_relabelto_lib_files',` dnl
dnl relabelto only: $1 may label files into lib_t but, lacking relabelfrom,
dnl cannot move existing lib_t files to another type.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `libs_relabelto_lib_files'($*)) dnl
gen_require(`
type lib_t;
')
allow $1 lib_t:dir search_dir_perms;
allow $1 lib_t:file relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `libs_relabelto_lib_files'($*)) dnl
')
########################################
##
## Relabel to and from the type used
## for generic lib files.
##
##
##
## Domain allowed access.
##
##
#
# cjp: added for prelink
define(`libs_relabel_lib_files',` dnl
dnl Both relabelfrom and relabelto on lib_t files; the wider counterpart of
dnl libs_relabelto_lib_files, added for prelink.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `libs_relabel_lib_files'($*)) dnl
gen_require(`
type lib_t;
')
allow $1 lib_t:dir search_dir_perms;
allow $1 lib_t:file { relabelfrom relabelto };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `libs_relabel_lib_files'($*)) dnl
')
########################################
##
## Delete generic symlinks in library directories.
##
##
##
## Domain allowed access.
##
##
#
# cjp: added for prelink
define(`libs_delete_lib_symlinks',` dnl
dnl unlink on lib_t symlinks. The directory permission set is written out
dnl explicitly instead of via a perms macro; write and remove_name are the
dnl parts unlink needs, getattr/search/read cover locating the entry.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `libs_delete_lib_symlinks'($*)) dnl
gen_require(`
type lib_t;
')
allow $1 lib_t:dir { getattr search read write remove_name };
allow $1 lib_t:lnk_file unlink;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `libs_delete_lib_symlinks'($*)) dnl
')
########################################
##
## Create, read, write, and delete shared libraries.
##
##
##
## Domain allowed access.
##
##
#
# cjp: added for prelink
define(`libs_manage_shared_libs',` dnl
dnl Full file management on shlib_t and textrel_shlib_t plus rw on lib_t
dnl dirs. Writing shared libraries is equivalent to injecting code into
dnl every domain that loads them; added for prelink, so audit any new
dnl caller with that in mind.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `libs_manage_shared_libs'($*)) dnl
gen_require(`
type lib_t, shlib_t, textrel_shlib_t;
')
allow $1 lib_t:dir rw_dir_perms;
allow $1 { shlib_t textrel_shlib_t }:file manage_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `libs_manage_shared_libs'($*)) dnl
')
########################################
##
## Load and execute functions from shared libraries.
##
##
##
## Domain allowed access.
##
##
#
define(`libs_use_shared_libs',` dnl
dnl Standard shared-library loading for $1: rx on shlib_t and
dnl textrel_shlib_t files, read on their symlinks and on lib_t dirs.
dnl execmod is granted only for textrel_shlib_t (libraries that need text
dnl relocations); plain shlib_t stays without it. libs_legacy_use_shared_libs
dnl widens execmod to both types.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `libs_use_shared_libs'($*)) dnl
gen_require(`
type lib_t, shlib_t, textrel_shlib_t;
')
files_list_usr($1)
allow $1 lib_t:dir r_dir_perms;
allow $1 lib_t:lnk_file r_file_perms;
allow $1 { shlib_t textrel_shlib_t }:lnk_file r_file_perms;
allow $1 { shlib_t textrel_shlib_t }:file rx_file_perms;
allow $1 textrel_shlib_t:file execmod;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `libs_use_shared_libs'($*)) dnl
')
########################################
##
## Load and execute functions from shared libraries,
## with legacy support.
##
##
##
## Domain allowed access.
##
##
#
define(`libs_legacy_use_shared_libs',` dnl
dnl libs_use_shared_libs plus execmod on every shlib_t file, not just
dnl textrel_shlib_t. execmod permits executing a mapping after it has been
dnl modified, weakening the write-xor-execute property; prefer relabelling
dnl the specific library to textrel_shlib_t over granting this broadly.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `libs_legacy_use_shared_libs'($*)) dnl
gen_require(`
type shlib_t, textrel_shlib_t;
')
libs_use_shared_libs($1)
allow $1 { shlib_t textrel_shlib_t }:file execmod;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `libs_legacy_use_shared_libs'($*)) dnl
')
########################################
##
## Relabel to and from the type used for
## shared libraries.
##
##
##
## Domain allowed access.
##
##
#
# cjp: added for prelink
define(`libs_relabel_shared_libs',` dnl
dnl relabelfrom and relabelto on shlib_t and textrel_shlib_t files, with
dnl search on lib_t dirs to reach them. Added for prelink.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `libs_relabel_shared_libs'($*)) dnl
gen_require(`
type lib_t, shlib_t, textrel_shlib_t;
')
allow $1 lib_t:dir search_dir_perms;
allow $1 { shlib_t textrel_shlib_t }:file { relabelfrom relabelto };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `libs_relabel_shared_libs'($*)) dnl
')
########################################
##
## Create an object in lib directories with the
## shared libraries type, using a type transition.
##
##
##
## Domain allowed access.
##
##
##
##
## The object class of the object being created.
##
##
#
define(`files_lib_filetrans_shared_lib',` dnl
dnl $1 = creating domain, $2 = object class of the new object.
dnl NOTE(review): shlib_t is used in the type_transition but is not listed in
dnl gen_require, and the container type is root_t although the doc comment
dnl speaks of lib directories. Both look unintended; confirm the intended
dnl container (lib_t?) and add shlib_t to gen_require before relying on this.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_lib_filetrans_shared_lib'($*)) dnl
gen_require(`
type root_t;
')
allow $1 root_t:dir rw_dir_perms;
type_transition $1 root_t:$2 shlib_t;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_lib_filetrans_shared_lib'($*)) dnl
')
## Policy for local logins.
########################################
##
## Execute local logins in the local login domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`locallogin_domtrans',` dnl
dnl Transition from $1 into local_login_t via auth_domtrans_login_program.
dnl Only the enable_mcs case adds a ranged transition (s0 - mcs_systemhigh);
dnl there is no enable_mls branch here, unlike init_script_domtrans_spec.
dnl Confirm whether MLS builds are expected to get one.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `locallogin_domtrans'($*)) dnl
gen_require(`
type local_login_t;
')
auth_domtrans_login_program($1,local_login_t)
ifdef(`enable_mcs',`
auth_ranged_domtrans_login_program($1,local_login_t,s0 - mcs_systemhigh)
')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `locallogin_domtrans'($*)) dnl
')
########################################
##
## Allow processes to inherit local login file descriptors.
##
##
##
## The type of the process performing this action.
##
##
#
define(`locallogin_use_fds',` dnl
dnl Lets $1 use file descriptors inherited from local_login_t (typically the
dnl login terminal descriptors passed to a session process).
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `locallogin_use_fds'($*)) dnl
gen_require(`
type local_login_t;
')
allow $1 local_login_t:fd use;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `locallogin_use_fds'($*)) dnl
')
########################################
##
## Do not audit attempts to inherit local login file descriptors.
##
##
##
## Domain to not audit.
##
##
#
define(`locallogin_dontaudit_use_fds',` dnl
dnl Silences audit records for denied fd use of local_login_t descriptors
dnl by $1; the access itself remains denied. Use only for known-benign
dnl noise, since it also hides genuine misuse attempts from the audit log.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `locallogin_dontaudit_use_fds'($*)) dnl
gen_require(`
type local_login_t;
')
dontaudit $1 local_login_t:fd use;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `locallogin_dontaudit_use_fds'($*)) dnl
')
########################################
##
## Send a null signal to local login processes.
##
##
##
## Domain allowed access.
##
##
#
define(`locallogin_signull',` dnl
dnl signull only: $1 may probe whether a local_login_t process exists
dnl (kill with signal 0) but cannot send any other signal to it.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `locallogin_signull'($*)) dnl
gen_require(`
type local_login_t;
')
allow $1 local_login_t:process signull;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `locallogin_signull'($*)) dnl
')
########################################
##
## Search for key.
##
##
##
## Domain allowed access.
##
##
#
define(`locallogin_search_key',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `locallogin_search_key'($*)) dnl
gen_require(`
type local_login_t;
')
# Look up keys in keyrings labelled local_login_t. Reading key payloads or
# linking keys are separate key permissions and are not granted here.
allow $1 local_login_t:key search;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `locallogin_search_key'($*)) dnl
')
########################################
##
## Allow link to the local_login key ring.
##
##
##
## Domain allowed access.
##
##
#
define(`locallogin_link_key',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `locallogin_link_key'($*)) dnl
gen_require(`
type local_login_t;
')
# Link keys labelled local_login_t into a keyring. Searching the keyring is
# a separate permission (see locallogin_search_key).
allow $1 local_login_t:key link;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `locallogin_link_key'($*)) dnl
')
## Policy for the kernel message logger and system logging daemon.
#######################################
##
## Make the specified type a file
## used for logs.
##
##
##
## Type of the file to be used as a log.
##
##
#
define(`logging_log_file',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `logging_log_file'($*)) dnl
gen_require(`
attribute logfile;
')
# Declare the type as an ordinary file type and tag it as a log file, so the
# logging_*_all_logs interfaces (which key on the logfile attribute) cover it.
files_type($1)
typeattribute $1 logfile;
# Files of this type may be placed on tmp and tmpfs filesystems.
files_associate_tmp($1)
fs_associate_tmpfs($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `logging_log_file'($*)) dnl
')
#######################################
##
## Send audit messages.
##
##
##
## Domain allowed access.
##
##
#
define(`logging_send_audit_msgs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `logging_send_audit_msgs'($*)) dnl
# Submitting user-space audit records needs CAP_AUDIT_WRITE plus the relay
# permission on the audit netlink socket. audit_control (rule and status
# changes) is deliberately not part of this interface.
allow $1 self:capability audit_write;
allow $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `logging_send_audit_msgs'($*)) dnl
')
#######################################
##
## dontaudit attempts to send audit messages.
##
##
##
## Domain allowed access.
##
##
#
define(`logging_dontaudit_send_audit_msgs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `logging_dontaudit_send_audit_msgs'($*)) dnl
# Mirror of logging_send_audit_msgs that only silences the denials; used for
# domains that try to emit audit records but must not be allowed to.
dontaudit $1 self:capability audit_write;
dontaudit $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `logging_dontaudit_send_audit_msgs'($*)) dnl
')
########################################
##
## Set login uid
##
##
##
## Domain allowed access.
##
##
#
define(`logging_set_loginuid',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `logging_set_loginuid'($*)) dnl
# Writing the login uid requires CAP_AUDIT_CONTROL. Be aware that the same
# capability also covers changing audit rules and the audit enabled state,
# so this grant is broader than the interface name suggests; reserve it for
# login-style programs.
allow $1 self:capability audit_control;
allow $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `logging_set_loginuid'($*)) dnl
')
########################################
##
## Set up audit
##
##
##
## Domain allowed access.
##
##
#
define(`logging_set_audit_parameters',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `logging_set_audit_parameters'($*)) dnl
# Full audit configuration access: both audit capabilities and the ability
# to create the audit netlink socket. A domain holding this can rewrite or
# disable auditing, so it belongs only to audit administration tooling.
allow $1 self:capability { audit_write audit_control };
allow $1 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `logging_set_audit_parameters'($*)) dnl
')
########################################
##
## Read the audit log.
##
##
##
## Domain allowed access.
##
##
##
#
define(`logging_read_audit_log',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `logging_read_audit_log'($*)) dnl
gen_require(`
type auditd_log_t;
')
# Reach the log directory under /var, list it, then read the files in it.
# Audit logs record security events for every domain on the host; keep this
# read grant to domains that genuinely inspect them.
files_search_var($1)
allow $1 auditd_log_t:dir list_dir_perms;
read_files_pattern($1, auditd_log_t, auditd_log_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `logging_read_audit_log'($*)) dnl
')
########################################
##
## Execute auditctl in the auditctl domain.
##
##
##
## Domain allowed access.
##
##
#
define(`logging_domtrans_auditctl',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `logging_domtrans_auditctl'($*)) dnl
gen_require(`
type auditctl_t, auditctl_exec_t;
')
# Executing an auditctl_exec_t file from the caller domain lands the process
# in auditctl_t. Only the transition is granted here; role access for the
# new domain is handled by logging_run_auditctl.
domtrans_pattern($1, auditctl_exec_t, auditctl_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `logging_domtrans_auditctl'($*)) dnl
')
########################################
##
## Execute auditctl in the auditctl domain, and
## allow the specified role the auditctl domain.
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed the auditctl domain.
##
##
##
##
## The type of the terminal the auditctl domain is allowed to use.
##
##
##
#
define(`logging_run_auditctl',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `logging_run_auditctl'($*)) dnl
gen_require(`
type auditctl_t;
')
# Make the auditctl domain usable from an interactive session: the role must
# be permitted auditctl_t, and the tool needs the session terminal for its
# input and output. The transition itself comes from logging_domtrans_auditctl.
role $2 types auditctl_t;
allow auditctl_t $3:chr_file rw_term_perms;
logging_domtrans_auditctl($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `logging_run_auditctl'($*)) dnl
')
########################################
##
## Execute auditd in the auditd domain.
##
##
##
## Domain allowed access.
##
##
#
define(`logging_domtrans_auditd',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `logging_domtrans_auditd'($*)) dnl
gen_require(`
type auditd_t, auditd_exec_t;
')
# Executing an auditd_exec_t file moves the caller into the auditd_t domain.
# Role access for auditd_t is granted separately by logging_run_auditd.
domtrans_pattern($1, auditd_exec_t, auditd_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `logging_domtrans_auditd'($*)) dnl
')
########################################
##
## Execute auditd in the auditd domain, and
## allow the specified role the auditd domain.
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed the auditd domain.
##
##
##
##
## The type of the terminal the auditd domain is allowed to use.
##
##
#
define(`logging_run_auditd',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `logging_run_auditd'($*)) dnl
gen_require(`
type auditd_t;
')
# Allow the role into auditd_t and give the daemon the session terminal, then
# grant the transition itself via logging_domtrans_auditd.
role $2 types auditd_t;
allow auditd_t $3:chr_file rw_term_perms;
logging_domtrans_auditd($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `logging_run_auditd'($*)) dnl
')
########################################
##
## Connect to auditd over a unix stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`logging_stream_connect_auditd',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `logging_stream_connect_auditd'($*)) dnl
# Deprecated compatibility alias: emits a build-time warning and delegates
# to logging_stream_connect_dispatcher. It adds no rules of its own.
refpolicywarn(`$0($*) has been deprecated, logging_stream_connect_dispatcher() should be used instead.')
logging_stream_connect_dispatcher($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `logging_stream_connect_auditd'($*)) dnl
')
########################################
##
## Execute a domain transition to run the audit dispatcher.
##
##
##
## Domain allowed to transition.
##
##
#
define(`logging_domtrans_dispatcher',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `logging_domtrans_dispatcher'($*)) dnl
gen_require(`
type audisp_t, audisp_exec_t;
')
# Executing an audisp_exec_t file from the caller domain transitions the
# process into the audit dispatcher domain audisp_t.
domtrans_pattern($1, audisp_exec_t, audisp_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `logging_domtrans_dispatcher'($*)) dnl
')
########################################
##
## Signal the audit dispatcher.
##
##
##
## Domain allowed access.
##
##
#
define(`logging_signal_dispatcher',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `logging_signal_dispatcher'($*)) dnl
gen_require(`
type audisp_t;
')
# process:signal covers ordinary signals (e.g. SIGTERM, SIGHUP); sigkill,
# sigstop and signull are distinct permissions and are not granted here.
allow $1 audisp_t:process signal;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `logging_signal_dispatcher'($*)) dnl
')
########################################
##
## Create a domain for processes
## which can be started by the system audit dispatcher
##
##
##
## Type to be used as a domain.
##
##
##
##
## Type of the program to be used as an entry point to this domain.
##
##
#
define(`logging_dispatcher_domain',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `logging_dispatcher_domain'($*)) dnl
gen_require(`
type audisp_t;
role system_r;
')
# Declare the plugin domain, its entry point file, and run it under system_r.
domain_type($1)
domain_entry_file($1, $2)
role system_r types $1;
# The dispatcher may inspect and execute the entry point, transition into
# the plugin domain, and fully control the resulting process with signals.
allow audisp_t $2:file getattr;
domtrans_pattern(audisp_t, $2, $1)
allow audisp_t $1:process { signal signull sigstop sigkill };
# The plugin exchanges events with the dispatcher over its stream socket.
allow $1 audisp_t:unix_stream_socket rw_socket_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `logging_dispatcher_domain'($*)) dnl
')
########################################
##
## Connect to the audit dispatcher over a unix stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`logging_stream_connect_dispatcher',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `logging_stream_connect_dispatcher'($*)) dnl
gen_require(`
type audisp_t, audisp_var_run_t;
')
# Reach the pid directory, then connect to the dispatcher socket file
# (audisp_var_run_t) owned by audisp_t. The caller can then feed events to
# the dispatcher, so treat it as a trusted audit producer.
files_search_pids($1)
stream_connect_pattern($1, audisp_var_run_t, audisp_var_run_t, audisp_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `logging_stream_connect_dispatcher'($*)) dnl
')
########################################
##
## Manage the auditd configuration files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`logging_manage_audit_config',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `logging_manage_audit_config'($*)) dnl
gen_require(`
type auditd_etc_t;
')
# Create, read, write and delete auditd configuration files (and modify the
# directory that holds them). Presumably these include the audit rules, so a
# domain with this access can change what gets audited; keep it to admin tools.
files_search_etc($1)
manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `logging_manage_audit_config'($*)) dnl
')
########################################
##
## Manage the audit log.
##
##
##
## Domain allowed access.
##
##
##
#
define(`logging_manage_audit_log',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `logging_manage_audit_log'($*)) dnl
gen_require(`
type auditd_log_t;
')
# Full management of the audit log directory tree and its files. This
# includes deleting and rewriting audit records, so it is normally reserved
# for auditd itself and audit administration.
files_search_var($1)
manage_files_pattern($1, auditd_log_t, auditd_log_t)
manage_dirs_pattern($1, auditd_log_t, auditd_log_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `logging_manage_audit_log'($*)) dnl
')
########################################
##
## Execute klogd in the klog domain.
##
##
##
## Domain allowed access.
##
##
#
define(`logging_domtrans_klog',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `logging_domtrans_klog'($*)) dnl
gen_require(`
type klogd_t, klogd_exec_t;
')
# Find the binary under the bin directories and transition into klogd_t
# when executing a klogd_exec_t file.
corecmd_search_bin($1)
domtrans_pattern($1, klogd_exec_t, klogd_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `logging_domtrans_klog'($*)) dnl
')
########################################
##
## Check if syslogd is executable.
##
##
##
## Domain allowed access.
##
##
#
define(`logging_check_exec_syslog',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `logging_check_exec_syslog'($*)) dnl
gen_require(`
type syslogd_exec_t;
')
# Locate the binary via the bin directories (including symlinks there).
corecmd_read_bin_symlinks($1)
corecmd_list_bin($1)
# file:execute on its own is enough for an executability check such as
# access(X_OK); actually running syslogd in the caller domain would also need
# execute_no_trans, and running it in syslogd_t needs logging_domtrans_syslog.
allow $1 syslogd_exec_t:file execute;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `logging_check_exec_syslog'($*)) dnl
')
########################################
##
## Execute syslogd in the syslog domain.
##
##
##
## Domain allowed access.
##
##
#
define(`logging_domtrans_syslog',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `logging_domtrans_syslog'($*)) dnl
gen_require(`
type syslogd_t, syslogd_exec_t;
')
# Find the binary under the bin directories and transition into syslogd_t
# when executing a syslogd_exec_t file.
corecmd_search_bin($1)
domtrans_pattern($1, syslogd_exec_t, syslogd_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `logging_domtrans_syslog'($*)) dnl
')
########################################
##
## Create an object in the log directory, with a private
## type using a type transition.
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the object to be created.
##
##
##
##
## The object class of the object being created.
##
##
#
define(`logging_log_filetrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `logging_log_filetrans'($*)) dnl
gen_require(`
type var_log_t;
')
# Objects of class $3 created by the caller in a var_log_t directory are
# labelled $2 instead of inheriting var_log_t. The caller still needs
# create permission on $2 for that class; this interface only adds the
# type_transition and the directory access needed to get there.
files_search_var($1)
filetrans_pattern($1, var_log_t, $2, $3)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `logging_log_filetrans'($*)) dnl
')
########################################
##
## Send system log messages.
##
##
##
## Domain allowed access.
##
##
#
define(`logging_send_syslog_msg',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `logging_send_syslog_msg'($*)) dnl
gen_require(`
type syslogd_t, devlog_t;
')
# The client creates its own unix socket of either kind ...
allow $1 self:unix_dgram_socket create_socket_perms;
allow $1 self:unix_stream_socket create_socket_perms;
# ... resolves the log socket path (which may be a symlink) and opens it ...
allow $1 devlog_t:lnk_file read;
allow $1 devlog_t:sock_file rw_file_perms;
# ... and talks to the daemon. The socket type depends on the syslog
# implementation, so both datagram and stream are permitted.
allow $1 syslogd_t:unix_dgram_socket sendto;
allow $1 syslogd_t:unix_stream_socket connectto;
# Console access for every syslog client is a broad grant; presumably it
# exists for the LOG_CONS fallback of syslog(3). The original author marked
# it for removal (cjp), and it should be reviewed.
term_use_console($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `logging_send_syslog_msg'($*)) dnl
')
########################################
##
## Read the auditd configuration files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`logging_read_audit_config',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `logging_read_audit_config'($*)) dnl
gen_require(`
type auditd_etc_t;
')
# Read-only view of the auditd configuration: reach it under /etc, list the
# directory and read the files. No write access is granted.
files_search_etc($1)
allow $1 auditd_etc_t:dir list_dir_perms;
read_files_pattern($1, auditd_etc_t, auditd_etc_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `logging_read_audit_config'($*)) dnl
')
########################################
##
## dontaudit search of auditd configuration files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`logging_dontaudit_search_audit_config',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `logging_dontaudit_search_audit_config'($*)) dnl
gen_require(`
type auditd_etc_t;
')
# Silence denials from domains that probe the auditd configuration directory
# without needing it; the search is still refused.
dontaudit $1 auditd_etc_t:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `logging_dontaudit_search_audit_config'($*)) dnl
')
########################################
##
## Read syslog configuration files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`logging_read_syslog_config',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `logging_read_syslog_config'($*)) dnl
gen_require(`
type syslog_conf_t;
')
# Read syslog configuration files. Unlike the audit config interfaces above,
# no search permission on the enclosing directory is granted here;
# NOTE(review): callers presumably obtain /etc search elsewhere - verify.
allow $1 syslog_conf_t:file read_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `logging_read_syslog_config'($*)) dnl
')
########################################
##
## Allows the domain to open a file in the
## log directory, but does not allow the listing
## of the contents of the log directory.
##
##
##
## Domain allowed access.
##
##
#
define(`logging_search_logs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `logging_search_logs'($*)) dnl
gen_require(`
type var_log_t;
')
# Traverse var_log_t directories by name only; listing their contents needs
# logging_list_logs. Access to the files themselves is granted separately.
files_search_var($1)
allow $1 var_log_t:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `logging_search_logs'($*)) dnl
')
#######################################
##
## Do not audit attempts to search the var log directory.
##
##
##
## Domain not to audit.
##
##
#
define(`logging_dontaudit_search_logs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `logging_dontaudit_search_logs'($*)) dnl
gen_require(`
type var_log_t;
')
# Silence denials for traversing the generic log directory; the access
# is still refused.
dontaudit $1 var_log_t:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `logging_dontaudit_search_logs'($*)) dnl
')
#######################################
##
## List the contents of the generic log directory (/var/log).
##
##
##
## Domain allowed access.
##
##
#
define(`logging_list_logs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `logging_list_logs'($*)) dnl
gen_require(`
type var_log_t;
')
# Directory listing of var_log_t (a superset of logging_search_logs). This
# reveals log file names but grants no access to their contents.
files_search_var($1)
allow $1 var_log_t:dir list_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `logging_list_logs'($*)) dnl
')
#######################################
##
## Read and write the generic log directory (/var/log).
##
##
##
## Domain allowed access.
##
##
#
define(`logging_rw_generic_log_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `logging_rw_generic_log_dirs'($*)) dnl
gen_require(`
type var_log_t;
')
# rw_dir_perms on var_log_t lets the caller add and remove directory entries,
# i.e. create, rename or unlink log entries whose file type it can also
# access. Directory-level only; it grants nothing on the files.
files_search_var($1)
allow $1 var_log_t:dir rw_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `logging_rw_generic_log_dirs'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of any log files.
##
##
##
## Domain allowed access.
##
##
#
define(`logging_dontaudit_getattr_all_logs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `logging_dontaudit_getattr_all_logs'($*)) dnl
gen_require(`
attribute logfile;
')
# Silence stat() denials on every type carrying the logfile attribute
# (typically from tools that walk /var/log); the access is still refused.
dontaudit $1 logfile:file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `logging_dontaudit_getattr_all_logs'($*)) dnl
')
########################################
##
## Append to all log files.
##
##
##
## Domain allowed access.
##
##
#
define(`logging_append_all_logs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `logging_append_all_logs'($*)) dnl
gen_require(`
attribute logfile;
type var_log_t;
')
# Append-only access to every logfile type reachable through var_log_t.
# Append (rather than write) is the least-privilege way to emit logs: the
# caller cannot truncate or rewrite existing records.
files_search_var($1)
append_files_pattern($1, var_log_t, logfile)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `logging_append_all_logs'($*)) dnl
')
########################################
##
## Read all log files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`logging_read_all_logs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `logging_read_all_logs'($*)) dnl
gen_require(`
attribute logfile;
')
# Read every file type tagged logfile, including listing logfile
# directories. Logs of all services may hold sensitive data, so this is a
# broad read grant intended for log analysis and admin domains.
files_search_var($1)
read_files_pattern($1, logfile, logfile)
allow $1 logfile:dir list_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `logging_read_all_logs'($*)) dnl
')
########################################
##
## Execute all log files in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
# cjp: not sure why this is needed. This was added
# because of logrotate.
define(`logging_exec_all_logs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `logging_exec_all_logs'($*)) dnl
gen_require(`
attribute logfile;
')
# can_exec grants execute on every logfile type in the caller domain: the
# contents of any log file become runnable code for the caller. The header
# comment records it was added for logrotate; callers should confirm they
# still need it rather than a narrower grant.
files_search_var($1)
allow $1 logfile:dir list_dir_perms;
can_exec($1, logfile)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `logging_exec_all_logs'($*)) dnl
')
########################################
##
## Read and write all log files.
##
##
##
## Domain allowed access.
##
##
#
define(`logging_rw_all_logs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `logging_rw_all_logs'($*)) dnl
gen_require(`
attribute logfile;
')
# Read and write (but not create or delete) every file type tagged logfile.
# Write access lets the caller alter existing records of any service; prefer
# logging_append_all_logs where appending is sufficient.
files_search_var($1)
rw_files_pattern($1, logfile, logfile)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `logging_rw_all_logs'($*)) dnl
')
########################################
##
## Create, read, write, and delete all log files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`logging_manage_all_logs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `logging_manage_all_logs'($*)) dnl
gen_require(`
attribute logfile;
')
# Full lifecycle access to every logfile type: create, read, write, delete,
# follow symlinks, and relabel between logfile types. The relabel rules mean
# the caller can move a file from one log type to another, so this belongs
# only to log management tooling (rotation) and administrators.
files_search_var($1)
read_lnk_files_pattern($1, logfile, logfile)
manage_files_pattern($1, logfile, logfile)
allow $1 logfile:file { relabelfrom relabelto };
allow $1 logfile:dir { relabelfrom relabelto };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `logging_manage_all_logs'($*)) dnl
')
########################################
##
## Read generic log files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`logging_read_generic_logs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `logging_read_generic_logs'($*)) dnl
gen_require(`
type var_log_t;
')
# Read files that carry the generic var_log_t type (not the per-service log
# types, which need logging_read_all_logs or a service interface).
files_search_var($1)
read_files_pattern($1, var_log_t, var_log_t)
allow $1 var_log_t:dir list_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `logging_read_generic_logs'($*)) dnl
')
########################################
##
## Write generic log files.
##
##
##
## Domain allowed access.
##
##
#
define(`logging_write_generic_logs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `logging_write_generic_logs'($*)) dnl
gen_require(`
type var_log_t;
')
# Write (without read) to files of the generic var_log_t type. Write, unlike
# append, permits overwriting existing log content.
files_search_var($1)
write_files_pattern($1, var_log_t, var_log_t)
allow $1 var_log_t:dir list_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `logging_write_generic_logs'($*)) dnl
')
########################################
##
## Do not audit attempts to write generic log files.
##
##
##
## Domain allowed access.
##
##
#
define(`logging_dontaudit_write_generic_logs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `logging_dontaudit_write_generic_logs'($*)) dnl
gen_require(`
type var_log_t;
')
# Silence write denials on generic var_log_t files; the write is still
# refused. Only the write permission is covered, not open or append.
dontaudit $1 var_log_t:file write;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `logging_dontaudit_write_generic_logs'($*)) dnl
')
########################################
##
## Read and write generic log files.
##
##
##
## Domain allowed access.
##
##
#
define(`logging_rw_generic_logs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `logging_rw_generic_logs'($*)) dnl
gen_require(`
type var_log_t;
')
# Read and write (no create/delete) files of the generic var_log_t type,
# plus listing of var_log_t directories.
files_search_var($1)
rw_files_pattern($1, var_log_t, var_log_t)
allow $1 var_log_t:dir list_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `logging_rw_generic_logs'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## generic log files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`logging_manage_generic_logs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `logging_manage_generic_logs'($*)) dnl
gen_require(`
type var_log_t;
')
# Create, read, write and delete generic var_log_t files (the pattern also
# grants read/write on the var_log_t directory needed to add and remove
# entries). Per-service log types are not covered.
files_search_var($1)
manage_files_pattern($1, var_log_t, var_log_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `logging_manage_generic_logs'($*)) dnl
')
########################################
##
## Execute syslog server in the syslogd domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`logging_syslog_script_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `logging_syslog_script_domtrans'($*)) dnl
gen_require(`
type syslogd_script_exec_t;
')
# Run the syslog init script through the init script domain transition, so
# the caller can start/stop the service without running it in its own domain.
init_script_domtrans_spec($1, syslogd_script_exec_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `logging_syslog_script_domtrans'($*)) dnl
')
########################################
##
## Execute audit server in the auditd domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`logging_audit_script_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `logging_audit_script_domtrans'($*)) dnl
gen_require(`
type auditd_script_exec_t;
')
# Run the auditd init script through the init script domain transition.
# Stopping the audit service is a security-relevant action; callers are
# expected to be admin domains (see logging_admin_audit).
init_script_domtrans_spec($1, auditd_script_exec_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `logging_audit_script_domtrans'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## the audit environment
##
##
##
## Domain allowed access.
##
##
##
##
## User role allowed access.
##
##
##
##
## User terminal type.
##
##
##
#
define(`logging_admin_audit',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `logging_admin_audit'($*)) dnl
gen_require(`
type auditd_t, auditd_etc_t, auditd_log_t;
type auditd_var_run_t;
type auditd_script_exec_t;
')
# Process control over the audit daemon. ptrace lets $1 inspect and
# alter auditd process state, so $1 must be a fully trusted admin domain.
allow $1 auditd_t:process { ptrace signal_perms };
ps_process_pattern($1, auditd_t)
# Full manage rights on the audit config, log and runtime file types.
manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t)
manage_files_pattern($1, auditd_log_t, auditd_log_t)
manage_dirs_pattern($1, auditd_log_t, auditd_log_t)
manage_files_pattern($1, auditd_var_run_t, auditd_var_run_t)
manage_dirs_pattern($1, auditd_var_run_t, auditd_var_run_t)
# auditctl from $1, in role $2, on terminal type $3.
logging_run_auditctl($1, $2, $3)
# Allow $1 to restart the audit service through its init script; the
# script runs in system_r, hence the role transition and role allow.
domain_system_change_exemption($1)
logging_audit_script_domtrans($1)
role_transition $2 auditd_script_exec_t system_r;
allow $2 system_r;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `logging_admin_audit'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## the syslog environment
##
##
##
## Domain allowed access.
##
##
##
#
define(`logging_admin_syslog',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `logging_admin_syslog'($*)) dnl
gen_require(`
type syslogd_t, klogd_t, syslog_conf_t;
type syslogd_tmp_t, syslogd_var_lib_t;
type syslogd_var_run_t, klogd_var_run_t;
type klogd_tmp_t, var_log_t;
type syslogd_script_exec_t;
')
# Parameters: $1 admin domain, $2 admin role (used by the role rules at
# the end). $3 is accepted so callers can pass the same triple as to
# logging_admin_audit, but nothing here uses it.
# Process control over both log daemons; ptrace is a strong permission,
# so $1 must be a fully trusted admin domain.
allow $1 syslogd_t:process { ptrace signal_perms };
allow $1 klogd_t:process { ptrace signal_perms };
ps_process_pattern($1, syslogd_t)
ps_process_pattern($1, klogd_t)
# Full manage rights on every klogd and syslogd file type.
manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t)
manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t)
manage_files_pattern($1, klogd_tmp_t, klogd_tmp_t)
manage_dirs_pattern($1, klogd_tmp_t, klogd_tmp_t)
manage_files_pattern($1, syslogd_tmp_t, syslogd_tmp_t)
manage_dirs_pattern($1, syslogd_tmp_t, syslogd_tmp_t)
manage_files_pattern($1, syslogd_var_lib_t, syslogd_var_lib_t)
manage_dirs_pattern($1, syslogd_var_lib_t, syslogd_var_lib_t)
manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
manage_dirs_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
# Config files, plus new files $1 creates in etc get syslog_conf_t.
manage_files_pattern($1, syslog_conf_t, syslog_conf_t)
manage_dirs_pattern($1, syslog_conf_t, syslog_conf_t)
files_etc_filetrans($1, syslog_conf_t, file)
logging_manage_all_logs($1)
# Allow $1 to restart the syslog service through its init script; the
# script runs in system_r, hence the role transition and role allow.
domain_system_change_exemption($1)
logging_syslog_script_domtrans($1)
role_transition $2 syslogd_script_exec_t system_r;
allow $2 system_r;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `logging_admin_syslog'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## the logging environment
##
##
##
## Domain allowed access.
##
##
##
##
## User role allowed access.
##
##
##
##
## User terminal type.
##
##
##
#
define(`logging_admin',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `logging_admin'($*)) dnl
# Union of the audit and syslog admin interfaces: $1 admin domain,
# $2 admin role, $3 admin terminal type. Both callees grant ptrace over
# the respective daemons, so this is for fully trusted domains only.
logging_admin_audit($1, $2, $3)
logging_admin_syslog($1, $2, $3)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `logging_admin'($*)) dnl
')
## Policy for logical volume management programs.
########################################
##
## Execute lvm programs in the lvm domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`lvm_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `lvm_domtrans'($*)) dnl
gen_require(`
type lvm_t, lvm_exec_t;
')
# Locate the binary, then transition $1 to lvm_t on exec of lvm_exec_t.
corecmd_search_sbin($1)
domain_auto_trans($1, lvm_exec_t, lvm_t)
# Backchannel between the lvm_t child and its parent $1: inherited
# descriptors, stdio pipes, and sigchld when the child exits.
allow lvm_t $1:process sigchld;
allow lvm_t $1:fifo_file rw_file_perms;
allow lvm_t $1:fd use;
allow $1 lvm_t:fd use;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `lvm_domtrans'($*)) dnl
')
########################################
##
## Execute lvm programs in the lvm domain.
##
##
##
## The type of the process performing this action.
##
##
##
##
## The role to allow the LVM domain.
##
##
##
##
## The type of the terminal allow the LVM domain to use.
##
##
##
#
define(`lvm_run',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `lvm_run'($*)) dnl
gen_require(`
type lvm_t;
')
# Role $2 may run processes in lvm_t, and lvm_t may read and write the
# caller terminal type $3; the transition itself comes from lvm_domtrans.
role $2 types lvm_t;
allow lvm_t $3:chr_file rw_term_perms;
lvm_domtrans($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `lvm_run'($*)) dnl
')
########################################
##
## Read LVM configuration files.
##
##
##
## The type of the process performing this action.
##
##
##
#
define(`lvm_read_config',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `lvm_read_config'($*)) dnl
gen_require(`
type lvm_etc_t;
')
# Read-only: reach etc, list lvm_etc_t directories, read their files.
files_search_etc($1)
read_files_pattern($1, lvm_etc_t, lvm_etc_t)
allow $1 lvm_etc_t:dir list_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `lvm_read_config'($*)) dnl
')
########################################
##
## Manage LVM configuration files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`lvm_manage_config',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `lvm_manage_config'($*)) dnl
gen_require(`
type lvm_etc_t;
')
# Full create/read/write/delete on lvm_etc_t files and directories;
# a domain with this can rewrite the LVM configuration, so grant it
# only to LVM administration domains.
files_search_etc($1)
manage_files_pattern($1, lvm_etc_t, lvm_etc_t)
manage_dirs_pattern($1, lvm_etc_t, lvm_etc_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `lvm_manage_config'($*)) dnl
')
########################################
##
## Execute clvmd server in the clvmd domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`lvm_clmvd_script_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `lvm_clmvd_script_domtrans'($*)) dnl
gen_require(`
type clvmd_script_exec_t;
')
# NOTE(review): the interface name spells clvmd as clmvd; it is kept
# as-is because callers depend on the name.
# Automatic domain transition for $1 when it executes the clvmd init
# script; the resulting domain comes from init_script_domtrans_spec.
init_script_domtrans_spec($1,clvmd_script_exec_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `lvm_clmvd_script_domtrans'($*)) dnl
')
## Miscellaneous files.
########################################
##
## Read system SSL certificates.
##
##
##
## Domain allowed access.
##
##
##
#
define(`miscfiles_read_certs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_read_certs'($*)) dnl
gen_require(`
type cert_t;
')
# Read-only access to everything labeled cert_t (directories, files,
# symlinks). NOTE(review): private key material must not carry this
# label, or every caller of this interface can read it - confirm the
# file contexts that assign cert_t.
allow $1 cert_t:lnk_file { getattr read };
allow $1 cert_t:file r_file_perms;
allow $1 cert_t:dir r_dir_perms;
# NOTE(review): why a sysctl read is bundled with certificate access is
# not evident from this interface - confirm with its callers.
kernel_read_sysctl($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_read_certs'($*)) dnl
')
########################################
##
## Read fonts.
##
##
##
## Domain allowed access.
##
##
##
#
define(`miscfiles_read_fonts',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_read_fonts'($*)) dnl
gen_require(`
type fonts_t;
')
# cjp: fonts live under either usr or the lib tree, so both parents
# are searchable. Access to fonts_t itself is read-only.
libs_search_lib($1)
files_search_usr($1)
allow $1 fonts_t:lnk_file { getattr read };
allow $1 fonts_t:file r_file_perms;
allow $1 fonts_t:dir r_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_read_fonts'($*)) dnl
')
########################################
##
## Create, read, write, and delete fonts.
##
##
##
## Domain allowed access.
##
##
##
#
define(`miscfiles_manage_fonts',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_manage_fonts'($*)) dnl
gen_require(`
type fonts_t;
')
# cjp: fonts live under either usr or the lib tree, so both parents
# are searchable. Full create rights on fonts_t files, dirs and links.
libs_search_lib($1)
files_search_usr($1)
allow $1 fonts_t:lnk_file create_lnk_perms;
allow $1 fonts_t:file create_file_perms;
allow $1 fonts_t:dir create_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_manage_fonts'($*)) dnl
')
########################################
##
## Read hardware identification data.
##
##
##
## Domain allowed access.
##
##
#
define(`miscfiles_read_hwdata',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_read_hwdata'($*)) dnl
gen_require(`
type hwdata_t;
')
# Read-only access to hwdata_t; no parent-directory search is granted
# here, the caller must already be able to reach the files.
allow $1 hwdata_t:lnk_file { getattr read };
allow $1 hwdata_t:file r_file_perms;
allow $1 hwdata_t:dir r_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_read_hwdata'($*)) dnl
')
########################################
##
## Allow process to read localization info
##
##
##
## Domain allowed access.
##
##
#
define(`miscfiles_read_localization',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_read_localization'($*)) dnl
gen_require(`
type locale_t;
')
# Read-only access to locale_t, reached through the usr tree and the
# symlinks in etc.
files_search_usr($1)
files_read_etc_symlinks($1)
allow $1 locale_t:file r_file_perms;
allow $1 locale_t:lnk_file r_file_perms;
allow $1 locale_t:dir r_dir_perms;
# NOTE(review): the original marked this call with a bare why? - the
# reason readers of localization data also need lib files is not
# evident here; confirm before removing it.
libs_read_lib_files($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_read_localization'($*)) dnl
')
########################################
##
## Allow process to write localization info
##
##
##
## Domain allowed access.
##
##
#
define(`miscfiles_rw_localization',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_rw_localization'($*)) dnl
gen_require(`
type locale_t;
')
# Read and write existing locale_t files only: no create or delete,
# and directories are list-only.
files_search_usr($1)
allow $1 locale_t:file rw_file_perms;
allow $1 locale_t:dir list_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_rw_localization'($*)) dnl
')
########################################
##
## Allow process to setattr localization info
##
##
##
## Domain allowed access.
##
##
#
define(`miscfiles_setattr_localization',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_setattr_localization'($*)) dnl
gen_require(`
type locale_t;
')
# Attribute changes only (setattr) on locale_t files; no content
# access, and directories are list-only.
files_search_usr($1)
allow $1 locale_t:file setattr;
allow $1 locale_t:dir list_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_setattr_localization'($*)) dnl
')
########################################
##
## Allow process to relabel localization info
##
##
##
## Domain allowed access.
##
##
#
define(`miscfiles_relabel_localization',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_relabel_localization'($*)) dnl
gen_require(`
type locale_t;
')
# Both directions of relabeling on locale_t files: $1 may change a
# file to locale_t (relabelto) and away from it (relabelfrom). Only
# the file class is covered; directories and symlinks are not.
allow $1 locale_t:file { relabelto relabelfrom };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_relabel_localization'($*)) dnl
')
########################################
##
## Allow process to read legacy time localization info
##
##
##
## Domain allowed access.
##
##
#
define(`miscfiles_legacy_read_localization',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_legacy_read_localization'($*)) dnl
gen_require(`
type locale_t;
')
# Everything miscfiles_read_localization grants, plus execute on
# locale_t files. NOTE(review): execute on data files is unusual;
# the header attributes it to legacy time localization - confirm the
# need before reusing this interface for new domains.
miscfiles_read_localization($1)
allow $1 locale_t:file execute;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_legacy_read_localization'($*)) dnl
')
########################################
##
## Do not audit attempts to search man pages.
##
##
##
## Domain to not audit.
##
##
#
define(`miscfiles_dontaudit_search_man_pages',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_dontaudit_search_man_pages'($*)) dnl
gen_require(`
type man_t;
')
# Silence audit records for directory search on man_t; this grants
# nothing, the denial still happens.
dontaudit $1 man_t:dir search;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_dontaudit_search_man_pages'($*)) dnl
')
########################################
##
## Read man pages
##
##
##
## Domain allowed access.
##
##
##
#
define(`miscfiles_read_man_pages',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_read_man_pages'($*)) dnl
gen_require(`
type man_t;
')
# Read-only access to man_t under the usr tree.
files_search_usr($1)
allow $1 man_t:lnk_file r_file_perms;
allow $1 man_t:file r_file_perms;
allow $1 man_t:dir r_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_read_man_pages'($*)) dnl
')
########################################
##
## Delete man pages
##
##
##
## Domain allowed access.
##
##
# cjp: added for tmpreaper
#
define(`miscfiles_delete_man_pages',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_delete_man_pages'($*)) dnl
gen_require(`
type man_t;
')
# Removal only: unlink files and symlinks, remove directories
# (rw_dir_perms is needed to take entries out of a directory).
# No read of page content is granted.
files_search_usr($1)
allow $1 man_t:lnk_file { getattr unlink };
allow $1 man_t:file { getattr unlink };
allow $1 man_t:dir { setattr rw_dir_perms rmdir };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_delete_man_pages'($*)) dnl
')
########################################
##
## Create, read, write, and delete man pages
##
##
##
## Domain allowed access.
##
##
#
define(`miscfiles_manage_man_pages',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_manage_man_pages'($*)) dnl
gen_require(`
type man_t;
')
# Full create rights on man_t files and directories.
files_search_usr($1)
allow $1 man_t:file create_file_perms;
allow $1 man_t:dir create_dir_perms;
# Symlinks stay read-only here. NOTE(review): miscfiles_manage_fonts
# grants create_lnk_perms in the same kind of interface - confirm
# whether the narrower grant is intended.
allow $1 man_t:lnk_file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_manage_man_pages'($*)) dnl
')
########################################
##
## Read public files used for file
## transfer services.
##
##
##
## Domain allowed access.
##
##
##
#
define(`miscfiles_read_public_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_read_public_files'($*)) dnl
gen_require(`
type public_content_t, public_content_rw_t;
')
# Read-only on both the read-only and the writable public content
# types; write access is a separate interface.
allow $1 { public_content_t public_content_rw_t }:lnk_file { getattr read };
allow $1 { public_content_t public_content_rw_t }:file r_file_perms;
allow $1 { public_content_t public_content_rw_t }:dir r_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_read_public_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete public files
## and directories used for file transfer services.
##
##
##
## Domain allowed access.
##
##
##
#
define(`miscfiles_manage_public_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_manage_public_files'($*)) dnl
gen_require(`
type public_content_rw_t;
')
# Full create rights on public_content_rw_t only; the read-only
# public_content_t is not included, so content labeled with it stays
# unwritable through this interface.
allow $1 public_content_rw_t:lnk_file create_lnk_perms;
allow $1 public_content_rw_t:file create_file_perms;
allow $1 public_content_rw_t:dir create_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_manage_public_files'($*)) dnl
')
########################################
##
## Read TeX data
##
##
##
## Domain allowed access.
##
##
#
define(`miscfiles_read_tetex_data',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_read_tetex_data'($*)) dnl
gen_require(`
type tetex_data_t;
')
# cjp: TeX data can live under either var or var/lib, hence both
# parent searches. Access to tetex_data_t itself is read-only.
files_search_var_lib($1)
files_search_var($1)
allow $1 tetex_data_t:lnk_file r_file_perms;
allow $1 tetex_data_t:file r_file_perms;
allow $1 tetex_data_t:dir r_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_read_tetex_data'($*)) dnl
')
########################################
##
## Execute TeX data programs in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
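define(`miscfiles_exec_tetex_data',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_exec_tetex_data'($*)) dnl
gen_require(`
type tetex_data_t;
')
# The require block names the type the rules below actually use
# (tetex_data_t); the earlier version required fonts_t, which is
# never referenced here, and left tetex_data_t undeclared.
files_search_var($1)
files_search_var_lib($1)
# cjp: TeX data can be in either of the above dirs
# Directory listing plus execute (can_exec) on tetex_data_t files,
# run in the caller domain $1 with no domain transition.
allow $1 tetex_data_t:dir r_dir_perms;
can_exec($1,tetex_data_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_exec_tetex_data'($*)) dnl
')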
########################################
##
## Let test files be an entry point for
## a specified domain.
##
##
##
## Domain to be entered.
##
##
#
define(`miscfiles_domain_entry_test_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_domain_entry_test_files'($*)) dnl
gen_require(`
type test_file_t;
')
# Make test_file_t a valid entry point for domain $1: a process may
# enter $1 by executing a file of this type. Entry points define how
# a domain can be reached, so keep this to test domains only.
domain_entry_file($1, test_file_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_domain_entry_test_files'($*)) dnl
')
########################################
##
## Read test files and directories.
##
##
##
## Domain allowed access.
##
##
#
define(`miscfiles_read_test_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_read_test_files'($*)) dnl
gen_require(`
type test_file_t;
')
# Read-only access to test_file_t; no parent-directory search is
# granted here.
allow $1 test_file_t:lnk_file r_file_perms;
allow $1 test_file_t:file r_file_perms;
allow $1 test_file_t:dir r_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_read_test_files'($*)) dnl
')
########################################
##
## Execute test files.
##
##
##
## Domain allowed access.
##
##
#
define(`miscfiles_exec_test_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_exec_test_files'($*)) dnl
gen_require(`
type test_file_t;
')
# Execute test_file_t in the caller domain $1 (no transition), plus
# the directory and symlink access needed to reach the files.
can_exec($1, test_file_t)
allow $1 test_file_t:lnk_file r_file_perms;
allow $1 test_file_t:dir r_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_exec_test_files'($*)) dnl
')
########################################
##
## Create files in /etc with the localization type (automatic type transition).
##
##
##
## Domain allowed access.
##
##
#
define(`miscfiles_etc_filetrans_localization',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_etc_filetrans_localization'($*)) dnl
gen_require(`
type locale_t;
')
# Regular files that $1 creates in etc directories get locale_t
# instead of inheriting the directory type. Only the file class is
# covered, and no access to locale_t itself is granted here.
files_etc_filetrans($1, locale_t, file)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_etc_filetrans_localization'($*)) dnl
')
########################################
##
## Create, read, write, and delete localization
##
##
##
## Domain allowed access.
##
##
##
#
define(`miscfiles_manage_localization',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_manage_localization'($*)) dnl
gen_require(`
type locale_t;
')
# Full create rights on locale_t files, directories and symlinks;
# no parent-directory search is granted here.
allow $1 locale_t:lnk_file create_lnk_perms;
allow $1 locale_t:file create_file_perms;
allow $1 locale_t:dir create_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_manage_localization'($*)) dnl
')
## Policy for kernel module utilities
########################################
##
## Read the dependencies of kernel modules.
##
##
##
## Domain allowed access.
##
##
#
define(`modutils_read_module_deps',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `modutils_read_module_deps'($*)) dnl
gen_require(`
type modules_dep_t;
')
# List the kernel modules directory, then read (only) the dependency
# files labeled modules_dep_t.
files_list_kernel_modules($1)
allow $1 modules_dep_t:file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `modutils_read_module_deps'($*)) dnl
')
########################################
##
## Read the configuration options used when
## loading modules.
##
##
##
## Domain allowed access.
##
##
##
#
define(`modutils_read_module_config',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `modutils_read_module_config'($*)) dnl
gen_require(`
type modules_conf_t;
')
# This file type can be in /etc or
# /lib(64)?/modules
# NOTE(review): the comment above names the modules directory, but the
# second search granted is files_search_boot - confirm which parent
# directories modules_conf_t actually lives under.
files_search_etc($1)
files_search_boot($1)
# Read-only on both regular files and symlinks of this type.
allow $1 modules_conf_t:{ file lnk_file } r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `modutils_read_module_config'($*)) dnl
')
########################################
##
## Rename a file with the configuration options used when
## loading modules.
##
##
##
## Domain allowed access.
##
##
#
define(`modutils_rename_module_config',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `modutils_rename_module_config'($*)) dnl
gen_require(`
type modules_conf_t;
')
# rename only: no read, write, create or unlink on modules_conf_t, and
# no directory access - the caller must obtain those separately.
allow $1 modules_conf_t:file rename;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `modutils_rename_module_config'($*)) dnl
')
########################################
##
## Unconditionally execute insmod in the insmod domain.
##
##
##
## Domain allowed access.
##
##
#
# cjp: this is added for pppd, due to nested
# conditionals not working.
define(`modutils_domtrans_insmod_uncond',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `modutils_domtrans_insmod_uncond'($*)) dnl
gen_require(`
type insmod_t, insmod_exec_t;
')
# Unconditional transition $1 to insmod_t on exec of insmod_exec_t.
# Unlike modutils_domtrans_insmod this is NOT gated on the
# secure_mode_insmod boolean (it exists because nested conditionals
# did not work for the pppd case), so a caller bypasses that gate.
corecmd_search_sbin($1)
domain_auto_trans($1, insmod_exec_t, insmod_t)
# Backchannel between the insmod_t child and its parent $1: inherited
# descriptors, stdio pipes, and sigchld when the child exits.
allow insmod_t $1:process sigchld;
allow insmod_t $1:fifo_file rw_file_perms;
allow insmod_t $1:fd use;
allow $1 insmod_t:fd use;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `modutils_domtrans_insmod_uncond'($*)) dnl
')
########################################
##
## Execute insmod in the insmod domain.
##
##
##
## Domain allowed access.
##
##
#
define(`modutils_domtrans_insmod',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `modutils_domtrans_insmod'($*)) dnl
gen_require(`
bool secure_mode_insmod;
')
# Gated on the secure_mode_insmod boolean: the transition into insmod_t
# exists only while the boolean is false, so turning it on withdraws
# this path to module loading from $1 at runtime.
if (!secure_mode_insmod) {
modutils_domtrans_insmod_uncond($1)
}
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `modutils_domtrans_insmod'($*)) dnl
')
########################################
##
## Execute insmod in the insmod domain, and
## allow the specified role the insmod domain,
## and use the caller's terminal. Has a sigchld
## backchannel.
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed the insmod domain.
##
##
##
##
## The type of the terminal allow the insmod domain to use.
##
##
##
#
define(`modutils_run_insmod',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `modutils_run_insmod'($*)) dnl
gen_require(`
type insmod_t;
')
# Role $2 may run processes in insmod_t, and insmod_t may read and
# write the caller terminal type $3. The transition itself comes from
# modutils_domtrans_insmod and so stays subject to secure_mode_insmod.
role $2 types insmod_t;
allow insmod_t $3:chr_file rw_term_perms;
modutils_domtrans_insmod($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `modutils_run_insmod'($*)) dnl
')
########################################
##
## Execute insmod in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`modutils_exec_insmod',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `modutils_exec_insmod'($*)) dnl
gen_require(`
type insmod_exec_t;
')
# Run insmod in the caller domain $1 itself (no transition), so
# whatever insmod does is done with the privileges of $1.
corecmd_search_sbin($1)
can_exec($1, insmod_exec_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `modutils_exec_insmod'($*)) dnl
')
########################################
##
## Execute depmod in the depmod domain.
##
##
##
## Domain allowed access.
##
##
#
define(`modutils_domtrans_depmod',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `modutils_domtrans_depmod'($*)) dnl
gen_require(`
type depmod_t, depmod_exec_t;
')
# Locate the binary, then transition $1 to depmod_t on exec of
# depmod_exec_t.
corecmd_search_sbin($1)
domain_auto_trans($1, depmod_exec_t, depmod_t)
# Backchannel between the depmod_t child and its parent $1: inherited
# descriptors, stdio pipes, and sigchld when the child exits.
allow depmod_t $1:process sigchld;
allow depmod_t $1:fifo_file rw_file_perms;
allow depmod_t $1:fd use;
allow $1 depmod_t:fd use;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `modutils_domtrans_depmod'($*)) dnl
')
########################################
##
## Execute depmod in the depmod domain, allow the specified role the depmod domain, and let it use the caller terminal.
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed the depmod domain.
##
##
##
##
## The type of the terminal allow the depmod domain to use.
##
##
##
#
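define(`modutils_run_depmod',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `modutils_run_depmod'($*)) dnl
gen_require(`
type depmod_t;
')
# $1 transitions into depmod_t; role $2 may run processes in depmod_t.
modutils_domtrans_depmod($1)
role $2 types depmod_t;
# Terminal access goes to the depmod domain itself. The earlier rule
# named insmod_t here, which is not the domain being run and is not in
# the require block above.
allow depmod_t $3:chr_file rw_term_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `modutils_run_depmod'($*)) dnl
')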
########################################
##
## Execute depmod in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`modutils_exec_depmod',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `modutils_exec_depmod'($*)) dnl
gen_require(`
type depmod_exec_t;
')
# Run depmod in the caller domain $1 itself (no transition), so
# whatever depmod does is done with the privileges of $1.
corecmd_search_sbin($1)
can_exec($1, depmod_exec_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `modutils_exec_depmod'($*)) dnl
')
########################################
##
## Execute update_modules in the update_modules domain.
##
##
##
## Domain allowed access.
##
##
#
define(`modutils_domtrans_update_mods',` dnl
dnl modutils_domtrans_update_mods(domain)
dnl Let the caller domain (arg 1) execute update_modules_exec_t with an
dnl automatic transition into update_modules_t, plus fd inheritance in both
dnl directions, pipe I/O, and SIGCHLD back to the caller.
define(`policy_temp',incr(policy_call_depth)) pushdef(`policy_call_depth',policy_temp) undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `modutils_domtrans_update_mods'($*)) dnl
gen_require(`
type update_modules_t, update_modules_exec_t;
')
corecmd_search_sbin($1)
domain_auto_trans($1, update_modules_exec_t, update_modules_t)
dnl parent/child plumbing between the caller and update_modules_t
allow update_modules_t $1:process { sigchld };
allow update_modules_t $1:fifo_file rw_file_perms;
allow update_modules_t $1:fd { use };
allow $1 update_modules_t:fd { use };
define(`policy_temp',decr(policy_call_depth)) pushdef(`policy_call_depth',policy_temp) undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `modutils_domtrans_update_mods'($*)) dnl
')
########################################
##
## Execute update_modules in the update_modules domain.
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed the update_modules domain.
##
##
##
##
## The type of the terminal the update_modules domain is allowed to use.
##
##
##
#
define(`modutils_run_update_mods',` dnl
dnl modutils_run_update_mods(domain, role, terminal)
dnl Same transition as modutils_domtrans_update_mods, plus role
dnl authorization for arg 2 and terminal access on type arg 3 for
dnl update_modules_t.
define(`policy_temp',incr(policy_call_depth)) pushdef(`policy_call_depth',policy_temp) undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `modutils_run_update_mods'($*)) dnl
gen_require(`
type update_modules_t;
')
modutils_domtrans_update_mods($1)
allow update_modules_t $3:chr_file rw_term_perms;
role $2 types update_modules_t;
define(`policy_temp',decr(policy_call_depth)) pushdef(`policy_call_depth',policy_temp) undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `modutils_run_update_mods'($*)) dnl
')
########################################
##
## Execute update_modules in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`modutils_exec_update_mods',` dnl
dnl modutils_exec_update_mods(domain)
dnl Allow the caller domain (arg 1) to run update_modules_exec_t with no
dnl domain transition.
define(`policy_temp',incr(policy_call_depth)) pushdef(`policy_call_depth',policy_temp) undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `modutils_exec_update_mods'($*)) dnl
gen_require(`
type update_modules_exec_t;
')
dnl the caller must be able to reach the sbin directory before exec
corecmd_search_sbin($1)
can_exec($1, update_modules_exec_t)
define(`policy_temp',decr(policy_call_depth)) pushdef(`policy_call_depth',policy_temp) undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `modutils_exec_update_mods'($*)) dnl
')
## Policy for mount.
########################################
##
## Execute mount in the mount domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`mount_domtrans',` dnl
dnl mount_domtrans(domain)
dnl Let the caller domain (arg 1) execute mount_exec_t with an automatic
dnl transition into mount_t, plus fd inheritance in both directions, pipe
dnl I/O, and SIGCHLD back to the caller. No search rule on the binary
dnl directory is granted here (compare the modutils interfaces).
define(`policy_temp',incr(policy_call_depth)) pushdef(`policy_call_depth',policy_temp) undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mount_domtrans'($*)) dnl
gen_require(`
type mount_t, mount_exec_t;
')
domain_auto_trans($1, mount_exec_t, mount_t)
dnl parent/child plumbing between the caller and mount_t
allow mount_t $1:process { sigchld };
allow mount_t $1:fifo_file rw_file_perms;
allow mount_t $1:fd { use };
allow $1 mount_t:fd { use };
define(`policy_temp',decr(policy_call_depth)) pushdef(`policy_call_depth',policy_temp) undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mount_domtrans'($*)) dnl
')
########################################
##
## Execute mount in the mount domain, and
## allow the specified role the mount domain,
## and use the caller's terminal.
##
##
##
## The type of the process performing this action.
##
##
##
##
## The role to be allowed the mount domain.
##
##
##
##
## The type of the terminal the mount domain is allowed to use.
##
##
##
#
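define(`mount_run',` dnl
dnl mount_run(domain, role, terminal)
dnl Transition the caller domain (arg 1) into mount_t via mount_domtrans,
dnl authorize the role (arg 2) for mount_t, and let mount_t use the
dnl terminal type (arg 3).
dnl Fix: the terminal rule used rw_file_perms while every other *_run
dnl interface in this file grants a terminal with rw_term_perms; the
dnl terminal permission set is the least-privilege choice for a chr_file
dnl tty and keeps mount_run consistent with its siblings. The exact
dnl difference between the two sets lives in the perm-set macros, not here.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mount_run'($*)) dnl
gen_require(`
type mount_t;
')
mount_domtrans($1)
role $2 types mount_t;
allow mount_t $3:chr_file rw_term_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mount_run'($*)) dnl
')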
########################################
##
## Execute mount in the caller domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`mount_exec',` dnl
dnl mount_exec(domain)
dnl Allow the caller domain (arg 1) to run mount_exec_t with no domain
dnl transition.
dnl NOTE(review): the dir and lnk_file rules are written against an
dnl executable file type; they are kept verbatim here, but whether they
dnl are still needed should be confirmed against the callers.
define(`policy_temp',incr(policy_call_depth)) pushdef(`policy_call_depth',policy_temp) undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mount_exec'($*)) dnl
gen_require(`
type mount_exec_t;
')
can_exec($1, mount_exec_t)
allow $1 mount_exec_t:lnk_file r_file_perms;
allow $1 mount_exec_t:dir r_dir_perms;
define(`policy_temp',decr(policy_call_depth)) pushdef(`policy_call_depth',policy_temp) undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mount_exec'($*)) dnl
')
########################################
##
## Use file descriptors for mount.
##
##
##
## The type of the process performing this action.
##
##
#
define(`mount_use_fds',` dnl
dnl mount_use_fds(domain)
dnl Allow the caller domain (arg 1) to use file descriptors it inherited
dnl from mount_t.
define(`policy_temp',incr(policy_call_depth)) pushdef(`policy_call_depth',policy_temp) undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mount_use_fds'($*)) dnl
gen_require(`
type mount_t;
')
allow $1 mount_t:fd { use };
define(`policy_temp',decr(policy_call_depth)) pushdef(`policy_call_depth',policy_temp) undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mount_use_fds'($*)) dnl
')
########################################
##
## Allow the mount domain to send nfs requests for mounting
## network drives
##
##
##
## Allow the mount domain to send nfs requests for mounting
## network drives
##
##
## This interface has been deprecated as these rules were
## a side effect of leaked mount file descriptors. This
## interface has no effect.
##
##
##
##
## Domain allowed access.
##
##
#
define(`mount_send_nfs_client_request',` dnl
dnl mount_send_nfs_client_request(domain)
dnl Deprecated: grants nothing and only emits a build-time warning via
dnl refpolicywarn. Callers should drop the call.
define(`policy_temp',incr(policy_call_depth)) pushdef(`policy_call_depth',policy_temp) undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mount_send_nfs_client_request'($*)) dnl
refpolicywarn(`$0($*) has been deprecated.')
define(`policy_temp',decr(policy_call_depth)) pushdef(`policy_call_depth',policy_temp) undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mount_send_nfs_client_request'($*)) dnl
')
########################################
##
## Execute mount in the unconfined mount domain.
##
##
##
## Domain allowed access.
##
##
#
define(`mount_domtrans_unconfined',` dnl
dnl mount_domtrans_unconfined(domain)
dnl Targeted policy only: let the caller domain (arg 1) execute
dnl mount_exec_t with a transition into unconfined_mount_t, with the usual
dnl fd/pipe/SIGCHLD plumbing. In strict policy the interface emits a
dnl warning and grants nothing.
define(`policy_temp',incr(policy_call_depth)) pushdef(`policy_call_depth',policy_temp) undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mount_domtrans_unconfined'($*)) dnl
ifdef(`targeted_policy',`
gen_require(`
type unconfined_mount_t, mount_exec_t;
')
domain_auto_trans($1, mount_exec_t, unconfined_mount_t)
dnl parent/child plumbing between the caller and unconfined_mount_t
allow unconfined_mount_t $1:process { sigchld };
allow unconfined_mount_t $1:fifo_file rw_file_perms;
allow unconfined_mount_t $1:fd { use };
allow $1 unconfined_mount_t:fd { use };
',`
refpolicywarn(`$0($1) has no effect in strict policy.')
')
define(`policy_temp',decr(policy_call_depth)) pushdef(`policy_call_depth',policy_temp) undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mount_domtrans_unconfined'($*)) dnl
')
## NetLabel/CIPSO labeled networking management
########################################
##
## Execute netlabel_mgmt in the netlabel_mgmt domain.
##
##
##
## Domain allowed access.
##
##
#
define(`netlabel_domtrans_mgmt',` dnl
dnl netlabel_domtrans_mgmt(domain)
dnl Let the caller domain (arg 1) execute netlabel_mgmt_exec_t with an
dnl automatic transition into netlabel_mgmt_t; the child may use inherited
dnl fds and pipes of the caller and send it SIGCHLD.
dnl NOTE(review): unlike the other domtrans interfaces in this file, the
dnl caller is not granted use of netlabel_mgmt_t fds; kept as-is, confirm
dnl whether that asymmetry is intended.
define(`policy_temp',incr(policy_call_depth)) pushdef(`policy_call_depth',policy_temp) undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `netlabel_domtrans_mgmt'($*)) dnl
gen_require(`
type netlabel_mgmt_t, netlabel_mgmt_exec_t;
')
corecmd_search_sbin($1)
domain_auto_trans($1, netlabel_mgmt_exec_t, netlabel_mgmt_t)
allow netlabel_mgmt_t $1:process { sigchld };
allow netlabel_mgmt_t $1:fifo_file rw_file_perms;
allow netlabel_mgmt_t $1:fd { use };
define(`policy_temp',decr(policy_call_depth)) pushdef(`policy_call_depth',policy_temp) undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `netlabel_domtrans_mgmt'($*)) dnl
')
########################################
##
## Execute netlabel_mgmt in the netlabel_mgmt domain, and
## allow the specified role the netlabel_mgmt domain.
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed the netlabel_mgmt domain.
##
##
##
##
## The type of the terminal the netlabel_mgmt domain is allowed to use.
##
##
##
#
define(`netlabel_run_mgmt',` dnl
dnl netlabel_run_mgmt(domain, role, terminal)
dnl Same transition as netlabel_domtrans_mgmt, plus role authorization for
dnl arg 2 and terminal access on type arg 3 for netlabel_mgmt_t.
define(`policy_temp',incr(policy_call_depth)) pushdef(`policy_call_depth',policy_temp) undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `netlabel_run_mgmt'($*)) dnl
gen_require(`
type netlabel_mgmt_t;
')
netlabel_domtrans_mgmt($1)
allow netlabel_mgmt_t $3:chr_file rw_term_perms;
role $2 types netlabel_mgmt_t;
define(`policy_temp',decr(policy_call_depth)) pushdef(`policy_call_depth',policy_temp) undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `netlabel_run_mgmt'($*)) dnl
')
## PCMCIA card management services
########################################
##
## PCMCIA stub interface. No access allowed.
##
##
##
## N/A
##
##
#
define(`pcmcia_stub',` dnl
dnl pcmcia_stub(domain)
dnl Stub: only requires cardmgr_t so that a module gains a dependency on
dnl the pcmcia module; no access is granted to arg 1.
define(`policy_temp',incr(policy_call_depth)) pushdef(`policy_call_depth',policy_temp) undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `pcmcia_stub'($*)) dnl
gen_require(`
type cardmgr_t;
')
define(`policy_temp',decr(policy_call_depth)) pushdef(`policy_call_depth',policy_temp) undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `pcmcia_stub'($*)) dnl
')
########################################
##
## Execute cardmgr in the cardmgr domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`pcmcia_domtrans_cardmgr',` dnl
dnl pcmcia_domtrans_cardmgr(domain)
dnl Let the caller domain (arg 1) execute cardmgr_exec_t with an automatic
dnl transition into cardmgr_t, plus fd inheritance in both directions,
dnl pipe I/O, and SIGCHLD back to the caller.
define(`policy_temp',incr(policy_call_depth)) pushdef(`policy_call_depth',policy_temp) undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `pcmcia_domtrans_cardmgr'($*)) dnl
gen_require(`
type cardmgr_t, cardmgr_exec_t;
')
domain_auto_trans($1, cardmgr_exec_t, cardmgr_t)
dnl parent/child plumbing between the caller and cardmgr_t
allow cardmgr_t $1:process { sigchld };
allow cardmgr_t $1:fifo_file rw_file_perms;
allow cardmgr_t $1:fd { use };
allow $1 cardmgr_t:fd { use };
define(`policy_temp',decr(policy_call_depth)) pushdef(`policy_call_depth',policy_temp) undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `pcmcia_domtrans_cardmgr'($*)) dnl
')
########################################
##
## Inherit and use file descriptors from cardmgr.
##
##
##
## Domain allowed access.
##
##
#
define(`pcmcia_use_cardmgr_fds',` dnl
dnl pcmcia_use_cardmgr_fds(domain)
dnl Allow the caller domain (arg 1) to use file descriptors inherited
dnl from cardmgr_t.
define(`policy_temp',incr(policy_call_depth)) pushdef(`policy_call_depth',policy_temp) undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `pcmcia_use_cardmgr_fds'($*)) dnl
gen_require(`
type cardmgr_t;
')
allow $1 cardmgr_t:fd { use };
define(`policy_temp',decr(policy_call_depth)) pushdef(`policy_call_depth',policy_temp) undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `pcmcia_use_cardmgr_fds'($*)) dnl
')
########################################
##
## Execute cardctl in the cardmgr domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`pcmcia_domtrans_cardctl',` dnl
dnl pcmcia_domtrans_cardctl(domain)
dnl Let the caller domain (arg 1) execute cardctl_exec_t with an automatic
dnl transition into cardmgr_t (cardctl shares the cardmgr domain), plus fd
dnl inheritance in both directions, pipe I/O, and SIGCHLD to the caller.
define(`policy_temp',incr(policy_call_depth)) pushdef(`policy_call_depth',policy_temp) undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `pcmcia_domtrans_cardctl'($*)) dnl
gen_require(`
type cardmgr_t, cardctl_exec_t;
')
domain_auto_trans($1, cardctl_exec_t, cardmgr_t)
dnl parent/child plumbing between the caller and cardmgr_t
allow cardmgr_t $1:process { sigchld };
allow cardmgr_t $1:fifo_file rw_file_perms;
allow cardmgr_t $1:fd { use };
allow $1 cardmgr_t:fd { use };
define(`policy_temp',decr(policy_call_depth)) pushdef(`policy_call_depth',policy_temp) undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `pcmcia_domtrans_cardctl'($*)) dnl
')
########################################
##
## Execute cardctl in the cardmgr domain, and
## allow the specified role the cardmgr domain.
##
##
##
## The type of the process performing this action.
##
##
##
##
## The role to be allowed the cardmgr domain.
##
##
##
##
## The type of the terminal the cardmgr domain is allowed to use.
##
##
##
#
define(`pcmcia_run_cardctl',` dnl
dnl pcmcia_run_cardctl(domain, role, terminal)
dnl Same transition as pcmcia_domtrans_cardctl, plus role authorization
dnl for arg 2 and terminal access on type arg 3 for cardmgr_t.
define(`policy_temp',incr(policy_call_depth)) pushdef(`policy_call_depth',policy_temp) undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `pcmcia_run_cardctl'($*)) dnl
gen_require(`
type cardmgr_t;
')
pcmcia_domtrans_cardctl($1)
allow cardmgr_t $3:chr_file rw_term_perms;
role $2 types cardmgr_t;
define(`policy_temp',decr(policy_call_depth)) pushdef(`policy_call_depth',policy_temp) undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `pcmcia_run_cardctl'($*)) dnl
')
########################################
##
## Read cardmgr pid files.
##
##
##
## Domain allowed access.
##
##
#
define(`pcmcia_read_pid',` dnl
dnl pcmcia_read_pid(domain)
dnl Read-only access for the caller domain (arg 1) to the cardmgr pid
dnl files: search the pid directory, list/read the cardmgr_var_run_t
dnl directory, read its files, and getattr/read its symlinks.
define(`policy_temp',incr(policy_call_depth)) pushdef(`policy_call_depth',policy_temp) undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `pcmcia_read_pid'($*)) dnl
gen_require(`
type cardmgr_var_run_t;
')
files_search_pids($1)
allow $1 cardmgr_var_run_t:lnk_file { read getattr };
allow $1 cardmgr_var_run_t:file r_file_perms;
allow $1 cardmgr_var_run_t:dir r_dir_perms;
define(`policy_temp',decr(policy_call_depth)) pushdef(`policy_call_depth',policy_temp) undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `pcmcia_read_pid'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## cardmgr pid files.
##
##
##
## Domain allowed access.
##
##
#
define(`pcmcia_manage_pid',` dnl
dnl pcmcia_manage_pid(domain)
dnl Full management of cardmgr pid files for the caller domain (arg 1):
dnl search the pid directory, read/write the cardmgr_var_run_t directory,
dnl and create/read/write/delete its regular files.
define(`policy_temp',incr(policy_call_depth)) pushdef(`policy_call_depth',policy_temp) undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `pcmcia_manage_pid'($*)) dnl
gen_require(`
type cardmgr_var_run_t;
')
files_search_pids($1)
allow $1 cardmgr_var_run_t:file create_file_perms;
allow $1 cardmgr_var_run_t:dir rw_dir_perms;
define(`policy_temp',decr(policy_call_depth)) pushdef(`policy_call_depth',policy_temp) undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `pcmcia_manage_pid'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## cardmgr runtime character nodes.
##
##
##
## Domain allowed access.
##
##
#
define(`pcmcia_manage_pid_chr_files',` dnl
dnl pcmcia_manage_pid_chr_files(domain)
dnl Like pcmcia_manage_pid, but the managed objects are character device
dnl nodes under cardmgr_var_run_t rather than regular files.
define(`policy_temp',incr(policy_call_depth)) pushdef(`policy_call_depth',policy_temp) undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `pcmcia_manage_pid_chr_files'($*)) dnl
gen_require(`
type cardmgr_var_run_t;
')
files_search_pids($1)
allow $1 cardmgr_var_run_t:chr_file create_file_perms;
allow $1 cardmgr_var_run_t:dir rw_dir_perms;
define(`policy_temp',decr(policy_call_depth)) pushdef(`policy_call_depth',policy_temp) undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `pcmcia_manage_pid_chr_files'($*)) dnl
')
## RAID array management tools
########################################
##
## Execute software raid tools in the mdadm domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`raid_domtrans_mdadm',` dnl
dnl raid_domtrans_mdadm(domain)
dnl Let the caller domain (arg 1) execute mdadm_exec_t with an automatic
dnl transition into mdadm_t, plus fd inheritance in both directions, pipe
dnl I/O, and SIGCHLD back to the caller.
define(`policy_temp',incr(policy_call_depth)) pushdef(`policy_call_depth',policy_temp) undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `raid_domtrans_mdadm'($*)) dnl
gen_require(`
type mdadm_t, mdadm_exec_t;
')
corecmd_search_sbin($1)
domain_auto_trans($1, mdadm_exec_t, mdadm_t)
dnl parent/child plumbing between the caller and mdadm_t
allow mdadm_t $1:process { sigchld };
allow mdadm_t $1:fifo_file rw_file_perms;
allow mdadm_t $1:fd { use };
allow $1 mdadm_t:fd { use };
define(`policy_temp',decr(policy_call_depth)) pushdef(`policy_call_depth',policy_temp) undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `raid_domtrans_mdadm'($*)) dnl
')
########################################
##
## Create, read, write, and delete the mdadm pid files.
##
##
##
## Create, read, write, and delete the mdadm pid files.
##
##
## Added for use in the init module.
##
##
##
##
## The type of the process performing this action.
##
##
#
define(`raid_manage_mdadm_pid',` dnl
dnl raid_manage_mdadm_pid(domain)
dnl Grant the caller domain (arg 1) create/read/write/delete on
dnl mdadm_var_run_t regular files. Only the file class is covered: no
dnl directory permissions and no pid-directory search are granted here,
dnl unlike pcmcia_manage_pid; callers must obtain those elsewhere.
define(`policy_temp',incr(policy_call_depth)) pushdef(`policy_call_depth',policy_temp) undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `raid_manage_mdadm_pid'($*)) dnl
gen_require(`
type mdadm_var_run_t;
')
# FIXME: maybe should have a type_transition. not
# clear what this is doing, from the original
# mdadm policy
allow $1 mdadm_var_run_t:file create_file_perms;
define(`policy_temp',decr(policy_call_depth)) pushdef(`policy_call_depth',policy_temp) undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `raid_manage_mdadm_pid'($*)) dnl
')
## Policy for SELinux policy and userland applications.
#######################################
##
## Execute checkpolicy in the checkpolicy domain.
##
##
##
## Domain allowed access.
##
##
#
define(`seutil_domtrans_checkpolicy',` dnl
dnl seutil_domtrans_checkpolicy(domain)
dnl Let the caller domain (arg 1) execute checkpolicy_exec_t with an
dnl automatic transition into checkpolicy_t, plus fd inheritance in both
dnl directions, pipe I/O, and SIGCHLD back to the caller.
define(`policy_temp',incr(policy_call_depth)) pushdef(`policy_call_depth',policy_temp) undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `seutil_domtrans_checkpolicy'($*)) dnl
gen_require(`
type checkpolicy_t, checkpolicy_exec_t;
')
dnl path search: the binary lives below usr and bin
files_search_usr($1)
corecmd_search_bin($1)
domain_auto_trans($1, checkpolicy_exec_t, checkpolicy_t)
dnl parent/child plumbing between the caller and checkpolicy_t
allow checkpolicy_t $1:process { sigchld };
allow checkpolicy_t $1:fifo_file rw_file_perms;
allow checkpolicy_t $1:fd { use };
allow $1 checkpolicy_t:fd { use };
define(`policy_temp',decr(policy_call_depth)) pushdef(`policy_call_depth',policy_temp) undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `seutil_domtrans_checkpolicy'($*)) dnl
')
########################################
##
## Execute checkpolicy in the checkpolicy domain, and
## allow the specified role the checkpolicy domain,
## and use the caller's terminal.
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed the checkpolicy domain.
##
##
##
##
## The type of the terminal the checkpolicy domain is allowed to use.
##
##
##
#
define(`seutil_run_checkpolicy',` dnl
dnl seutil_run_checkpolicy(domain, role, terminal)
dnl Same transition as seutil_domtrans_checkpolicy, plus role authorization
dnl for arg 2 and terminal access on type arg 3 for checkpolicy_t.
define(`policy_temp',incr(policy_call_depth)) pushdef(`policy_call_depth',policy_temp) undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `seutil_run_checkpolicy'($*)) dnl
gen_require(`
type checkpolicy_t;
')
seutil_domtrans_checkpolicy($1)
allow checkpolicy_t $3:chr_file rw_term_perms;
role $2 types checkpolicy_t;
define(`policy_temp',decr(policy_call_depth)) pushdef(`policy_call_depth',policy_temp) undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `seutil_run_checkpolicy'($*)) dnl
')
########################################
##
## Execute checkpolicy in the caller domain.
##
##
##
## Domain allowed access.
##
##
##
#
define(`seutil_exec_checkpolicy',` dnl
dnl seutil_exec_checkpolicy(domain)
dnl Allow the caller domain (arg 1) to run checkpolicy_exec_t with no
dnl domain transition.
define(`policy_temp',incr(policy_call_depth)) pushdef(`policy_call_depth',policy_temp) undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `seutil_exec_checkpolicy'($*)) dnl
gen_require(`
type checkpolicy_exec_t;
')
dnl path search: the binary lives below usr and bin
files_search_usr($1)
corecmd_search_bin($1)
can_exec($1, checkpolicy_exec_t)
define(`policy_temp',decr(policy_call_depth)) pushdef(`policy_call_depth',policy_temp) undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `seutil_exec_checkpolicy'($*)) dnl
')
#######################################
##
## Execute load_policy in the load_policy domain.
##
##
##
## Domain allowed access.
##
##
#
define(`seutil_domtrans_loadpolicy',` dnl
dnl seutil_domtrans_loadpolicy(domain)
dnl Let the caller domain (arg 1) execute load_policy_exec_t with an
dnl automatic transition into load_policy_t, plus fd inheritance in both
dnl directions, pipe I/O, and SIGCHLD back to the caller.
define(`policy_temp',incr(policy_call_depth)) pushdef(`policy_call_depth',policy_temp) undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `seutil_domtrans_loadpolicy'($*)) dnl
gen_require(`
type load_policy_t, load_policy_exec_t;
')
corecmd_search_sbin($1)
domain_auto_trans($1, load_policy_exec_t, load_policy_t)
dnl parent/child plumbing between the caller and load_policy_t
allow load_policy_t $1:process { sigchld };
allow load_policy_t $1:fifo_file rw_file_perms;
allow load_policy_t $1:fd { use };
allow $1 load_policy_t:fd { use };
define(`policy_temp',decr(policy_call_depth)) pushdef(`policy_call_depth',policy_temp) undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `seutil_domtrans_loadpolicy'($*)) dnl
')
########################################
##
## Execute load_policy in the load_policy domain, and
## allow the specified role the load_policy domain,
## and use the caller's terminal.
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed the load_policy domain.
##
##
##
##
## The type of the terminal the load_policy domain is allowed to use.
##
##
##
#
define(`seutil_run_loadpolicy',` dnl
dnl seutil_run_loadpolicy(domain, role, terminal)
dnl Same transition as seutil_domtrans_loadpolicy, plus role authorization
dnl for arg 2 and terminal access on type arg 3 for load_policy_t.
define(`policy_temp',incr(policy_call_depth)) pushdef(`policy_call_depth',policy_temp) undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `seutil_run_loadpolicy'($*)) dnl
gen_require(`
type load_policy_t;
')
seutil_domtrans_loadpolicy($1)
allow load_policy_t $3:chr_file rw_term_perms;
role $2 types load_policy_t;
define(`policy_temp',decr(policy_call_depth)) pushdef(`policy_call_depth',policy_temp) undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `seutil_run_loadpolicy'($*)) dnl
')
########################################
##
## Execute load_policy in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`seutil_exec_loadpolicy',` dnl
dnl seutil_exec_loadpolicy(domain)
dnl Allow the caller domain (arg 1) to run load_policy_exec_t with no
dnl domain transition.
define(`policy_temp',incr(policy_call_depth)) pushdef(`policy_call_depth',policy_temp) undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `seutil_exec_loadpolicy'($*)) dnl
gen_require(`
type load_policy_exec_t;
')
dnl the caller must be able to reach the sbin directory before exec
corecmd_search_sbin($1)
can_exec($1, load_policy_exec_t)
define(`policy_temp',decr(policy_call_depth)) pushdef(`policy_call_depth',policy_temp) undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `seutil_exec_loadpolicy'($*)) dnl
')
########################################
##
## Read the load_policy program file.
##
##
##
## Domain allowed access.
##
##
#
define(`seutil_read_loadpolicy',` dnl
dnl seutil_read_loadpolicy(domain)
dnl Read-only access for the caller domain (arg 1) to the load_policy
dnl program file (no execute permission is granted by this interface).
define(`policy_temp',incr(policy_call_depth)) pushdef(`policy_call_depth',policy_temp) undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `seutil_read_loadpolicy'($*)) dnl
gen_require(`
type load_policy_exec_t;
')
corecmd_search_sbin($1)
allow $1 load_policy_exec_t:file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) pushdef(`policy_call_depth',policy_temp) undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `seutil_read_loadpolicy'($*)) dnl
')
#######################################
##
## Execute newrole in the newrole domain.
##
##
##
## Domain allowed access.
##
##
#
define(`seutil_domtrans_newrole',` dnl
dnl seutil_domtrans_newrole(domain)
dnl Let the caller domain (arg 1) execute newrole_exec_t with an automatic
dnl transition into newrole_t, plus fd inheritance in both directions,
dnl pipe I/O, and SIGCHLD back to the caller.
define(`policy_temp',incr(policy_call_depth)) pushdef(`policy_call_depth',policy_temp) undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `seutil_domtrans_newrole'($*)) dnl
gen_require(`
type newrole_t, newrole_exec_t;
')
dnl path search: the binary lives below usr and bin
files_search_usr($1)
corecmd_search_bin($1)
domain_auto_trans($1, newrole_exec_t, newrole_t)
dnl parent/child plumbing between the caller and newrole_t
allow newrole_t $1:process { sigchld };
allow newrole_t $1:fifo_file rw_file_perms;
allow newrole_t $1:fd { use };
allow $1 newrole_t:fd { use };
define(`policy_temp',decr(policy_call_depth)) pushdef(`policy_call_depth',policy_temp) undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `seutil_domtrans_newrole'($*)) dnl
')
########################################
##
## Execute newrole in the newrole domain, and
## allow the specified role the newrole domain,
## and use the caller's terminal.
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed the newrole domain.
##
##
##
##
## The type of the terminal the newrole domain is allowed to use.
##
##
##
#
define(`seutil_run_newrole',` dnl
dnl seutil_run_newrole(domain, role, terminal)
dnl Same transition as seutil_domtrans_newrole, plus role authorization
dnl for arg 2 and terminal access on type arg 3 for newrole_t.
define(`policy_temp',incr(policy_call_depth)) pushdef(`policy_call_depth',policy_temp) undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `seutil_run_newrole'($*)) dnl
gen_require(`
type newrole_t;
')
seutil_domtrans_newrole($1)
allow newrole_t $3:chr_file rw_term_perms;
role $2 types newrole_t;
define(`policy_temp',decr(policy_call_depth)) pushdef(`policy_call_depth',policy_temp) undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `seutil_run_newrole'($*)) dnl
')
########################################
##
## Execute newrole in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
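define(`seutil_exec_newrole',` dnl
dnl seutil_exec_newrole(domain)
dnl Allow the caller domain (arg 1) to run newrole_exec_t with no domain
dnl transition.
dnl Fix: newrole_t was listed in the require block but never referenced
dnl by any rule below; the unused requirement is dropped so the interface
dnl declares only the dependency it actually uses (newrole_exec_t), in
dnl line with the other *_exec interfaces in this file.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `seutil_exec_newrole'($*)) dnl
gen_require(`
type newrole_exec_t;
')
files_search_usr($1)
corecmd_search_bin($1)
can_exec($1,newrole_exec_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `seutil_exec_newrole'($*)) dnl
')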
########################################
##
## Do not audit the caller attempts to send
## a signal to newrole.
##
##
##
## Domain allowed access.
##
##
#
define(`seutil_dontaudit_signal_newrole',` dnl
dnl seutil_dontaudit_signal_newrole(domain)
dnl Suppress audit messages when the caller domain (arg 1) attempts to
dnl send a signal to newrole_t. Nothing is allowed; only the denial is
dnl silenced.
define(`policy_temp',incr(policy_call_depth)) pushdef(`policy_call_depth',policy_temp) undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `seutil_dontaudit_signal_newrole'($*)) dnl
gen_require(`
type newrole_t;
')
dontaudit $1 newrole_t:process { signal };
define(`policy_temp',decr(policy_call_depth)) pushdef(`policy_call_depth',policy_temp) undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `seutil_dontaudit_signal_newrole'($*)) dnl
')
########################################
##
## Send a SIGCHLD signal to newrole.
##
##
##
## Domain allowed access.
##
##
#
define(`seutil_sigchld_newrole',` dnl
dnl seutil_sigchld_newrole(domain)
dnl Allow the caller domain (arg 1) to deliver SIGCHLD to newrole_t.
define(`policy_temp',incr(policy_call_depth)) pushdef(`policy_call_depth',policy_temp) undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `seutil_sigchld_newrole'($*)) dnl
gen_require(`
type newrole_t;
')
allow $1 newrole_t:process { sigchld };
define(`policy_temp',decr(policy_call_depth)) pushdef(`policy_call_depth',policy_temp) undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `seutil_sigchld_newrole'($*)) dnl
')
########################################
##
## Inherit and use newrole file descriptors.
##
##
##
## Domain allowed access.
##
##
#
define(`seutil_use_newrole_fds',` dnl
dnl seutil_use_newrole_fds(domain)
dnl Allow the caller domain (arg 1) to use file descriptors inherited
dnl from newrole_t.
define(`policy_temp',incr(policy_call_depth)) pushdef(`policy_call_depth',policy_temp) undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `seutil_use_newrole_fds'($*)) dnl
gen_require(`
type newrole_t;
')
allow $1 newrole_t:fd { use };
define(`policy_temp',decr(policy_call_depth)) pushdef(`policy_call_depth',policy_temp) undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `seutil_use_newrole_fds'($*)) dnl
')
#######################################
##
## Execute restorecon in the restorecon domain.
##
##
##
## Domain allowed access.
##
##
#
define(`seutil_domtrans_restorecon',` dnl
dnl seutil_domtrans_restorecon(domain)
dnl Let the caller domain (arg 1) execute restorecon_exec_t with an
dnl automatic transition into restorecon_t, plus fd inheritance in both
dnl directions, pipe I/O, and SIGCHLD back to the caller.
define(`policy_temp',incr(policy_call_depth)) pushdef(`policy_call_depth',policy_temp) undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `seutil_domtrans_restorecon'($*)) dnl
gen_require(`
type restorecon_t, restorecon_exec_t;
')
corecmd_search_sbin($1)
domain_auto_trans($1, restorecon_exec_t, restorecon_t)
dnl parent/child plumbing between the caller and restorecon_t
allow restorecon_t $1:process { sigchld };
allow restorecon_t $1:fifo_file rw_file_perms;
allow restorecon_t $1:fd { use };
allow $1 restorecon_t:fd { use };
define(`policy_temp',decr(policy_call_depth)) pushdef(`policy_call_depth',policy_temp) undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `seutil_domtrans_restorecon'($*)) dnl
')
########################################
##
## Execute restorecon in the restorecon domain, and
## allow the specified role the restorecon domain,
## and use the caller's terminal.
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed the restorecon domain.
##
##
##
##
## The type of the terminal the restorecon domain is allowed to use.
##
##
##
#
define(`seutil_run_restorecon',` dnl
dnl seutil_run_restorecon(domain, role, terminal)
dnl Same transition as seutil_domtrans_restorecon, plus role authorization
dnl for arg 2 and terminal access on type arg 3 for restorecon_t.
define(`policy_temp',incr(policy_call_depth)) pushdef(`policy_call_depth',policy_temp) undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `seutil_run_restorecon'($*)) dnl
gen_require(`
type restorecon_t;
')
seutil_domtrans_restorecon($1)
allow restorecon_t $3:chr_file rw_term_perms;
role $2 types restorecon_t;
define(`policy_temp',decr(policy_call_depth)) pushdef(`policy_call_depth',policy_temp) undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `seutil_run_restorecon'($*)) dnl
')
########################################
##
## Execute restorecon in the caller domain.
##
##
##
## Domain allowed access.
##
##
##
#
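define(`seutil_exec_restorecon',` dnl
dnl seutil_exec_restorecon(domain)
dnl Allow the caller domain (arg 1) to run restorecon_exec_t with no
dnl domain transition.
dnl Fix: restorecon_t was listed in the require block but never referenced
dnl by any rule below; the unused requirement is dropped so the interface
dnl declares only the dependency it actually uses (restorecon_exec_t), in
dnl line with the other *_exec interfaces in this file.
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `seutil_exec_restorecon'($*)) dnl
gen_require(`
type restorecon_exec_t;
')
corecmd_search_sbin($1)
can_exec($1,restorecon_exec_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `seutil_exec_restorecon'($*)) dnl
')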
########################################
##
## Execute run_init in the run_init domain.
##
##
##
## Domain allowed access.
##
##
#
define(`seutil_domtrans_runinit',` dnl
dnl seutil_domtrans_runinit(domain)
dnl Let the caller domain (arg 1) execute run_init_exec_t with an
dnl automatic transition into run_init_t, plus fd inheritance in both
dnl directions, pipe I/O, and SIGCHLD back to the caller.
define(`policy_temp',incr(policy_call_depth)) pushdef(`policy_call_depth',policy_temp) undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `seutil_domtrans_runinit'($*)) dnl
gen_require(`
type run_init_t, run_init_exec_t;
')
dnl path search: the binary lives below usr and sbin
files_search_usr($1)
corecmd_search_sbin($1)
domain_auto_trans($1, run_init_exec_t, run_init_t)
dnl parent/child plumbing between the caller and run_init_t
allow run_init_t $1:process { sigchld };
allow run_init_t $1:fifo_file rw_file_perms;
allow run_init_t $1:fd { use };
allow $1 run_init_t:fd { use };
define(`policy_temp',decr(policy_call_depth)) pushdef(`policy_call_depth',policy_temp) undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `seutil_domtrans_runinit'($*)) dnl
')
########################################
##
## Execute init scripts in the run_init domain.
##
##
##
## Execute init scripts in the run_init domain.
## This is used for the Gentoo integrated run_init.
##
##
##
##
## Domain allowed access.
##
##
#
define(`seutil_init_script_domtrans_runinit',` dnl
dnl seutil_init_script_domtrans_runinit(domain)
dnl Gentoo integrated run_init: executing an init script from the caller
dnl domain (arg 1) transitions into run_init_t (via
dnl init_script_file_domtrans), with the usual fd/pipe/SIGCHLD plumbing.
define(`policy_temp',incr(policy_call_depth)) pushdef(`policy_call_depth',policy_temp) undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `seutil_init_script_domtrans_runinit'($*)) dnl
gen_require(`
type run_init_t;
')
init_script_file_domtrans($1, run_init_t)
dnl parent/child plumbing between the caller and run_init_t
allow run_init_t $1:process { sigchld };
allow run_init_t $1:fifo_file rw_file_perms;
allow run_init_t $1:fd { use };
allow $1 run_init_t:fd { use };
define(`policy_temp',decr(policy_call_depth)) pushdef(`policy_call_depth',policy_temp) undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `seutil_init_script_domtrans_runinit'($*)) dnl
')
########################################
##
## Execute run_init in the run_init domain, and
## allow the specified role the run_init domain,
## and use the caller's terminal.
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed the run_init domain.
##
##
##
##
## The type of the terminal the run_init domain is allowed to use.
##
##
##
#
define(`seutil_run_runinit',` dnl
dnl seutil_run_runinit(domain, role, terminal)
dnl Same transition as seutil_domtrans_runinit, plus: role authorization
dnl for arg 2 on run_init_t, terminal access on type arg 3 for run_init_t,
dnl a role change from arg 2 to system_r, and the password-update helper
dnl transition (auth_run_upd_passwd) for the same domain/role/terminal.
dnl Note the reach of this interface: the role gains system_r as well.
define(`policy_temp',incr(policy_call_depth)) pushdef(`policy_call_depth',policy_temp) undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `seutil_run_runinit'($*)) dnl
gen_require(`
type run_init_t;
role system_r;
')
seutil_domtrans_runinit($1)
auth_run_upd_passwd($1, $2, $3)
role $2 types run_init_t;
allow $2 system_r;
allow run_init_t $3:chr_file rw_term_perms;
define(`policy_temp',decr(policy_call_depth)) pushdef(`policy_call_depth',policy_temp) undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `seutil_run_runinit'($*)) dnl
')
########################################
##
## Execute init scripts in the run_init domain, and
## allow the specified role the run_init domain,
## and use the caller's terminal.
##
##
##
## Execute init scripts in the run_init domain, and
## allow the specified role the run_init domain,
## and use the caller's terminal.
##
##
## This is used for the Gentoo integrated run_init.
##
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed the run_init domain.
##
##
##
##
## The type of the terminal the run_init domain is allowed to use.
##
##
#
define(`seutil_init_script_run_runinit',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `seutil_init_script_run_runinit'($*)) dnl
gen_require(`
type run_init_t;
role system_r;
')
# Gentoo variant of seutil_run_runinit: same role and terminal grants,
# but the transition is triggered by init script files and, unlike
# seutil_run_runinit, no password-update domain is wired in.
seutil_init_script_domtrans_runinit($1)
allow run_init_t $3:chr_file rw_term_perms;
# Role change into system_r is a privilege boundary; restrict callers
# to administrative roles.
allow $2 system_r;
role $2 types run_init_t;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `seutil_init_script_run_runinit'($*)) dnl
')
########################################
##
## Inherit and use run_init file descriptors.
##
##
##
## Domain allowed access.
##
##
#
define(`seutil_use_runinit_fds',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `seutil_use_runinit_fds'($*)) dnl
gen_require(`
type run_init_t;
')
# One-way grant: the caller may use descriptors it inherited from
# run_init_t. The reverse direction is not given here.
allow $1 run_init_t:fd use;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `seutil_use_runinit_fds'($*)) dnl
')
########################################
##
## Execute setfiles in the setfiles domain.
##
##
##
## Domain allowed access.
##
##
#
define(`seutil_domtrans_setfiles',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `seutil_domtrans_setfiles'($*)) dnl
gen_require(`
type setfiles_t, setfiles_exec_t;
')
# Path lookup to reach the setfiles binary, then the automatic
# transition into setfiles_t on execution of setfiles_exec_t.
corecmd_search_sbin($1)
files_search_usr($1)
domain_auto_trans($1,setfiles_exec_t,setfiles_t)
# Minimal parent/child plumbing: exit status, inherited pipes and
# descriptors in both directions. Nothing here lets the caller
# influence setfiles_t once it is running.
allow setfiles_t $1:process sigchld;
allow setfiles_t $1:fifo_file rw_file_perms;
allow setfiles_t $1:fd use;
allow $1 setfiles_t:fd use;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `seutil_domtrans_setfiles'($*)) dnl
')
########################################
##
## Execute setfiles in the setfiles domain, and
## allow the specified role the setfiles domain,
## and use the caller's terminal.
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed the setfiles domain.
##
##
##
##
## The type of the terminal the setfiles domain is allowed to use.
##
##
##
#
define(`seutil_run_setfiles',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `seutil_run_setfiles'($*)) dnl
gen_require(`
type setfiles_t;
')
# Transition rules from the base interface, then the role authorization
# and terminal access that make the tool usable from an interactive role.
# Note that, unlike seutil_run_runinit, no role change is granted here.
seutil_domtrans_setfiles($1)
allow setfiles_t $3:chr_file rw_term_perms;
role $2 types setfiles_t;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `seutil_run_setfiles'($*)) dnl
')
########################################
##
## Execute setfiles in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`seutil_exec_setfiles',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `seutil_exec_setfiles'($*)) dnl
gen_require(`
type setfiles_exec_t;
')
# Execute setfiles without a domain transition: the relabeling runs with
# whatever rights the caller already has, so this is only appropriate
# for domains that are trusted to relabel files on their own.
corecmd_search_sbin($1)
files_search_usr($1)
can_exec($1,setfiles_exec_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `seutil_exec_setfiles'($*)) dnl
')
########################################
##
## Do not audit attempts to search the SELinux
## configuration directory (/etc/selinux).
##
##
##
## Domain to not audit.
##
##
#
define(`seutil_dontaudit_search_config',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `seutil_dontaudit_search_config'($*)) dnl
gen_require(`
type selinux_config_t;
')
# Silence the audit record only; the search is still denied. Use this
# for domains that probe /etc/selinux harmlessly so real denials elsewhere
# are not buried in noise.
dontaudit $1 selinux_config_t:dir search;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `seutil_dontaudit_search_config'($*)) dnl
')
########################################
##
## Do not audit attempts to read the SELinux
## userland configuration (/etc/selinux).
##
##
##
## Domain to not audit.
##
##
#
define(`seutil_dontaudit_read_config',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `seutil_dontaudit_read_config'($*)) dnl
gen_require(`
type selinux_config_t;
')
# Suppress audit noise for reads of the SELinux configuration files and
# the directory lookup that precedes them. Access remains denied.
dontaudit $1 selinux_config_t:file { read getattr };
dontaudit $1 selinux_config_t:dir search;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `seutil_dontaudit_read_config'($*)) dnl
')
########################################
##
## Read the general SELinux configuration files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`seutil_read_config',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `seutil_read_config'($*)) dnl
gen_require(`
type selinux_config_t;
')
# Read-only view of /etc/selinux: reach it through /etc, list the
# directory, read regular files and follow symlinks. No write access.
files_search_etc($1)
allow $1 selinux_config_t:lnk_file { read getattr };
allow $1 selinux_config_t:file r_file_perms;
allow $1 selinux_config_t:dir r_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `seutil_read_config'($*)) dnl
')
########################################
##
## Read and write the general SELinux configuration files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`seutil_rw_config',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `seutil_rw_config'($*)) dnl
gen_require(`
type selinux_config_t;
')
# Modify existing files under /etc/selinux in place. Directory access is
# list-only, so no files or directories can be created or removed.
files_search_etc($1)
allow $1 selinux_config_t:file rw_file_perms;
allow $1 selinux_config_t:dir list_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `seutil_rw_config'($*)) dnl
')
#######################################
##
## Create, read, write, and delete
## the general selinux configuration files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`seutil_manage_selinux_config',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `seutil_manage_selinux_config'($*)) dnl
gen_require(`
type selinux_config_t;
')
# Full control over files in /etc/selinux, including creation and
# deletion, plus the ability to remove directories. Symlinks are
# read-only. This effectively controls the active policy configuration,
# so restrict it to policy management domains.
files_search_etc($1)
allow $1 selinux_config_t:lnk_file { read getattr };
allow $1 selinux_config_t:file manage_file_perms;
allow $1 selinux_config_t:dir { rw_dir_perms rmdir };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `seutil_manage_selinux_config'($*)) dnl
')
#######################################
##
## Create, read, write, and delete
## the general SELinux configuration directories.
##
##
##
## Domain allowed access.
##
##
##
#
define(`seutil_manage_config_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `seutil_manage_config_dirs'($*)) dnl
gen_require(`
type selinux_config_t;
')
# Directory-only management of /etc/selinux: no file class rules, so
# regular files inside cannot be read or written through this interface.
files_search_etc($1)
allow $1 selinux_config_t:dir manage_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `seutil_manage_config_dirs'($*)) dnl
')
########################################
##
## Search the policy directory with default_context files.
##
##
##
## Domain allowed access.
##
##
#
define(`seutil_search_default_contexts',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `seutil_search_default_contexts'($*)) dnl
gen_require(`
type selinux_config_t, default_context_t;
')
# Path traversal only, down through /etc/selinux into the contexts
# directory. No file contents are readable through this interface.
files_search_etc($1)
allow $1 selinux_config_t:dir search;
allow $1 default_context_t:dir search;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `seutil_search_default_contexts'($*)) dnl
')
########################################
##
## Read the default_contexts files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`seutil_read_default_contexts',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `seutil_read_default_contexts'($*)) dnl
gen_require(`
type selinux_config_t, default_context_t;
')
# Read the default_contexts files: traverse /etc/selinux, then list and
# read within the contexts directory. Read-only.
files_search_etc($1)
allow $1 default_context_t:file r_file_perms;
allow $1 default_context_t:dir list_dir_perms;
allow $1 selinux_config_t:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `seutil_read_default_contexts'($*)) dnl
')
########################################
##
## Create, read, write, and delete the default_contexts files.
##
##
##
## Domain allowed access.
##
##
#
define(`seutil_manage_default_contexts',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `seutil_manage_default_contexts'($*)) dnl
gen_require(`
type selinux_config_t, default_context_t;
')
# Full management of the contexts directory and its files. The parent
# /etc/selinux directory itself stays traverse-only. These files decide
# default login contexts, so only policy management domains should get this.
files_search_etc($1)
allow $1 default_context_t:file manage_file_perms;
allow $1 default_context_t:dir manage_dir_perms;
allow $1 selinux_config_t:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `seutil_manage_default_contexts'($*)) dnl
')
########################################
##
## Read the file_contexts files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`seutil_read_file_contexts',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `seutil_read_file_contexts'($*)) dnl
gen_require(`
type selinux_config_t, default_context_t, file_context_t;
')
# Traverse /etc/selinux and the contexts directory, then read the
# file_contexts files via the shared read pattern. Read-only.
files_search_etc($1)
allow $1 selinux_config_t:dir search_dir_perms;
allow $1 default_context_t:dir search_dir_perms;
read_files_pattern($1,file_context_t,file_context_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `seutil_read_file_contexts'($*)) dnl
')
########################################
##
## Do not audit attempts to read the file_contexts files.
##
##
##
## Domain to not audit.
##
##
##
#
define(`seutil_dontaudit_read_file_contexts',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `seutil_dontaudit_read_file_contexts'($*)) dnl
gen_require(`
type selinux_config_t, default_context_t, file_context_t;
')
# Quiet the audit log for the whole lookup-and-read path of the
# file_contexts files. The search into /etc is still granted; the
# dontaudit rules only suppress records, they do not allow anything.
files_search_etc($1)
dontaudit $1 file_context_t:file r_file_perms;
dontaudit $1 { selinux_config_t default_context_t file_context_t }:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `seutil_dontaudit_read_file_contexts'($*)) dnl
')
########################################
##
## Read and write the file_contexts files.
##
##
##
## Domain allowed access.
##
##
#
define(`seutil_rw_file_contexts',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `seutil_rw_file_contexts'($*)) dnl
gen_require(`
type selinux_config_t, file_context_t;
')
# Edit existing file_contexts files in place. The directory is
# read/list only and symlinks are read-only, so no new files can be
# created and none removed through this interface.
files_search_etc($1)
allow $1 file_context_t:lnk_file { read getattr };
allow $1 file_context_t:file rw_file_perms;
allow $1 file_context_t:dir r_dir_perms;
allow $1 selinux_config_t:dir search;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `seutil_rw_file_contexts'($*)) dnl
')
########################################
##
## Create, read, write, and delete the file_contexts files.
##
##
##
## Domain allowed access.
##
##
##
#
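define(`seutil_manage_file_contexts',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `seutil_manage_file_contexts'($*)) dnl
gen_require(`
# default_context_t is used in the dir search rule below, so it must be
# in scope here; seutil_read_file_contexts requires the same three types.
# Without it a module calling this interface can fail to build when
# nothing else has brought the type into scope.
type selinux_config_t, default_context_t, file_context_t;
')
# Full management of the file_contexts files: traverse /etc/selinux and
# the contexts directory, then create, write and delete within the
# file_contexts directory. These files drive relabeling, so this is a
# policy-management privilege.
files_search_etc($1)
allow $1 { selinux_config_t default_context_t }:dir search_dir_perms;
allow $1 file_context_t:dir rw_dir_perms;
allow $1 file_context_t:file manage_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `seutil_manage_file_contexts'($*)) dnl
')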
########################################
##
## Read the SELinux binary policy.
##
##
##
## Domain allowed access.
##
##
#
define(`seutil_read_bin_policy',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `seutil_read_bin_policy'($*)) dnl
gen_require(`
type selinux_config_t, policy_config_t;
')
# Read-only access to the compiled binary policy and its directory,
# reached by traversing /etc/selinux.
files_search_etc($1)
allow $1 policy_config_t:file r_file_perms;
allow $1 policy_config_t:dir r_dir_perms;
allow $1 selinux_config_t:dir search;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `seutil_read_bin_policy'($*)) dnl
')
########################################
##
## Create the SELinux binary policy.
##
##
##
## Domain allowed access.
##
##
#
define(`seutil_create_bin_policy',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `seutil_create_bin_policy'($*)) dnl
gen_require(`
# attribute can_write_binary_policy;
type selinux_config_t, policy_config_t;
')
# Create and write new binary policy files, without read, unlink or
# relabel. Directory access is read plus add-entry, so existing policy
# files cannot be removed through this interface.
files_search_etc($1)
allow $1 selinux_config_t:dir search;
allow $1 policy_config_t:dir ra_dir_perms;
allow $1 policy_config_t:file { getattr create write };
# The attribute marking is left disabled here; the matching
# seutil_manage_bin_policy interface does apply can_write_binary_policy.
# typeattribute $1 can_write_binary_policy;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `seutil_create_bin_policy'($*)) dnl
')
########################################
##
## Allow the caller to relabel a file to the binary policy type.
##
##
##
## Domain allowed access.
##
##
#
define(`seutil_relabelto_bin_policy',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `seutil_relabelto_bin_policy'($*)) dnl
gen_require(`
attribute can_relabelto_binary_policy;
type policy_config_t;
')
# Tag the domain with the attribute so other policy can refer to every
# domain able to create binary-policy-labeled files, then grant the
# relabelto itself. Relabeling an arbitrary file to policy_config_t is a
# way to plant a policy file, so treat this like write access to policy.
typeattribute $1 can_relabelto_binary_policy;
allow $1 policy_config_t:file relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `seutil_relabelto_bin_policy'($*)) dnl
')
########################################
##
## Create, read, write, and delete the SELinux
## binary policy.
##
##
##
## Domain allowed access.
##
##
#
define(`seutil_manage_bin_policy',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `seutil_manage_bin_policy'($*)) dnl
gen_require(`
attribute can_write_binary_policy;
type selinux_config_t, policy_config_t;
')
# Mark the domain as a binary policy writer and grant create-level
# access to the policy files and their directory. Whoever can write the
# binary policy can change what the kernel enforces after the next load,
# so this belongs only to policy management domains.
typeattribute $1 can_write_binary_policy;
files_search_etc($1)
allow $1 policy_config_t:file create_file_perms;
allow $1 policy_config_t:dir rw_dir_perms;
allow $1 selinux_config_t:dir search;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `seutil_manage_bin_policy'($*)) dnl
')
########################################
##
## Read SELinux policy source files.
##
##
##
## Domain allowed access.
##
##
#
define(`seutil_read_src_policy',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `seutil_read_src_policy'($*)) dnl
gen_require(`
type selinux_config_t, policy_src_t;
')
# Read-only access to the policy source tree under /etc/selinux.
files_search_etc($1)
allow $1 policy_src_t:file r_file_perms;
allow $1 policy_src_t:dir r_dir_perms;
allow $1 selinux_config_t:dir search;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `seutil_read_src_policy'($*)) dnl
')
########################################
##
## Create, read, write, and delete SELinux
## policy source files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`seutil_manage_src_policy',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `seutil_manage_src_policy'($*)) dnl
gen_require(`
type selinux_config_t, policy_src_t;
')
# Create-level access to the policy source tree and its directories.
# Source edits become enforced policy once rebuilt and loaded, so this
# is as sensitive as binary policy write access.
files_search_etc($1)
allow $1 policy_src_t:file create_file_perms;
allow $1 policy_src_t:dir create_dir_perms;
allow $1 selinux_config_t:dir search;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `seutil_manage_src_policy'($*)) dnl
')
########################################
##
## Execute a domain transition to run semanage.
##
##
##
## Domain allowed to transition.
##
##
#
define(`seutil_domtrans_semanage',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `seutil_domtrans_semanage'($*)) dnl
gen_require(`
type semanage_t, semanage_exec_t;
')
# The caller is made an MLS range-transition source, presumably so the
# semanage child can run at a different range -- confirm against the
# mls module. Then path lookup (bin, not sbin, unlike the setfiles
# interfaces) and the automatic transition into semanage_t.
mls_rangetrans_source($1)
corecmd_search_bin($1)
files_search_usr($1)
domain_auto_trans($1,semanage_exec_t,semanage_t)
# Standard parent/child plumbing: exit status, inherited pipes and
# descriptors in both directions.
allow semanage_t $1:process sigchld;
allow semanage_t $1:fifo_file rw_file_perms;
allow semanage_t $1:fd use;
allow $1 semanage_t:fd use;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `seutil_domtrans_semanage'($*)) dnl
')
########################################
##
## Execute semanage in the semanage domain, and
## allow the specified role the semanage domain,
## and use the caller's terminal.
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed the semanage domain.
##
##
##
##
## The type of the terminal the semanage domain is allowed to use.
##
##
##
#
define(`seutil_run_semanage',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `seutil_run_semanage'($*)) dnl
gen_require(`
type semanage_t;
')
# Transition rules from the base interface, then role authorization and
# terminal access for interactive use. No role change is granted.
seutil_domtrans_semanage($1)
allow semanage_t $3:chr_file rw_term_perms;
role $2 types semanage_t;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `seutil_run_semanage'($*)) dnl
')
########################################
##
## Full management of the semanage
## module store.
##
##
##
## Domain allowed access.
##
##
#
define(`seutil_manage_module_store',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `seutil_manage_module_store'($*)) dnl
gen_require(`
type selinux_config_t, semanage_store_t;
')
# Full access to the module store plus write access to /etc/selinux so
# the store directory can be created there. The type_transition labels
# directories the domain creates under selinux_config_t as
# semanage_store_t, which keeps the store separate from the rest of the
# configuration.
files_search_etc($1)
allow $1 semanage_store_t:file create_file_perms;
allow $1 semanage_store_t:dir create_dir_perms;
type_transition $1 selinux_config_t:dir semanage_store_t;
allow $1 selinux_config_t:dir rw_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `seutil_manage_module_store'($*)) dnl
')
#######################################
##
## Get read lock on module store
##
##
##
## Domain allowed access.
##
##
#
define(`seutil_get_semanage_read_lock',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `seutil_get_semanage_read_lock'($*)) dnl
gen_require(`
type selinux_config_t, semanage_read_lock_t;
')
# Read/write on the read-lock file is what the locking call needs; the
# directory access only reaches the file, no other config is touched.
files_search_etc($1)
allow $1 semanage_read_lock_t:file rw_file_perms;
allow $1 selinux_config_t:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `seutil_get_semanage_read_lock'($*)) dnl
')
#######################################
##
## Get trans lock on module store
##
##
##
## Domain allowed access.
##
##
#
define(`seutil_get_semanage_trans_lock',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `seutil_get_semanage_trans_lock'($*)) dnl
gen_require(`
type selinux_config_t, semanage_trans_lock_t;
')
# Same shape as the read lock interface, for the transaction lock file.
# Holding this lock serializes module store changes, so only domains
# that legitimately modify the store should get it.
files_search_etc($1)
allow $1 semanage_trans_lock_t:file rw_file_perms;
allow $1 selinux_config_t:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `seutil_get_semanage_trans_lock'($*)) dnl
')
#######################################
##
## Make the specified domain an SELinux management GUI.
##
##
##
## Domain allowed access.
##
##
#
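define(`seutil_semanage_domain',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `seutil_semanage_domain'($*)) dnl
gen_require(`
type policy_config_t, semanage_tmp_t, semanage_exec_t;
')
# Process-level privileges. dac_override bypasses discretionary file
# permission checks and sys_resource lifts resource limits; combined with
# the policy write rights granted further down this makes the domain a
# fully trusted policy manager, so keep the set of domains given this
# interface small.
allow $1 self:capability { sys_resource dac_override };
dontaudit $1 self:capability sys_tty_config;
allow $1 self:process signal;
allow $1 self:unix_stream_socket create_stream_socket_perms;
allow $1 self:unix_dgram_socket create_socket_perms;
logging_send_audit_msgs($1)
allow $1 self:fifo_file rw_file_perms;
# Direct read/write of the installed binary policy file, on top of the
# create-level access granted via seutil_manage_bin_policy below.
allow $1 policy_config_t:file { read write };
# Scratch space for module builds; files_tmp_filetrans presumably makes
# new files and dirs in the generic tmp directory land in semanage_tmp_t.
allow $1 semanage_tmp_t:dir create_dir_perms;
allow $1 semanage_tmp_t:file create_file_perms;
files_tmp_filetrans($1, semanage_tmp_t, { file dir })
# Running genhomedircon requires this for finding all users
# (single call; the duplicate that used to follow term_use_all_terms was
# redundant and has been folded into this one).
auth_use_nsswitch($1)
# Re-exec the semanage binary in the same domain, no transition.
can_exec($1,semanage_exec_t)
kernel_read_system_state($1)
kernel_read_kernel_sysctls($1)
fs_list_inotifyfs($1)
corecmd_exec_bin($1)
corecmd_exec_sbin($1)
corecmd_exec_shell($1)
init_use_fds($1)
init_use_script_fds($1)
init_exec_script_files($1)
init_dontaudit_use_script_ptys($1)
dev_read_urand($1)
domain_use_interactive_fds($1)
domain_dontaudit_search_all_domains_state($1)
files_read_etc_files($1)
files_read_etc_runtime_files($1)
files_read_usr_files($1)
files_list_pids($1)
# Modules often created in /tmp dir
files_read_all_tmp_files($1)
mls_file_write_down($1)
mls_rangetrans_target($1)
mls_file_read_up($1)
selinux_validate_context($1)
selinux_get_enforce_mode($1)
# for setsebool:
selinux_set_boolean($1)
term_use_all_terms($1)
# Admins are creating pp files in random locations
auth_read_all_files_except_shadow($1)
libs_use_ld_so($1)
libs_use_shared_libs($1)
libs_use_lib_files($1)
locallogin_use_fds($1)
logging_send_syslog_msg($1)
miscfiles_read_localization($1)
# Policy store and configuration: file_contexts, /etc/selinux, the
# binary policy, the module store with both of its locks, and the
# setfiles and loadpolicy transitions.
seutil_manage_file_contexts($1)
seutil_manage_selinux_config($1)
seutil_domtrans_setfiles($1)
seutil_domtrans_loadpolicy($1)
seutil_read_config($1)
seutil_manage_bin_policy($1)
seutil_use_newrole_fds($1)
seutil_manage_module_store($1)
seutil_get_semanage_trans_lock($1)
seutil_get_semanage_read_lock($1)
# netfilter_contexts:
seutil_manage_default_contexts($1)
userdom_search_sysadm_home_dirs($1)
userdom_dontaudit_write_unpriv_user_home_content_files($1)
optional_policy(`
consoletype_exec($1)
')
optional_policy(`
xserver_dontaudit_use_xdm_fds($1)
xserver_dontaudit_rw_xdm_pipes($1)
')
ifdef(`targeted_policy',`
# Handle pp files created in homedir and /tmp
files_read_generic_tmp_files($1)
userdom_read_generic_user_home_content_files($1)
unconfined_dontaudit_read_pipes($1)
')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `seutil_semanage_domain'($*)) dnl
')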
## SELinux MLS/MCS label translation service.
#######################################
##
## Allow a domain to translate contexts.
##
##
##
## Domain allowed access.
##
##
#
define(`setrans_translate_context',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `setrans_translate_context'($*)) dnl
gen_require(`
type setrans_t, setrans_var_run_t;
')
# Client side of the label translation service: create a unix stream
# socket, find the socket file under the pid directory, connect to the
# daemon and ask it to translate. The translate permission on the
# context class is the actual policy check; the rest is transport.
allow $1 setrans_t:context translate;
files_list_pids($1)
allow $1 setrans_var_run_t:dir search_dir_perms;
allow $1 setrans_var_run_t:sock_file rw_file_perms;
allow $1 setrans_var_run_t:unix_stream_socket rw_socket_perms;
allow $1 setrans_t:unix_stream_socket connectto;
allow $1 self:unix_stream_socket create_stream_socket_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `setrans_translate_context'($*)) dnl
')
## Policy for network configuration: ifconfig and dhcp client.
#######################################
##
## Execute dhcp client in dhcpc domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`sysnet_domtrans_dhcpc',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `sysnet_domtrans_dhcpc'($*)) dnl
gen_require(`
type dhcpc_t, dhcpc_exec_t;
')
# Automatic transition into dhcpc_t when the caller executes the client
# binary. Only sbin lookup is granted here; the seutil domtrans
# interfaces also grant files_search_usr, so if the client lives under
# /usr/sbin the caller needs that from elsewhere -- confirm.
corecmd_search_sbin($1)
domain_auto_trans($1, dhcpc_exec_t, dhcpc_t)
# Parent/child plumbing: exit status, inherited pipes and descriptors.
allow dhcpc_t $1:process sigchld;
allow dhcpc_t $1:fifo_file rw_file_perms;
allow dhcpc_t $1:fd use;
allow $1 dhcpc_t:fd use;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `sysnet_domtrans_dhcpc'($*)) dnl
')
########################################
##
## Execute DHCP clients in the dhcpc domain, and
## allow the specified role the dhcpc domain.
##
##
##
## The type of the process performing this action.
##
##
##
##
## The role to be allowed the dhcpc domain.
##
##
##
##
## The type of the terminal the dhcpc domain is allowed to use.
##
##
##
#
define(`sysnet_run_dhcpc',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `sysnet_run_dhcpc'($*)) dnl
gen_require(`
type dhcpc_t;
')
# Transition rules from the base interface, role authorization, and
# terminal access spelled out as an explicit permission set rather than
# the rw_term_perms macro the seutil run interfaces use.
sysnet_domtrans_dhcpc($1)
allow dhcpc_t $3:chr_file { read write getattr ioctl };
role $2 types dhcpc_t;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `sysnet_run_dhcpc'($*)) dnl
')
########################################
##
## Send a SIGCHLD signal to the dhcp client.
##
##
##
## The domain sending the SIGCHLD.
##
##
#
define(`sysnet_sigchld_dhcpc',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `sysnet_sigchld_dhcpc'($*)) dnl
gen_require(`
type dhcpc_t;
')
# SIGCHLD only; no other signal and no process state access.
allow $1 dhcpc_t:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `sysnet_sigchld_dhcpc'($*)) dnl
')
########################################
##
## Send a kill signal to the dhcp client.
##
##
##
## The domain sending the SIGKILL.
##
##
##
#
define(`sysnet_kill_dhcpc',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `sysnet_kill_dhcpc'($*)) dnl
gen_require(`
type dhcpc_t;
')
# SIGKILL is not catchable, so this lets the caller take the DHCP
# client down and thereby affect network configuration; grant it to
# network management and init-style domains only.
allow $1 dhcpc_t:process sigkill;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `sysnet_kill_dhcpc'($*)) dnl
')
########################################
##
## Send a SIGSTOP signal to the dhcp client.
##
##
##
## The domain sending the SIGSTOP.
##
##
#
define(`sysnet_sigstop_dhcpc',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `sysnet_sigstop_dhcpc'($*)) dnl
gen_require(`
type dhcpc_t;
')
# SIGSTOP only. Like sigkill this can freeze the client and stall lease
# handling, so treat it as a management privilege.
allow $1 dhcpc_t:process sigstop;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `sysnet_sigstop_dhcpc'($*)) dnl
')
########################################
##
## Send a null signal to the dhcp client.
##
##
##
## The domain sending the null signal.
##
##
#
define(`sysnet_signull_dhcpc',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `sysnet_signull_dhcpc'($*)) dnl
gen_require(`
type dhcpc_t;
')
# Signal 0: existence check for the client process only, nothing is
# delivered. The least privileged of the signal interfaces.
allow $1 dhcpc_t:process signull;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `sysnet_signull_dhcpc'($*)) dnl
')
########################################
##
## Send a generic signal to the dhcp client.
##
##
##
## The domain sending the signal.
##
##
##
#
define(`sysnet_signal_dhcpc',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `sysnet_signal_dhcpc'($*)) dnl
gen_require(`
type dhcpc_t;
')
# The generic signal permission; SIGKILL, SIGSTOP and signal 0
# are separate permissions and are NOT implied by this rule.
allow $1 dhcpc_t:process signal;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `sysnet_signal_dhcpc'($*)) dnl
')
########################################
##
## Send and receive messages from
## dhcpc over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`sysnet_dbus_chat_dhcpc',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `sysnet_dbus_chat_dhcpc'($*)) dnl
gen_require(`
type dhcpc_t;
class dbus send_msg;
')
# Bidirectional: both the caller and the dhcp client may send
# D-Bus messages to each other. This is wider than a one-way
# send, so only use it where the caller genuinely receives replies.
allow $1 dhcpc_t:dbus send_msg;
allow dhcpc_t $1:dbus send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `sysnet_dbus_chat_dhcpc'($*)) dnl
')
########################################
##
## Read and write dhcp configuration files.
##
##
##
## The domain allowed access.
##
##
#
define(`sysnet_rw_dhcp_config',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `sysnet_rw_dhcp_config'($*)) dnl
gen_require(`
type dhcp_etc_t;
')
# Search of /etc is needed to reach the config files.
files_search_etc($1)
# rw_file_perms on the files only. NOTE(review): unlike
# sysnet_read_dhcp_config, no dir search on dhcp_etc_t is granted
# here; if the config lives in a dhcp_etc_t directory the caller
# needs that separately -- confirm against callers.
allow $1 dhcp_etc_t:file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `sysnet_rw_dhcp_config'($*)) dnl
')
########################################
##
## Read dhcp client state files.
##
##
##
## The domain allowed access.
##
##
#
define(`sysnet_read_dhcpc_state',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `sysnet_read_dhcpc_state'($*)) dnl
gen_require(`
type dhcpc_state_t;
')
# read_files_pattern(domain, dirtype, filetype): read access to
# dhcpc_state_t files inside dhcpc_state_t directories.
read_files_pattern($1, dhcpc_state_t, dhcpc_state_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `sysnet_read_dhcpc_state'($*)) dnl
')
#######################################
##
## Delete the dhcp client state files.
##
##
##
## The type of the process performing this action.
##
##
#
define(`sysnet_delete_dhcpc_state',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `sysnet_delete_dhcpc_state'($*)) dnl
gen_require(`
type dhcpc_state_t;
')
# delete_files_pattern(domain, dirtype, filetype): unlink of
# dhcpc_state_t files in dhcpc_state_t directories. Deletion
# is destructive, so prefer sysnet_read_dhcpc_state where
# read access is all that is needed.
delete_files_pattern($1, dhcpc_state_t, dhcpc_state_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `sysnet_delete_dhcpc_state'($*)) dnl
')
#######################################
##
## Allow network init to read network config files.
##
##
##
## The type of the process performing this action.
##
##
#
define(`sysnet_read_config',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `sysnet_read_config'($*)) dnl
gen_require(`
type net_conf_t;
')
# Search of /etc is needed to reach net_conf_t files.
files_search_etc($1)
# Read-only access to network config files.
allow $1 net_conf_t:file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `sysnet_read_config'($*)) dnl
')
#######################################
##
## Write network config files.
##
##
##
## Domain allowed access.
##
##
#
define(`sysnet_write_config',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `sysnet_write_config'($*)) dnl
gen_require(`
type net_conf_t;
')
# Search of /etc is needed to reach net_conf_t files.
files_search_etc($1)
# Write-only access to existing network config files (no create
# or unlink; see sysnet_manage_config for that). Writers of
# net_conf_t can influence name resolution for every domain that
# uses sysnet_dns_name_resolve, so grant this sparingly.
allow $1 net_conf_t:file write_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `sysnet_write_config'($*)) dnl
')
#######################################
##
## Do not audit attempts to read network config files.
##
##
##
## Domain to not audit.
##
##
#
define(`sysnet_dontaudit_read_config',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `sysnet_dontaudit_read_config'($*)) dnl
gen_require(`
type net_conf_t;
')
# Silences the denial only; no access is granted. Use for domains
# that probe network config files but work fine without them.
dontaudit $1 net_conf_t:file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `sysnet_dontaudit_read_config'($*)) dnl
')
#######################################
##
## Create files in /etc with the type used for
## the network config files.
##
##
##
## The type of the process performing this action.
##
##
#
define(`sysnet_etc_filetrans_config',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `sysnet_etc_filetrans_config'($*)) dnl
gen_require(`
type net_conf_t;
')
# Files the caller creates in /etc get the net_conf_t label
# automatically (class file only). This sets the label of new
# files; the permission to create them comes from elsewhere.
files_etc_filetrans($1,net_conf_t,file)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `sysnet_etc_filetrans_config'($*)) dnl
')
#######################################
##
## Create, read, write, and delete network config files.
##
##
##
## The type of the process performing this action.
##
##
#
define(`sysnet_manage_config',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `sysnet_manage_config'($*)) dnl
gen_require(`
type net_conf_t;
')
# Full create/read/write/unlink on net_conf_t files.
# NOTE(review): unlike sysnet_read_config and sysnet_write_config,
# this does not call files_search_etc, and no directory permissions
# are granted -- presumably the caller already has them; confirm.
allow $1 net_conf_t:file create_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `sysnet_manage_config'($*)) dnl
')
#######################################
##
## Read the dhcp client pid file.
##
##
##
## The type of the process performing this action.
##
##
#
define(`sysnet_read_dhcpc_pid',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `sysnet_read_dhcpc_pid'($*)) dnl
gen_require(`
type dhcpc_var_run_t;
')
# Listing the pid directory is needed to find the file.
files_list_pids($1)
# Deliberately narrower than r_file_perms: getattr + read only.
allow $1 dhcpc_var_run_t:file { getattr read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `sysnet_read_dhcpc_pid'($*)) dnl
')
#######################################
##
## Delete the dhcp client pid file.
##
##
##
## The type of the process performing this action.
##
##
#
define(`sysnet_delete_dhcpc_pid',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `sysnet_delete_dhcpc_pid'($*)) dnl
gen_require(`
type dhcpc_var_run_t;
')
# unlink on the pid file only. NOTE(review): unlike
# sysnet_read_dhcpc_pid there is no files_list_pids call here, so
# access to the containing directory must come from the caller.
allow $1 dhcpc_var_run_t:file unlink;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `sysnet_delete_dhcpc_pid'($*)) dnl
')
#######################################
##
## Execute ifconfig in the ifconfig domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`sysnet_domtrans_ifconfig',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `sysnet_domtrans_ifconfig'($*)) dnl
gen_require(`
type ifconfig_t, ifconfig_exec_t;
')
# ifconfig lives under sbin; the caller must be able to reach it.
corecmd_search_sbin($1)
# Executing ifconfig_exec_t moves the caller into ifconfig_t.
domain_auto_trans($1, ifconfig_exec_t, ifconfig_t)
# Standard parent/child plumbing: descriptors may be used in both
# directions, the child may read/write pipes inherited from the
# caller and may send the caller SIGCHLD on exit.
allow $1 ifconfig_t:fd use;
allow ifconfig_t $1:fd use;
allow ifconfig_t $1:fifo_file rw_file_perms;
allow ifconfig_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `sysnet_domtrans_ifconfig'($*)) dnl
')
########################################
##
## Execute ifconfig in the ifconfig domain, and
## allow the specified role the ifconfig domain,
## and use the caller's terminal.
##
##
##
## The type of the process performing this action.
##
##
##
##
## The role to be allowed the ifconfig domain.
##
##
##
##
## The type of the terminal to allow the ifconfig domain to use.
##
##
##
#
define(`sysnet_run_ifconfig',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `sysnet_run_ifconfig'($*)) dnl
gen_require(`
type ifconfig_t;
')
# corecmd_search_sbin is also called inside sysnet_domtrans_ifconfig;
# the repeated call is harmless.
corecmd_search_sbin($1)
sysnet_domtrans_ifconfig($1)
# Second argument: the role authorised to run in ifconfig_t. Without
# this the domain transition would be refused by role enforcement.
role $2 types ifconfig_t;
# Third argument: the terminal type ifconfig_t may read/write, so
# interactive invocations keep their tty.
allow ifconfig_t $3:chr_file rw_term_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `sysnet_run_ifconfig'($*)) dnl
')
#######################################
##
## Execute ifconfig in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`sysnet_exec_ifconfig',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `sysnet_exec_ifconfig'($*)) dnl
gen_require(`
type ifconfig_exec_t;
')
corecmd_search_sbin($1)
# No domain transition: ifconfig runs with the full privileges of
# the caller domain. Prefer sysnet_domtrans_ifconfig unless the
# caller is itself already trusted to configure interfaces.
can_exec($1,ifconfig_exec_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `sysnet_exec_ifconfig'($*)) dnl
')
########################################
##
## Read the DHCP configuration files.
##
##
##
## Domain allowed access.
##
##
#
define(`sysnet_read_dhcp_config',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `sysnet_read_dhcp_config'($*)) dnl
gen_require(`
type dhcp_etc_t;
')
files_search_etc($1)
# dhcp_etc_t is also used for a directory, hence the dir search.
allow $1 dhcp_etc_t:dir search;
# Narrower than r_file_perms: getattr + read only.
allow $1 dhcp_etc_t:file { getattr read };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `sysnet_read_dhcp_config'($*)) dnl
')
########################################
##
## Search the DHCP state data directory.
##
##
##
## Domain allowed access.
##
##
#
define(`sysnet_search_dhcp_state',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `sysnet_search_dhcp_state'($*)) dnl
gen_require(`
type dhcp_state_t;
')
# The state directory is under /var/lib; search only, no listing.
files_search_var_lib($1)
allow $1 dhcp_state_t:dir search;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `sysnet_search_dhcp_state'($*)) dnl
')
########################################
##
## Create DHCP state data.
##
##
##
## Create DHCP state data.
##
##
## This is added for DHCP server, as
## the server and client put their state
## files in the same directory.
##
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the object to be created
##
##
##
##
## The object class.
##
##
#
define(`sysnet_dhcp_state_filetrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `sysnet_dhcp_state_filetrans'($*)) dnl
gen_require(`
type dhcp_state_t;
')
files_search_var_lib($1)
# Creating entries requires write access to the shared state dir.
allow $1 dhcp_state_t:dir rw_dir_perms;
# Objects of class (third argument) created in dhcp_state_t
# directories are labelled with the type given as second argument,
# so server and client state stay distinguishable despite sharing
# the directory.
type_transition $1 dhcp_state_t:$3 $2;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `sysnet_dhcp_state_filetrans'($*)) dnl
')
########################################
##
## Perform a DNS name resolution.
##
##
##
## Domain allowed access.
##
##
##
#
define(`sysnet_dns_name_resolve',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `sysnet_dns_name_resolve'($*)) dnl
gen_require(`
type net_conf_t;
')
# Resolvers use UDP normally and fall back to TCP for large answers.
allow $1 self:tcp_socket create_socket_perms;
allow $1 self:udp_socket create_socket_perms;
corenet_non_ipsec_sendrecv($1)
corenet_tcp_sendrecv_all_if($1)
corenet_udp_sendrecv_all_if($1)
corenet_tcp_sendrecv_all_nodes($1)
corenet_udp_sendrecv_all_nodes($1)
# Port access is limited to the DNS port; only TCP needs connect.
corenet_tcp_sendrecv_dns_port($1)
corenet_udp_sendrecv_dns_port($1)
corenet_tcp_connect_dns_port($1)
corenet_sendrecv_dns_client_packets($1)
# resolv.conf and friends are net_conf_t.
files_search_etc($1)
allow $1 net_conf_t:file r_file_perms;
# Alternative resolution paths, only if those modules are present.
optional_policy(`
avahi_stream_connect($1)
')
optional_policy(`
nscd_socket_use($1)
')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `sysnet_dns_name_resolve'($*)) dnl
')
########################################
##
## Connect and use a LDAP server.
##
##
##
## Domain allowed access.
##
##
#
define(`sysnet_use_ldap',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `sysnet_use_ldap'($*)) dnl
gen_require(`
type net_conf_t;
')
# LDAP is TCP only; no UDP socket is granted.
allow $1 self:tcp_socket create_socket_perms;
corenet_non_ipsec_sendrecv($1)
corenet_tcp_sendrecv_all_if($1)
corenet_tcp_sendrecv_all_nodes($1)
corenet_tcp_sendrecv_ldap_port($1)
corenet_tcp_connect_ldap_port($1)
corenet_sendrecv_ldap_client_packets($1)
# Client configuration is read from net_conf_t files.
files_search_etc($1)
allow $1 net_conf_t:file r_file_perms;
# Encrypted (TLS) LDAP sessions need entropy from urandom.
dev_read_urand($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `sysnet_use_ldap'($*)) dnl
')
########################################
##
## Connect and use remote port mappers.
##
##
##
## Domain allowed access.
##
##
#
define(`sysnet_use_portmap',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `sysnet_use_portmap'($*)) dnl
gen_require(`
type net_conf_t;
')
# Port mapper lookups may go over either TCP or UDP.
allow $1 self:tcp_socket create_socket_perms;
allow $1 self:udp_socket create_socket_perms;
corenet_non_ipsec_sendrecv($1)
corenet_tcp_sendrecv_all_if($1)
corenet_udp_sendrecv_all_if($1)
corenet_tcp_sendrecv_all_nodes($1)
corenet_udp_sendrecv_all_nodes($1)
# Limited to the portmap port; only TCP needs connect.
corenet_tcp_sendrecv_portmap_port($1)
corenet_udp_sendrecv_portmap_port($1)
corenet_tcp_connect_portmap_port($1)
corenet_sendrecv_portmap_client_packets($1)
files_search_etc($1)
allow $1 net_conf_t:file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `sysnet_use_portmap'($*)) dnl
')
########################################
##
## Send a generic signal to the ifconfig client.
##
##
##
## The domain sending the signal.
##
##
##
#
define(`sysnet_signal_ifconfig',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `sysnet_signal_ifconfig'($*)) dnl
gen_require(`
type ifconfig_t;
')
# Generic signal only; sigkill/sigstop/signull are not included.
allow $1 ifconfig_t:process signal;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `sysnet_signal_ifconfig'($*)) dnl
')
## policy for tzdata
########################################
##
## Execute a domain transition to run tzdata.
##
##
##
## Domain allowed to transition.
##
##
#
define(`tzdata_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `tzdata_domtrans'($*)) dnl
gen_require(`
type tzdata_t, tzdata_exec_t;
')
# Executing tzdata_exec_t moves the caller into tzdata_t.
domain_auto_trans($1,tzdata_exec_t,tzdata_t)
# Child side of the usual plumbing: use inherited descriptors,
# read/write inherited pipes, report SIGCHLD to the caller.
# NOTE(review): unlike udev_domtrans and unconfined_domtrans there
# is no reverse fd-use rule for the caller here; presumably
# intentional, confirm before relying on it.
allow tzdata_t $1:fd use;
allow tzdata_t $1:fifo_file rw_file_perms;
allow tzdata_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `tzdata_domtrans'($*)) dnl
')
## Policy for udev.
########################################
##
## Execute udev in the udev domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`udev_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `udev_domtrans'($*)) dnl
gen_require(`
type udev_t, udev_exec_t;
')
# Executing udev_exec_t moves the caller into udev_t.
domain_auto_trans($1, udev_exec_t, udev_t)
# Descriptors usable in both directions; the child may read/write
# inherited pipes and send SIGCHLD to the caller.
allow $1 udev_t:fd use;
allow udev_t $1:fd use;
allow udev_t $1:fifo_file rw_file_perms;
allow udev_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `udev_domtrans'($*)) dnl
')
########################################
##
## Execute a udev helper in the udev domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`udev_helper_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `udev_helper_domtrans'($*)) dnl
gen_require(`
type udev_t, udev_helper_exec_t;
')
# Helpers use a distinct entry point type but land in the same
# udev_t domain as udev itself, so they carry all of its privilege.
domain_auto_trans($1, udev_helper_exec_t, udev_t)
# Same parent/child plumbing as udev_domtrans.
allow $1 udev_t:fd use;
allow udev_t $1:fd use;
allow udev_t $1:fifo_file rw_file_perms;
allow udev_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `udev_helper_domtrans'($*)) dnl
')
########################################
##
## Allow process to read udev process state.
##
##
##
## Domain allowed access.
##
##
#
define(`udev_read_state',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `udev_read_state'($*)) dnl
gen_require(`
type udev_t;
')
# Process state lives under /proc/<pid>, labelled with the domain
# type of the process, hence file/lnk_file rules against udev_t.
kernel_search_proc($1)
allow $1 udev_t:file r_file_perms;
allow $1 udev_t:lnk_file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `udev_read_state'($*)) dnl
')
########################################
##
## Do not audit attempts to inherit a
## udev file descriptor.
##
##
##
## Domain to not audit.
##
##
#
define(`udev_dontaudit_use_fds',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `udev_dontaudit_use_fds'($*)) dnl
gen_require(`
type udev_t;
')
# Suppress the denial for leaked udev descriptors; nothing is granted.
dontaudit $1 udev_t:fd use;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `udev_dontaudit_use_fds'($*)) dnl
')
########################################
##
## Do not audit attempts to read or write
## to a udev unix datagram socket.
##
##
##
## Domain to not audit.
##
##
#
define(`udev_dontaudit_rw_dgram_sockets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `udev_dontaudit_rw_dgram_sockets'($*)) dnl
gen_require(`
type udev_t;
')
# Suppress noise from inherited udev datagram sockets; nothing is granted.
dontaudit $1 udev_t:unix_dgram_socket { read write };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `udev_dontaudit_rw_dgram_sockets'($*)) dnl
')
########################################
##
## Allow process to read list of devices.
##
##
##
## The type of the process performing this action.
##
##
#
define(`udev_read_db',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `udev_read_db'($*)) dnl
gen_require(`
type udev_tbl_t;
')
# The device table is reached through /dev, so listing /dev is needed.
dev_list_all_dev_nodes($1)
# Read-only view of the table: list the dir, read files and symlinks.
allow $1 udev_tbl_t:dir list_dir_perms;
read_files_pattern($1, udev_tbl_t, udev_tbl_t)
read_lnk_files_pattern($1, udev_tbl_t, udev_tbl_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `udev_read_db'($*)) dnl
')
########################################
##
## Allow process to modify list of devices.
##
##
##
## The type of the process performing this action.
##
##
#
define(`udev_rw_db',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `udev_rw_db'($*)) dnl
gen_require(`
type udev_tbl_t;
')
dev_list_all_dev_nodes($1)
# Read/write of existing table files only; no create/unlink.
# NOTE(review): udev_read_db also grants list_dir_perms on the
# udev_tbl_t directory and lnk_file read, neither of which is
# granted here -- callers presumably combine both; confirm.
allow $1 udev_tbl_t:file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `udev_rw_db'($*)) dnl
')
########################################
##
## Do not audit attempts to read the list of devices.
##
##
##
## The type of the process performing this action.
##
##
#
define(`udev_dontaudit_search_db',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `udev_dontaudit_search_db'($*)) dnl
gen_require(`
type udev_tbl_t;
')
# Silence directory search denials on the device table; nothing is granted.
dontaudit $1 udev_tbl_t:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `udev_dontaudit_search_db'($*)) dnl
')
## The unconfined domain.
########################################
##
## Make the specified domain unconfined.
##
##
##
## Domain to make unconfined.
##
##
#
define(`unconfined_domain_noaudit',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `unconfined_domain_noaudit'($*)) dnl
gen_require(`
class dbus all_dbus_perms;
class nscd all_nscd_perms;
class passwd all_passwd_perms;
')
# This interface effectively removes SELinux confinement from the
# domain: every capability, every *_unconfined interface and, under
# the tunables below, executable anonymous memory. Apply it only to
# domains that are trusted to the same degree as the kernel itself;
# it is not a shortcut for a noisy policy.
# Use any Linux capability.
allow $1 self:capability *;
allow $1 self:fifo_file create_file_perms;
# Transition to myself, to make get_ordered_context_list happy.
allow $1 self:process transition;
# Write access is for setting attributes under /proc/self/attr.
allow $1 self:file rw_file_perms;
# Userland object managers
allow $1 self:nscd *;
allow $1 self:dbus *;
allow $1 self:passwd *;
allow $1 self:association *;
# Subsystem-wide unconfinement; each of these is itself very broad.
kernel_unconfined($1)
corenet_unconfined($1)
dev_unconfined($1)
domain_unconfined($1)
# Reading other domains state and ptrace are dontaudit rather than
# allow here, so probes by this domain stay quiet but are still denied.
domain_dontaudit_read_all_domains_state($1)
domain_dontaudit_ptrace_all_domains($1)
domain_mmap_low_type($1)
# Mapping the low address range is gated behind its own tunable.
tunable_policy(`allow_unconfined_mmap_low',`
domain_mmap_low($1)
')
files_unconfined($1)
fs_unconfined($1)
selinux_unconfined($1)
# The three exec* permissions below weaken W^X for this domain and
# are therefore each controlled by a separate boolean.
tunable_policy(`allow_execheap',`
# Allow making the heap executable via mprotect.
allow $1 self:process execheap;
')
tunable_policy(`allow_execmem',`
# Allow making anonymous memory executable, e.g.
# for runtime-code generation or executable stack.
allow $1 self:process execmem;
')
tunable_policy(`allow_execstack',`
# Allow making the stack executable via mprotect;
# execstack implies execmem;
allow $1 self:process { execstack execmem };
# auditallow $1 self:process execstack;
')
# dyntransition lets the process change its own context without
# exec; gated separately because it bypasses entry point checks.
tunable_policy(`allow_unconfined_execmem_dyntrans',`
allow $1 self:process dyntransition;
')
optional_policy(`
auth_unconfined($1)
')
optional_policy(`
# Communicate via dbusd.
dbus_system_bus_unconfined($1)
')
optional_policy(`
# this is to handle execmod on shared
# libs with text relocations
libs_use_shared_libs($1)
')
optional_policy(`
nscd_unconfined($1)
')
optional_policy(`
# Creating and relabelling the binary policy means this domain
# can change the loaded policy itself.
seutil_create_bin_policy($1)
seutil_relabelto_bin_policy($1)
')
optional_policy(`
storage_unconfined($1)
')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `unconfined_domain_noaudit'($*)) dnl
')
########################################
##
## Make the specified domain unconfined and
## audit executable memory and executable heap
## usage.
##
##
##
## Domain to make unconfined.
##
##
#
define(`unconfined_domain',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `unconfined_domain'($*)) dnl
# All the actual permissions come from unconfined_domain_noaudit;
# this wrapper only adds auditing of executable-heap use.
unconfined_domain_noaudit($1)
# auditallow logs successful execheap use so that W^X exceptions
# remain visible in the audit trail even though they are permitted.
tunable_policy(`allow_execheap',`
auditallow $1 self:process execheap;
')
# Turn off this audit for FC5
# tunable_policy(`allow_execmem',`
# auditallow $1 self:process execmem;
# ')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `unconfined_domain'($*)) dnl
')
########################################
##
## Transition to the unconfined domain.
##
##
##
## Domain allowed access.
##
##
#
define(`unconfined_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `unconfined_domtrans'($*)) dnl
gen_require(`
type unconfined_t, unconfined_exec_t;
')
# Executing unconfined_exec_t moves the caller into unconfined_t,
# i.e. this is a full privilege escalation path for the caller.
domain_auto_trans($1,unconfined_exec_t,unconfined_t)
# Usual parent/child plumbing in both directions.
allow $1 unconfined_t:fd use;
allow unconfined_t $1:fd use;
allow unconfined_t $1:fifo_file rw_file_perms;
allow unconfined_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `unconfined_domtrans'($*)) dnl
')
########################################
##
## Execute specified programs in the unconfined domain.
##
##
##
## The type of the process performing this action.
##
##
##
##
## The role to allow the unconfined domain.
##
##
##
##
## The type of the terminal to allow the unconfined domain to use.
##
##
#
define(`unconfined_run',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `unconfined_run'($*)) dnl
gen_require(`
type unconfined_t;
')
unconfined_domtrans($1)
# Second argument: the role authorised for unconfined_t. Granting a
# role here is what actually lets interactive users reach unconfined_t.
role $2 types unconfined_t;
# Third argument: terminal type unconfined_t may read/write.
allow unconfined_t $3:chr_file rw_term_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `unconfined_run'($*)) dnl
')
########################################
##
## Transition to the unconfined domain by executing a shell.
##
##
##
## Domain allowed access.
##
##
#
define(`unconfined_shell_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `unconfined_shell_domtrans'($*)) dnl
gen_require(`
type unconfined_t;
')
# Running a shell transitions the caller into unconfined_t; the
# fd/fifo/sigchld plumbing is left to corecmd_shell_domtrans.
corecmd_shell_domtrans($1,unconfined_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `unconfined_shell_domtrans'($*)) dnl
')
########################################
##
## Allow unconfined to execute the specified program in
## the specified domain.
##
##
##
## Allow unconfined to execute the specified program in
## the specified domain.
##
##
## This is an interface to support third-party modules;
## its use is not allowed in upstream reference
## policy.
##
##
##
##
## Domain to execute in.
##
##
##
##
## Domain entry point file.
##
##
#
define(`unconfined_domtrans_to',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `unconfined_domtrans_to'($*)) dnl
gen_require(`
type unconfined_t;
')
# Direction is reversed relative to the other *_domtrans interfaces:
# unconfined_t is the SOURCE, the first argument is the target domain
# and the second argument is its entry point file. Note the argument
# order passed to domain_auto_trans (entry point, then domain).
domain_auto_trans(unconfined_t,$2,$1)
# Child side plumbing for the new domain towards unconfined_t.
allow $1 unconfined_t:fd use;
allow $1 unconfined_t:fifo_file rw_file_perms;
allow $1 unconfined_t:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `unconfined_domtrans_to'($*)) dnl
')
########################################
##
## Inherit file descriptors from the unconfined domain.
##
##
##
## Domain allowed access.
##
##
#
define(`unconfined_use_fds',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `unconfined_use_fds'($*)) dnl
gen_require(`
type unconfined_t;
')
# Lets the caller keep using descriptors opened by unconfined_t;
# access to the underlying object is still checked separately.
allow $1 unconfined_t:fd use;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `unconfined_use_fds'($*)) dnl
')
########################################
##
## Send a SIGCHLD signal to the unconfined domain.
##
##
##
## Domain allowed access.
##
##
#
define(`unconfined_sigchld',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `unconfined_sigchld'($*)) dnl
gen_require(`
type unconfined_t;
')
# SIGCHLD only: needed by children of unconfined_t to report exit.
allow $1 unconfined_t:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `unconfined_sigchld'($*)) dnl
')
########################################
##
## Send a SIGNULL signal to the unconfined domain.
##
##
##
## Domain allowed access.
##
##
#
define(`unconfined_signull',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `unconfined_signull'($*)) dnl
gen_require(`
type unconfined_t;
')
# Existence check only (signal 0); no signal is delivered.
allow $1 unconfined_t:process signull;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `unconfined_signull'($*)) dnl
')
########################################
##
## Send generic signals to the unconfined domain.
##
##
##
## Domain allowed access.
##
##
#
define(`unconfined_signal',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `unconfined_signal'($*)) dnl
gen_require(`
type unconfined_t;
')
# unconfined_signal(domain): $1 may send generic signals to
# unconfined_t.  process:signal does not include sigkill, sigstop,
# sigchld or signull, which are separate permissions.
allow $1 unconfined_t:process signal;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `unconfined_signal'($*)) dnl
')
########################################
##
## Read unconfined domain unnamed pipes.
##
##
##
## Domain allowed access.
##
##
#
define(`unconfined_read_pipes',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `unconfined_read_pipes'($*)) dnl
gen_require(`
type unconfined_t;
')
# unconfined_read_pipes(domain): read access (r_file_perms) to
# unnamed pipes labeled unconfined_t.  This is an allow rule; the
# audit-only variant is unconfined_dontaudit_read_pipes.
allow $1 unconfined_t:fifo_file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `unconfined_read_pipes'($*)) dnl
')
########################################
##
## Do not audit attempts to read unconfined domain unnamed pipes.
##
##
##
## Domain allowed access.
##
##
#
define(`unconfined_dontaudit_read_pipes',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `unconfined_dontaudit_read_pipes'($*)) dnl
gen_require(`
type unconfined_t;
')
# unconfined_dontaudit_read_pipes(domain): silence audit records for
# $1 reading unconfined_t unnamed pipes.  Grants nothing.  Note it
# covers only the read permission, narrower than the r_file_perms
# set used by unconfined_read_pipes.
dontaudit $1 unconfined_t:fifo_file read;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `unconfined_dontaudit_read_pipes'($*)) dnl
')
########################################
##
## Read and write unconfined domain unnamed pipes.
##
##
##
## Domain allowed access.
##
##
#
define(`unconfined_rw_pipes',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `unconfined_rw_pipes'($*)) dnl
gen_require(`
type unconfined_t;
')
# unconfined_rw_pipes(domain): read and write access (rw_file_perms)
# to unnamed pipes labeled unconfined_t.  Writing into a pipe of an
# unconfined process is a data channel into that process, so use the
# read-only unconfined_read_pipes when write is not needed.
allow $1 unconfined_t:fifo_file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `unconfined_rw_pipes'($*)) dnl
')
########################################
##
## Do not audit attempts to read and write unconfined domain unnamed pipes.
##
##
##
## Domain allowed access.
##
##
#
define(`unconfined_dontaudit_rw_pipes',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `unconfined_dontaudit_rw_pipes'($*)) dnl
gen_require(`
type unconfined_t;
')
# unconfined_dontaudit_rw_pipes(domain): silence audit records for $1
# reading or writing unconfined_t unnamed pipes (rw_file_perms).
# Grants nothing; the allow variant is unconfined_rw_pipes.
dontaudit $1 unconfined_t:fifo_file rw_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `unconfined_dontaudit_rw_pipes'($*)) dnl
')
########################################
##
## Connect to the unconfined domain using
## a unix domain stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`unconfined_stream_connect',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `unconfined_stream_connect'($*)) dnl
gen_require(`
type unconfined_t;
')
# unconfined_stream_connect(domain): $1 may connect to unix stream
# sockets labeled unconfined_t.  Only connectto is granted; access to
# the socket file in the filesystem is not part of this interface.
allow $1 unconfined_t:unix_stream_socket connectto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `unconfined_stream_connect'($*)) dnl
')
########################################
##
## Do not audit attempts to read or write
## unconfined domain tcp sockets.
##
##
##
## Do not audit attempts to read or write
## unconfined domain tcp sockets.
##
##
## This interface was added due to a broken
## symptom in ldconfig.
##
##
##
##
## Domain to not audit.
##
##
#
define(`unconfined_dontaudit_rw_tcp_sockets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `unconfined_dontaudit_rw_tcp_sockets'($*)) dnl
gen_require(`
type unconfined_t;
')
# unconfined_dontaudit_rw_tcp_sockets(domain): silence denials of $1
# reading or writing tcp sockets labeled unconfined_t.  Grants
# nothing.  Deliberately lists just read and write rather than a
# rw_socket_perms set; per the interface header this exists to hide
# ldconfig noise, so keep it narrow.
dontaudit $1 unconfined_t:tcp_socket { read write };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `unconfined_dontaudit_rw_tcp_sockets'($*)) dnl
')
########################################
##
## Create keys for the unconfined domain.
##
##
##
## Domain allowed access.
##
##
#
define(`unconfined_create_keys',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `unconfined_create_keys'($*)) dnl
gen_require(`
type unconfined_t;
')
# unconfined_create_keys(domain): $1 may create kernel keys (key
# class) labeled unconfined_t.  Only create is granted; read, write,
# search and link on those keys are not included.
allow $1 unconfined_t:key create;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `unconfined_create_keys'($*)) dnl
')
########################################
##
## Send messages to the unconfined domain over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`unconfined_dbus_send',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `unconfined_dbus_send'($*)) dnl
# the dbus object class is required explicitly because it is a
# userspace class and may not be declared in every policy build
gen_require(`
type unconfined_t;
class dbus send_msg;
')
# unconfined_dbus_send(domain): one-way, $1 -> unconfined_t only.
# Replies from unconfined_t to $1 need the reverse rule; see
# unconfined_dbus_chat for the bidirectional variant.
allow $1 unconfined_t:dbus send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `unconfined_dbus_send'($*)) dnl
')
########################################
##
## Send messages to, and receive messages
## from, unconfined_t over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`unconfined_dbus_chat',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `unconfined_dbus_chat'($*)) dnl
gen_require(`
type unconfined_t;
class dbus send_msg;
')
# unconfined_dbus_chat(domain): bidirectional dbus messaging.
# The second rule lets unconfined_t send to $1 as well, so $1 becomes
# reachable by any unconfined process over the bus; prefer
# unconfined_dbus_send when $1 only needs to talk, not listen.
allow $1 unconfined_t:dbus send_msg;
allow unconfined_t $1:dbus send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `unconfined_dbus_chat'($*)) dnl
')
########################################
##
## Add an alias type to the unconfined domain.
##
##
##
## Add an alias type to the unconfined domain.
##
##
## This is added to support targeted policy. Its
## use should be limited. It has no effect
## on the strict policy.
##
##
##
##
## New alias of the unconfined domain.
##
##
#
define(`unconfined_alias_domain',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `unconfined_alias_domain'($*)) dnl
# unconfined_alias_domain(alias): make $1 a typealias of unconfined_t.
# targeted_policy is an m4 symbol tested at build time, so in a
# strict build this expands to nothing but a build warning.  An
# alias is the same type under another name: every rule that
# mentions unconfined_t applies to $1 as well.
ifdef(`targeted_policy',`
gen_require(`
type unconfined_t;
')
typealias unconfined_t alias $1;
',`
refpolicywarn(`$0($1) has no effect in strict policy.')
')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `unconfined_alias_domain'($*)) dnl
')
########################################
##
## Add an alias type to the unconfined execmem
## program file type.
##
##
##
## Add an alias type to the unconfined execmem
## program file type.
##
##
## This is added to support targeted policy. Its
## use should be limited. It has no effect
## on the strict policy.
##
##
##
##
## New alias of the unconfined execmem program type.
##
##
#
define(`unconfined_execmem_alias_program',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `unconfined_execmem_alias_program'($*)) dnl
# unconfined_execmem_alias_program(alias): make $1 a typealias of
# unconfined_execmem_exec_t, the entry file type for the unconfined
# execmem domain.  Targeted builds only (m4 ifdef); strict builds
# get a build warning and no rule.  Files labeled with the alias are
# indistinguishable from unconfined_execmem_exec_t to the policy.
ifdef(`targeted_policy',`
gen_require(`
type unconfined_execmem_exec_t;
')
typealias unconfined_execmem_exec_t alias $1;
',`
refpolicywarn(`$0($1) has no effect in strict policy.')
')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `unconfined_execmem_alias_program'($*)) dnl
')
########################################
##
## Connect to the unconfined DBUS
## for service (acquire_svc).
##
##
##
## Domain allowed access.
##
##
#
define(`unconfined_dbus_connect',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `unconfined_dbus_connect'($*)) dnl
gen_require(`
type unconfined_t;
class dbus acquire_svc;
')
# unconfined_dbus_connect(domain): $1 may acquire a service name
# (acquire_svc) on a bus labeled unconfined_t.  This is name
# ownership only; sending messages needs unconfined_dbus_send.
allow $1 unconfined_t:dbus acquire_svc;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `unconfined_dbus_connect'($*)) dnl
')
########################################
##
## Allow apps to set rlimits on userdomain
##
##
##
## Domain allowed access.
##
##
#
define(`unconfined_set_rlimitnh',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `unconfined_set_rlimitnh'($*)) dnl
gen_require(`
type unconfined_t;
')
# unconfined_set_rlimitnh(domain): the permission is process:rlimitinh
# with $1 as source and unconfined_t as target, i.e. presumably
# resource limits set in $1 are carried over when $1 transitions
# into unconfined_t.  NOTE(review): the interface name (rlimitnh)
# and its header (userdomain) do not match the rule, which targets
# unconfined_t; callers should go by the rule.
allow $1 unconfined_t:process rlimitinh;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `unconfined_set_rlimitnh'($*)) dnl
')
## Policy for user domains
#######################################
##
## The template containing the most basic rules common to all users.
##
##
##
## The template containing the most basic rules common to all users.
##
##
## This template creates a user domain, types, and
## rules for the user's tty and pty.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
#
define(`userdom_base_user_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_base_user_template'($*)) dnl
# userdom_base_user_template(prefix): declares the $1_t user domain,
# its role $1_r, its pty/tty device types, and the rules every user
# domain gets.  Home, tmp, tmpfs, network and X rules are added by
# the other userdom_*_template macros, which require the types and
# the $1_file_type attribute declared here.
# (comments inside this body must not contain apostrophes or
# backquotes: they would terminate the m4 quote around the body)
gen_require(`
class context contains;
attribute userdomain;
')
# $1_file_type collects every file type derived for this user; the
# home/tmp/tmpfs templates add their types to it.
attribute $1_file_type;
type $1_t, userdomain;
domain_type($1_t)
# $1_t can be entered via shell, /bin and /sbin program types
corecmd_shell_entry_type($1_t)
corecmd_bin_entry_type($1_t)
corecmd_sbin_entry_type($1_t)
domain_user_exemption_target($1_t)
role $1_r types $1_t;
# role allow: system_r may change to $1_r
allow system_r $1_r;
type $1_devpts_t;
term_user_pty($1_t,$1_devpts_t)
files_type($1_devpts_t)
type $1_tty_device_t;
term_user_tty($1_t,$1_tty_device_t)
# self access.  Note what is deliberately absent: ptrace, setexec,
# setfscreate, setrlimit, execmem, execstack, execheap.
allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession };
allow $1_t self:fd use;
allow $1_t self:fifo_file rw_file_perms;
allow $1_t self:unix_dgram_socket { create_socket_perms sendto };
allow $1_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow $1_t self:shm create_shm_perms;
allow $1_t self:sem create_sem_perms;
allow $1_t self:msgq create_msgq_perms;
allow $1_t self:msg { send receive };
allow $1_t self:context contains;
# generic socket class: creation attempts are silenced, not allowed
dontaudit $1_t self:socket create;
# own pty: rw plus setattr; own tty: rw_file_perms plus setattr
allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
term_create_pty($1_t,$1_devpts_t)
allow $1_t $1_tty_device_t:chr_file { setattr rw_file_perms };
kernel_read_kernel_sysctls($1_t)
# silence list/getattr noise on unlabeled objects of every class
kernel_dontaudit_list_unlabeled($1_t)
kernel_dontaudit_getattr_unlabeled_files($1_t)
kernel_dontaudit_getattr_unlabeled_symlinks($1_t)
kernel_dontaudit_getattr_unlabeled_pipes($1_t)
kernel_dontaudit_getattr_unlabeled_sockets($1_t)
kernel_dontaudit_getattr_unlabeled_blk_files($1_t)
kernel_dontaudit_getattr_unlabeled_chr_files($1_t)
# When the user domain runs ps, there will be a number of access
# denials when ps tries to search /proc. Do not audit these denials.
domain_dontaudit_read_all_domains_state($1_t)
domain_dontaudit_getattr_all_domains($1_t)
domain_dontaudit_getsession_all_domains($1_t)
files_read_etc_files($1_t)
files_read_etc_runtime_files($1_t)
files_read_usr_files($1_t)
# Read directories and files with the readable_t type.
# This type is a general type for "world"-readable files.
files_list_world_readable($1_t)
files_read_world_readable_files($1_t)
files_read_world_readable_symlinks($1_t)
files_read_world_readable_pipes($1_t)
files_read_world_readable_sockets($1_t)
# old browser_domain(): silence getattr/list denials on
# non-security file types rather than allowing them
files_dontaudit_list_non_security($1_t)
files_dontaudit_getattr_non_security_files($1_t)
files_dontaudit_getattr_non_security_symlinks($1_t)
files_dontaudit_getattr_non_security_pipes($1_t)
files_dontaudit_getattr_non_security_sockets($1_t)
files_dontaudit_getattr_non_security_blk_files($1_t)
files_dontaudit_getattr_non_security_chr_files($1_t)
# shared libraries, locale data, certificates and network config
# are readable by every user domain
libs_use_ld_so($1_t)
libs_use_shared_libs($1_t)
libs_exec_ld_so($1_t)
miscfiles_read_localization($1_t)
miscfiles_read_certs($1_t)
sysnet_read_config($1_t)
# NOTE(review): the comment on the next block mentions executable
# stack, but the permission granted is execmem (executable anonymous
# or writable memory); execstack is the separate block below.
tunable_policy(`allow_execmem',`
# Allow loading DSOs that require executable stack.
allow $1_t self:process execmem;
')
tunable_policy(`allow_execmem && allow_execstack',`
# Allow making the stack executable via mprotect.
allow $1_t self:process execstack;
')
# the following only take effect when the named module is loaded
optional_policy(`
ssh_rw_stream_sockets($1_t)
')
optional_policy(`
consoletype_exec($1_t)
')
optional_policy(`
hostname_exec($1_t)
')
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_base_user_template'($*)) dnl
')
#######################################
##
## The template for creating a home directory
## to which the user has read-only access.
##
##
##
## The template for creating a home directory
## to which the user has read-only access.
##
##
## This does not allow execute access.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
#
define(`userdom_ro_home_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_ro_home_template'($*)) dnl
# userdom_ro_home_template(prefix): declares $1_home_t (home
# contents) and $1_home_dir_t (the home directory itself) and gives
# $1_t read-only access to both.  userdom_manage_home_template
# declares the same two types, so a given prefix may use only one
# of the two templates.
# $1_file_type must already exist (userdom_base_user_template).
gen_require(`
attribute home_type, home_dir_type, $1_file_type;
')
# type for contents of home directory
type $1_home_t, $1_file_type, home_type;
files_type($1_home_t)
files_associate_tmp($1_home_t)
fs_associate_tmpfs($1_home_t)
files_mountpoint($1_home_t)
# type of home directory
type $1_home_dir_t, home_dir_type, home_type;
files_type($1_home_dir_t)
files_mountpoint($1_home_dir_t)
files_associate_tmp($1_home_dir_t)
fs_associate_tmpfs($1_home_dir_t)
files_poly_member($1_home_dir_t)
##############################
#
# User home directory file rules
#
# every file type of this user may live on a filesystem labeled
# $1_home_t (e.g. a home directory used as a mount point)
allow $1_file_type $1_home_t:filesystem associate;
# Rules used to associate a homedir as a mountpoint
allow $1_home_t self:filesystem associate;
##############################
#
# Domain access to home dir
#
# read-only home directory
# entrypoint: a $1_home_t file may be the executable through which
# a process enters $1_t (target-domain side of a domain transition).
# The executing domain still needs execute on the file, which this
# template does not grant; NOTE(review): confirm entrypoint is
# wanted for the read-only variant.
allow $1_t $1_home_t:file { read_file_perms entrypoint };
allow $1_t $1_home_t:lnk_file read_file_perms;
allow $1_t $1_home_t:dir list_dir_perms;
allow $1_t $1_home_t:sock_file read_file_perms;
allow $1_t $1_home_t:fifo_file read_file_perms;
allow $1_t $1_home_dir_t:dir list_dir_perms;
files_list_home($1_t)
# home directories on NFS/CIFS are unlabeled from the policy point
# of view, so read access there is gated by boolean; when the
# boolean is off the denials are silenced rather than allowed
tunable_policy(`use_nfs_home_dirs',`
fs_list_nfs_dirs($1_t)
fs_read_nfs_files($1_t)
fs_read_nfs_symlinks($1_t)
fs_read_nfs_named_sockets($1_t)
fs_read_nfs_named_pipes($1_t)
',`
fs_dontaudit_read_nfs_dirs($1_t)
fs_dontaudit_read_nfs_files($1_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_list_cifs_dirs($1_t)
fs_read_cifs_files($1_t)
fs_read_cifs_symlinks($1_t)
fs_read_cifs_named_sockets($1_t)
fs_read_cifs_named_pipes($1_t)
',`
fs_dontaudit_list_cifs_dirs($1_t)
fs_dontaudit_read_cifs_files($1_t)
')
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_ro_home_template'($*)) dnl
')
#######################################
##
## The template for creating a home directory
## to which the user has full access.
##
##
##
## The template for creating a home directory
## to which the user has full access.
##
##
## This does not allow execute access.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
#
define(`userdom_manage_home_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_home_template'($*)) dnl
# userdom_manage_home_template(prefix): declares $1_home_t (home
# contents) and $1_home_dir_t (the home directory itself) and gives
# $1_t full control over both, including relabeling.  Mutually
# exclusive with userdom_ro_home_template, which declares the same
# types.  $1_file_type must already exist (userdom_base_user_template).
gen_require(`
attribute home_type, home_dir_type, $1_file_type;
')
# type for contents of home directory
type $1_home_t, $1_file_type, home_type;
files_type($1_home_t)
files_associate_tmp($1_home_t)
fs_associate_tmpfs($1_home_t)
# type of home directory
# NOTE(review): unlike userdom_ro_home_template, neither type gets
# files_mountpoint here and $1_home_dir_t gets no files_poly_member;
# confirm whether that difference is intended.
type $1_home_dir_t, home_dir_type, home_type;
files_type($1_home_dir_t)
files_associate_tmp($1_home_dir_t)
fs_associate_tmpfs($1_home_dir_t)
##############################
#
# User home directory file rules
#
allow $1_file_type $1_home_t:filesystem associate;
# Rules used to associate a homedir as a mountpoint
allow $1_home_t self:filesystem associate;
##############################
#
# Domain access to home dir
#
# full control of the home directory
# relabelfrom/relabelto: $1_t may change the type of its home
# objects; which other types it can move them to depends on the
# relabelto rules $1_t holds for the destination type.  entrypoint:
# a $1_home_t file may be the executable a process enters $1_t
# through (execute on the file is granted separately, see
# userdom_exec_home_template).
allow $1_t $1_home_t:file { manage_file_perms relabelfrom relabelto entrypoint };
allow $1_t $1_home_t:lnk_file { create_lnk_perms relabelfrom relabelto };
allow $1_t $1_home_t:dir { manage_dir_perms relabelfrom relabelto };
allow $1_t $1_home_t:sock_file { manage_file_perms relabelfrom relabelto };
allow $1_t $1_home_t:fifo_file { manage_file_perms relabelfrom relabelto };
allow $1_t $1_home_dir_t:dir { manage_dir_perms relabelfrom relabelto };
# objects $1_t creates directly inside $1_home_dir_t get $1_home_t
type_transition $1_t $1_home_dir_t:{ dir file lnk_file sock_file fifo_file } $1_home_t;
files_list_home($1_t)
# NFS/CIFS home directories are gated by boolean; with the boolean
# off, the denials are silenced rather than allowed
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs($1_t)
fs_manage_nfs_files($1_t)
fs_manage_nfs_symlinks($1_t)
fs_manage_nfs_named_sockets($1_t)
fs_manage_nfs_named_pipes($1_t)
',`
fs_dontaudit_manage_nfs_dirs($1_t)
fs_dontaudit_manage_nfs_files($1_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_dirs($1_t)
fs_manage_cifs_files($1_t)
fs_manage_cifs_symlinks($1_t)
fs_manage_cifs_named_sockets($1_t)
fs_manage_cifs_named_pipes($1_t)
',`
fs_dontaudit_manage_cifs_dirs($1_t)
fs_dontaudit_manage_cifs_files($1_t)
')
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_home_template'($*)) dnl
')
#######################################
##
## The template for allowing the user
## to execute files in their home directory.
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
#
define(`userdom_exec_home_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_exec_home_template'($*)) dnl
# userdom_exec_home_template(prefix): let $1_t execute files of its
# own home type without a domain transition (can_exec), plus files on
# NFS/CIFS homes when the matching boolean is on.  Executing code
# the user can write is the main thing the home templates withhold,
# so apply this only to domains that really need it.
# There is no gen_require here: $1_t and $1_home_t must already be
# declared in the same module (presumably by the base and home
# templates).
can_exec($1_t,$1_home_t)
tunable_policy(`use_nfs_home_dirs',`
fs_exec_nfs_files($1_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_exec_cifs_files($1_t)
')
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_exec_home_template'($*)) dnl
')
#######################################
##
## The template for polyinstantiating
## a user home directory.
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
#
define(`userdom_poly_home_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_poly_home_template'($*)) dnl
# userdom_poly_home_template(prefix): polyinstantiated home
# directories.  type_member keeps the per-instance directory that
# $1_t gets inside $1_home_dir_t labeled $1_home_dir_t; the
# files_poly* calls mark the home types as polyinstantiation parents
# and members.  Requires the types from a home template.
type_member $1_t $1_home_dir_t:dir $1_home_dir_t;
files_poly($1_home_dir_t)
files_poly_parent($1_home_dir_t)
files_poly_parent($1_home_t)
files_poly_member($1_home_t)
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_poly_home_template'($*)) dnl
')
#######################################
##
## The template for full access to the temporary directories.
##
##
##
## The template for full access to the temporary directories.
## This creates a derived type for the user
## temporary type. Execute access is not given.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
#
define(`userdom_manage_tmp_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_tmp_template'($*)) dnl
# userdom_manage_tmp_template(prefix): declares the per-user
# temporary type $1_tmp_t and gives $1_t full control of it.  No
# execute permission is granted; that is userdom_exec_tmp_template.
gen_require(`
attribute $1_file_type;
')
type $1_tmp_t, $1_file_type;
files_tmp_file($1_tmp_t)
allow $1_t $1_tmp_t:dir manage_dir_perms;
allow $1_t $1_tmp_t:file manage_file_perms;
allow $1_t $1_tmp_t:lnk_file create_lnk_perms;
allow $1_t $1_tmp_t:sock_file manage_file_perms;
allow $1_t $1_tmp_t:fifo_file manage_file_perms;
# objects $1_t creates in the generic tmp directory get $1_tmp_t,
# so other users cannot reach them through the shared tmp type
files_tmp_filetrans($1_t, $1_tmp_t, { dir file lnk_file sock_file fifo_file })
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_tmp_template'($*)) dnl
')
#######################################
##
## The template for execute access to the user temporary files.
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
#
define(`userdom_exec_tmp_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_exec_tmp_template'($*)) dnl
# userdom_exec_tmp_template(prefix): let $1_t execute its own
# $1_tmp_t files without a domain transition.  Since $1_t can write
# those files, this is write+exec on user-controlled content; apply
# only where needed.  Requires userdom_manage_tmp_template first
# (no gen_require here).
can_exec($1_t,$1_tmp_t)
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_exec_tmp_template'($*)) dnl
')
#######################################
##
## The template for a polyinstantiated temporary directory.
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
#
define(`userdom_poly_tmp_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_poly_tmp_template'($*)) dnl
# userdom_poly_tmp_template(prefix): polyinstantiated /tmp for $1_t.
# The second argument is the literal generic tmp_t, not $1_tmp_t.
files_poly_member_tmp($1_t,tmp_t)
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_poly_tmp_template'($*)) dnl
')
#######################################
##
## The template for creating a tmpfs type
## to which the user has full access.
##
##
##
## The template for creating a tmpfs type
## to which the user has full access.
##
##
## This does not allow execute access.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
#
define(`userdom_manage_tmpfs_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_tmpfs_template'($*)) dnl
# userdom_manage_tmpfs_template(prefix): declares $1_tmpfs_t for the
# objects $1_t creates on tmpfs (shared memory etc.) and gives $1_t
# control of them.  No execute permission is granted.
gen_require(`
attribute $1_file_type;
')
type $1_tmpfs_t, $1_file_type;
files_tmpfs_file($1_tmpfs_t)
# NOTE(review): directories get rw_dir_perms here, whereas
# userdom_manage_tmp_template grants manage_dir_perms; confirm the
# narrower set is intended for tmpfs.
allow $1_t $1_tmpfs_t:dir rw_dir_perms;
allow $1_t $1_tmpfs_t:file manage_file_perms;
allow $1_t $1_tmpfs_t:lnk_file create_lnk_perms;
allow $1_t $1_tmpfs_t:sock_file manage_file_perms;
allow $1_t $1_tmpfs_t:fifo_file manage_file_perms;
# objects $1_t creates on tmpfs get the per-user type
fs_tmpfs_filetrans($1_t,$1_tmpfs_t, { dir file lnk_file sock_file fifo_file })
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_tmpfs_template'($*)) dnl
')
#######################################
##
## The template for creating a set of types
## for untrusted content.
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
#
define(`userdom_untrusted_content_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_untrusted_content_template'($*)) dnl
# userdom_untrusted_content_template(prefix): declares two types for
# content the user obtained from the network ($1_untrusted_content_t
# and its tmp counterpart).  The point of the separate types is that
# $1_t can manage and relabel such content unconditionally but can
# only READ it when the read_untrusted_content boolean is on.
gen_require(`
attribute $1_file_type;
attribute untrusted_content_type, untrusted_content_tmp_type;
type $1_t;
')
# types for network-obtained content
type $1_untrusted_content_t, $1_file_type, untrusted_content_type; #, customizable
files_type($1_untrusted_content_t)
files_poly_member($1_untrusted_content_t)
type $1_untrusted_content_tmp_t, $1_file_type, untrusted_content_tmp_type; # customizable
files_tmp_file($1_untrusted_content_tmp_t)
# Allow user to relabel untrusted content
# files: getattr/unlink/rename/relabel only, deliberately no read,
# write or execute outside the tunable block below
allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir { manage_dir_perms relabelto relabelfrom };
allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file { getattr unlink relabelto relabelfrom rename };
# read access is gated by boolean; when off, the denials are silenced
tunable_policy(`read_untrusted_content',`
allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir list_dir_perms;
allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file read_file_perms;
allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:lnk_file { getattr read };
',`
dontaudit $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir list_dir_perms;
dontaudit $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file read_file_perms;
')
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_untrusted_content_template'($*)) dnl
')
#######################################
##
## The template allowing the user to execute
## generic programs, such as those found in /bin,
## /sbin, /usr/bin, and /usr/sbin.
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
#
define(`userdom_exec_generic_pgms_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_exec_generic_pgms_template'($*)) dnl
# userdom_exec_generic_pgms_template(prefix): let $1_t run the
# generic bin, sbin and ls program types in its own domain (no
# transition).  Programs with their own domain are covered by their
# own *_domtrans interfaces, not by this template.
gen_require(`
type $1_t;
')
corecmd_exec_bin($1_t)
corecmd_exec_sbin($1_t)
corecmd_exec_ls($1_t)
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_exec_generic_pgms_template'($*)) dnl
')
#######################################
##
## The template granting the user basic
## network permissions.
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
#
define(`userdom_basic_networking_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_basic_networking_template'($*)) dnl
# userdom_basic_networking_template(prefix): client-side networking
# for $1_t.  Despite the name this is broad: tcp/udp send and receive
# on all interfaces, nodes and ports, and tcp connect to ALL ports.
# Listening (bind/accept, name_bind) is not granted here.
gen_require(`
type $1_t;
')
allow $1_t self:tcp_socket create_stream_socket_perms;
allow $1_t self:udp_socket create_socket_perms;
corenet_non_ipsec_sendrecv($1_t)
corenet_tcp_sendrecv_all_if($1_t)
corenet_udp_sendrecv_all_if($1_t)
corenet_tcp_sendrecv_all_nodes($1_t)
corenet_udp_sendrecv_all_nodes($1_t)
corenet_tcp_sendrecv_all_ports($1_t)
corenet_udp_sendrecv_all_ports($1_t)
corenet_tcp_connect_all_ports($1_t)
corenet_sendrecv_all_client_packets($1_t)
# enable_mls is an m4 build-time symbol, not a runtime boolean
ifdef(`enable_mls',`
# netlabel/CIPSO labeled networking
corenet_tcp_recv_netlabel($1_t)
corenet_udp_recv_netlabel($1_t)
')
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_basic_networking_template'($*)) dnl
')
#######################################
##
## The template for creating a user xwindows client.
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
#
define(`userdom_xwindows_client_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_xwindows_client_template'($*)) dnl
# userdom_xwindows_client_template(prefix): make $1_t an X client.
# Everything below sits in one optional_policy block, so presumably
# none of it is emitted unless the xserver module is present,
# including the device rules.  $1_tmpfs_t is required because the
# xserver client template takes it as an argument.
gen_require(`
type $1_t, $1_tmpfs_t;
')
optional_policy(`
# device access an X session needs; note power management and usbfs
# are read-write, not just read
dev_rw_xserver_misc($1_t)
dev_rw_power_management($1_t)
dev_read_input($1_t)
dev_read_misc($1_t)
dev_write_misc($1_t)
# open office is looking for the following
dev_getattr_agp_dev($1_t)
dev_dontaudit_rw_dri($1_t)
# GNOME checks for usb and other devices:
dev_rw_usbfs($1_t)
xserver_user_client_template($1,$1_t,$1_tmpfs_t)
xserver_xsession_entry_type($1_t)
xserver_dontaudit_write_log($1_t)
xserver_stream_connect_xdm($1_t)
# certain apps want to read xdm.pid file
xserver_read_xdm_pid($1_t)
# gnome-session creates socket under /tmp/.ICE-unix/
xserver_create_xdm_tmp_sockets($1_t)
# Needed for escd, remove if we get escd policy
xserver_manage_xdm_tmp_files($1_t)
')
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_xwindows_client_template'($*)) dnl
')
#######################################
##
## The template for allowing the user to change passwords.
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
#
define(`userdom_change_password_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_change_password_template'($*)) dnl
# userdom_change_password_template(prefix): let $1_t run passwd and
# chfn in their own domains, with the user role and the user
# terminal types passed through so the helper can talk to the
# terminal.  Only emitted when the usermanage module is present.
gen_require(`
type $1_t, $1_devpts_t, $1_tty_device_t;
role $1_r;
')
optional_policy(`
usermanage_run_chfn($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
usermanage_run_passwd($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
')
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_change_password_template'($*)) dnl
')
#######################################
##
## The template for allowing the user to change roles.
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
#
define(`userdom_role_change_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_role_change_template'($*)) dnl
# userdom_role_change_template(from_prefix, to_prefix): allow a
# change from role $1_r to role $2_r.  This is a role allow only;
# the actual domain transition $1_t -> $2_t is not granted here.
# The type_change rules let the terminal the session is on be
# relabeled from the $1 terminal types to the $2 ones when the
# new domain $2_t takes it over.  Role changes are one-directional:
# call the template again with the prefixes swapped for the reverse.
gen_require(`
role $1_r, $2_r;
type $1_t, $2_t;
type $1_devpts_t, $2_devpts_t;
type $1_tty_device_t, $2_tty_device_t;
')
allow $1_r $2_r;
type_change $2_t $1_devpts_t:chr_file $2_devpts_t;
type_change $2_t $1_tty_device_t:chr_file $2_tty_device_t;
# avoid annoying messages on terminal hangup
dontaudit $1_t { $2_devpts_t $2_tty_device_t }:chr_file ioctl;
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_role_change_template'($*)) dnl
')
#######################################
##
## The template containing rules common to unprivileged
## users and administrative users.
##
##
##
## This template creates a user domain, types, and
## rules for the user's tty, pty, tmp, and tmpfs files.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
#
define(`userdom_common_user_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_common_user_template'($*)) dnl
gen_require(`
attribute unpriv_userdomain;
')
# Compose $1_t from the userdom building blocks: base domain, home, tmp
# and tmpfs management, untrusted content, networking, generic program
# execution, X client access and password changing.
userdom_base_user_template($1)
userdom_manage_home_template($1)
userdom_exec_home_template($1)
userdom_manage_tmp_template($1)
userdom_exec_tmp_template($1)
userdom_manage_tmpfs_template($1)
userdom_untrusted_content_template($1)
userdom_basic_networking_template($1)
userdom_exec_generic_pgms_template($1)
userdom_xwindows_client_template($1)
userdom_change_password_template($1)
##############################
#
# User domain Local policy
#
# Self capabilities: setgid, chown and fowner are granted; sys_nice and
# fsetid denials are only silenced.
allow $1_t self:capability { setgid chown fowner };
dontaudit $1_t self:capability { sys_nice fsetid };
# All self:process permissions except the excluded set, then ptrace and
# setfscreate are granted back on the following line. Net effect: only
# setcurrent, setexec, setrlimit, execmem, execstack and execheap remain
# denied on self:process.
allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow $1_t self:process { ptrace setfscreate };
allow $1_t self:context contains;
# evolution and gnome-session try to create a netlink socket
dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
# Use file descriptors inherited from any unprivileged user domain.
allow $1_t unpriv_userdomain:fd use;
kernel_read_system_state($1_t)
kernel_read_network_state($1_t)
kernel_read_net_sysctls($1_t)
# Very permissive allowing every domain to see every type:
kernel_get_sysvipc_info($1_t)
# Find CDROM devices:
kernel_read_device_sysctls($1_t)
# UDP: bind to any node and to the generic port type.
corenet_udp_bind_all_nodes($1_t)
corenet_udp_bind_generic_port($1_t)
# Devices: sysfs and random sources read-only; sound devices and
# mixers read and write.
dev_read_sysfs($1_t)
dev_read_rand($1_t)
dev_read_urand($1_t)
dev_write_sound($1_t)
dev_read_sound($1_t)
dev_read_sound_mixer($1_t)
dev_write_sound_mixer($1_t)
domain_use_interactive_fds($1_t)
files_exec_etc_files($1_t)
files_search_locks($1_t)
# Check to see if cdrom is mounted
files_search_mnt($1_t)
# cjp: perhaps should cut back on file reads:
files_read_var_files($1_t)
files_read_var_symlinks($1_t)
files_read_generic_spool($1_t)
files_read_var_lib_files($1_t)
# Stat lost+found.
files_getattr_lost_found_dirs($1_t)
fs_get_all_fs_quotas($1_t)
fs_getattr_all_fs($1_t)
fs_getattr_all_dirs($1_t)
fs_search_auto_mountpoints($1_t)
fs_list_inotifyfs($1_t)
# cjp: some of this probably can be removed
selinux_get_fs_mount($1_t)
selinux_validate_context($1_t)
selinux_compute_access_vector($1_t)
selinux_compute_create_context($1_t)
selinux_compute_relabel_context($1_t)
selinux_compute_user_contexts($1_t)
# for eject
storage_getattr_fixed_disk_dev($1_t)
auth_read_login_records($1_t)
auth_dontaudit_write_login_records($1_t)
auth_search_pam_console_data($1_t)
# Run pam, utempter and the password updater in their own domains while
# staying in role $1_r, with the user tty and pty as usable terminals.
auth_run_pam($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
auth_run_utempter($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
auth_read_key($1_t)
auth_run_upd_passwd($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
init_read_utmp($1_t)
# The library functions always try to open read-write first,
# then fall back to read-only if it fails.
init_dontaudit_write_utmp($1_t)
# Stop warnings about access to /dev/console
init_dontaudit_use_fds($1_t)
init_dontaudit_use_script_fds($1_t)
libs_exec_lib_files($1_t)
logging_dontaudit_getattr_all_logs($1_t)
miscfiles_read_man_pages($1_t)
# for running TeX programs
miscfiles_read_tetex_data($1_t)
miscfiles_exec_tetex_data($1_t)
seutil_read_file_contexts($1_t)
seutil_read_default_contexts($1_t)
seutil_read_config($1_t)
# newrole runs in its own domain; the role allow rules themselves come
# from userdom_role_change_template, not from here.
seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
seutil_exec_checkpolicy($1_t)
# for when the network connection is killed
# this is needed when a login role can change
# to this one.
seutil_dontaudit_signal_newrole($1_t)
# read_default_t tunable: either read default_t content, or silence the
# denials when it is off.
tunable_policy(`read_default_t',`
files_list_default($1_t)
files_read_default_files($1_t)
files_read_default_symlinks($1_t)
files_read_default_sockets($1_t)
files_read_default_pipes($1_t)
',`
files_dontaudit_list_default($1_t)
files_dontaudit_read_default_files($1_t)
')
tunable_policy(`user_direct_mouse',`
dev_read_mouse($1_t)
')
tunable_policy(`user_ttyfile_stat',`
term_getattr_all_user_ttys($1_t)
')
optional_policy(`
alsa_read_rw_config($1_t)
')
optional_policy(`
# Allow graphical boot to check battery lifespan
apm_stream_connect($1_t)
')
optional_policy(`
canna_stream_connect($1_t)
')
optional_policy(`
cups_stream_connect_ptal($1_t)
cups_stream_connect($1_t)
')
# D-Bus: $1_t may send messages on its own dbus class, act as a system
# bus client, and chat with the listed services when their modules are
# present.
optional_policy(`
allow $1_t self:dbus send_msg;
dbus_system_bus_client_template($1,$1_t)
optional_policy(`
bluetooth_dbus_chat($1_t)
')
optional_policy(`
evolution_dbus_chat($1,$1_t)
evolution_alarm_dbus_chat($1,$1_t)
')
optional_policy(`
cups_dbus_chat_config($1_t)
')
optional_policy(`
hal_dbus_chat($1_t)
')
optional_policy(`
networkmanager_dbus_chat($1_t)
')
')
optional_policy(`
inetd_use_fds($1_t)
inetd_rw_tcp_sockets($1_t)
')
optional_policy(`
inn_read_config($1_t)
inn_read_news_lib($1_t)
inn_read_news_spool($1_t)
')
# for running depmod as part of the kernel packaging process
optional_policy(`
modutils_read_module_config($1_t)
')
optional_policy(`
mta_rw_spool($1_t)
')
optional_policy(`
nis_use_ypbind($1_t)
')
# Only when the mysql module is present and the tunable is on.
optional_policy(`
tunable_policy(`allow_user_mysql_connect',`
mysql_stream_connect($1_t)
')
')
optional_policy(`
nscd_socket_use($1_t)
')
optional_policy(`
# to allow monitoring of pcmcia status
pcmcia_read_pid($1_t)
')
optional_policy(`
pcscd_read_pub_files($1_t)
pcscd_stream_connect($1_t)
')
optional_policy(`
quota_dontaudit_getattr_db($1_t)
')
optional_policy(`
resmgr_stream_connect($1_t)
')
optional_policy(`
rpc_dontaudit_getattr_exports($1_t)
rpc_manage_nfs_rw_content($1_t)
')
optional_policy(`
rpm_read_db($1_t)
rpm_dontaudit_manage_db($1_t)
')
optional_policy(`
samba_stream_connect_winbind($1_t)
')
optional_policy(`
slrnpull_search_spool($1_t)
')
optional_policy(`
usernetctl_run($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
')
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_common_user_template'($*)) dnl
')
#######################################
##
## The template for creating an unprivileged user.
##
##
##
## This template creates a user domain, types, and
## rules for the user's tty, pty, home directories,
## tmp, and tmpfs files.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
#
define(`userdom_privhome_user_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_privhome_user_template'($*)) dnl
gen_require(`
type $1_home_dir_t, $1_home_t;
')
# NOTE(review): the header summary above reads like a copy of the
# unprivileged user template. What this template actually does is grant
# the privhome attribute (privileged home directory writers) full
# management of $1_home_dir_t and $1_home_t content of every object
# class, plus the type_transition so that anything privhome creates in
# the home directory is labeled $1_home_t.
# privileged home directory writers
manage_dirs_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
manage_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
manage_lnk_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
manage_sock_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
manage_fifo_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
filetrans_pattern(privhome,$1_home_dir_t,$1_home_t,{ dir file lnk_file sock_file fifo_file })
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_privhome_user_template'($*)) dnl
')
#######################################
##
## The template for creating an unprivileged user.
##
##
##
## This template creates a user domain, types, and
## rules for the user's tty, pty, home directories,
## tmp, and tmpfs files.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
#
define(`userdom_unpriv_user_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_unpriv_user_template'($*)) dnl
gen_require(`
attribute privhome, user_ptynode, user_home_dir_type, user_home_type, user_tmpfile, user_ttynode;
')
##############################
#
# Declarations
#
# Inherit rules for ordinary users.
userdom_common_user_template($1)
# Tag the new domain and its types with the generic user attributes so
# that interfaces written against user_ptynode, user_home_type, etc.
# cover this user as well.
typeattribute $1_t unpriv_userdomain;
domain_interactive_fd($1_t)
typeattribute $1_devpts_t user_ptynode;
typeattribute $1_home_dir_t user_home_dir_type;
typeattribute $1_home_t user_home_type;
typeattribute $1_tmp_t user_tmpfile;
typeattribute $1_tty_device_t user_ttynode;
userdom_poly_home_template($1)
userdom_poly_tmp_template($1)
##############################
#
# Local policy
#
# privileged home directory writers
# NOTE(review): these raw rules appear to overlap with what
# userdom_privhome_user_template grants through the manage_*_pattern
# macros, but with different permission sets (rw_dir_perms on the home
# directory itself, create_lnk_perms on links) - confirm which set is
# intended before consolidating.
allow privhome $1_home_dir_t:dir rw_dir_perms;
allow privhome $1_home_t:file manage_file_perms;
allow privhome $1_home_t:lnk_file create_lnk_perms;
allow privhome $1_home_t:dir manage_dir_perms;
allow privhome $1_home_t:sock_file manage_file_perms;
allow privhome $1_home_t:fifo_file manage_file_perms;
type_transition privhome $1_home_dir_t:{ dir file lnk_file sock_file fifo_file } $1_home_t;
# Unprivileged users may execute all executable types.
corecmd_exec_all_executables($1_t)
# port access is audited even if DAC would not have allowed it, so dontaudit it here
corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
# Need the following rule to allow users to run vpnc
corenet_tcp_bind_xserver_port($1_t)
files_exec_usr_files($1_t)
# cjp: why?
files_read_kernel_symbol_table($1_t)
# Non-MLS only: execute files on filesystems without xattr labels and,
# under the tunable, manage them. Raw read of removable devices is
# granted either way; raw write only when user_rw_noexattrfile is on.
ifndef(`enable_mls',`
fs_exec_noxattr($1_t)
tunable_policy(`user_rw_noexattrfile',`
fs_manage_noxattr_fs_files($1_t)
fs_manage_noxattr_fs_dirs($1_t)
# Write floppies
storage_raw_read_removable_device($1_t)
storage_raw_write_removable_device($1_t)
',`
storage_raw_read_removable_device($1_t)
')
')
# user_dmesg tunable: read the kernel ring buffer, or silence the denial.
tunable_policy(`user_dmesg',`
kernel_read_ring_buffer($1_t)
',`
kernel_dontaudit_read_ring_buffer($1_t)
')
# Allow users to run TCP servers (bind to ports and accept connections from
# the same domain and outside users). Disabling this forces FTP passive mode
# and may change other protocols.
tunable_policy(`user_tcp_server',`
corenet_tcp_bind_all_nodes($1_t)
corenet_tcp_bind_generic_port($1_t)
')
optional_policy(`
kerberos_use($1_t)
kerberos_524_connect($1_t)
')
optional_policy(`
setroubleshoot_stream_connect($1_t)
')
optional_policy(`
loadkeys_run($1_t,$1_r,$1_tty_device_t)
')
# ping and traceroute transitions are themselves conditional (the
# _cond interfaces), so the user gets them only under their tunables.
optional_policy(`
netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
')
# Run pppd in pppd_t by default for user
optional_policy(`
ppp_run_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
')
# Disabled block: only expanded when the TODO symbol is defined, which
# presumably it is not in a normal build - kept for reference only.
ifdef(`TODO',`
ifdef(`xdm.te', `
# this should cause the .xsession-errors file to be written to /tmp
dontaudit xdm_t $1_home_t:file rw_file_perms;
')
# Do not audit write denials to /etc/ld.so.cache.
dontaudit $1_t ld_so_cache_t:file write;
dontaudit $1_t sysadm_home_t:file { read append };
') dnl end TODO
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_unpriv_user_template'($*)) dnl
')
#######################################
##
## The template for creating an administrative user.
##
##
##
## This template creates a user domain, types, and
## rules for the user's tty, pty, home directories,
## tmp, and tmpfs files.
##
##
## The privileges given to administrative users are:
##
## - Raw disk access
## - Set all sysctls
## - All kernel ring buffer controls
## - Create, read, write, and delete all files but shadow
## - Manage source and binary format SELinux policy
## - Run insmod
##
##
##
##
##
## The prefix of the user domain (e.g., sysadm
## is the prefix for sysadm_t).
##
##
#
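define(`userdom_admin_user_template',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_admin_user_template'($*)) dnl
gen_require(`
attribute admin_terminal, privhome;
class passwd { passwd chfn chsh rootok crontab };
')
##############################
#
# Declarations
#
# Inherit rules for ordinary users.
userdom_common_user_template($1)
# $1_t is a privileged home directory writer: it may manage the home
# content of every user whose template grants privhome access.
typeattribute $1_t privhome;
domain_obj_id_change_exemption($1_t)
# $1_t may also run under the system role.
role system_r types $1_t;
# Build option direct_sysadm_daemon adds domain_system_change_exemption.
ifdef(`direct_sysadm_daemon',`
domain_system_change_exemption($1_t)
')
# The admin pty and tty count as administrative terminals.
typeattribute $1_devpts_t admin_terminal;
typeattribute $1_tty_device_t admin_terminal;
##############################
#
# $1_t local policy
#
# Every capability except sys_module: module loading is funneled through
# insmod (modutils_domtrans_insmod below) rather than done directly.
allow $1_t self:capability ~sys_module;
allow $1_t self:process { setexec setfscreate };
# Set password information for other users.
allow $1_t self:passwd { passwd chfn chsh };
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
# Manipulate other users crontab.
allow $1_t self:passwd crontab;
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
kernel_change_ring_buffer_level($1_t)
kernel_clear_ring_buffer($1_t)
kernel_read_ring_buffer($1_t)
kernel_get_sysvipc_info($1_t)
kernel_rw_all_sysctls($1_t)
# signal unlabeled processes:
kernel_kill_unlabeled($1_t)
kernel_signal_unlabeled($1_t)
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
corenet_rw_tun_tap_dev($1_t)
dev_getattr_generic_blk_files($1_t)
dev_getattr_generic_chr_files($1_t)
# for lsof
dev_getattr_mtrr_dev($1_t)
# Allow MAKEDEV to work
dev_create_all_blk_files($1_t)
dev_create_all_chr_files($1_t)
dev_delete_all_blk_files($1_t)
dev_delete_all_chr_files($1_t)
dev_rename_all_blk_files($1_t)
dev_rename_all_chr_files($1_t)
dev_create_generic_symlinks($1_t)
domain_setpriority_all_domains($1_t)
domain_read_all_domains_state($1_t)
domain_getattr_all_domains($1_t)
domain_dontaudit_ptrace_all_domains($1_t)
# Command completion can fire hundreds of avcs
domain_dontaudit_exec_all_entry_files($1_t)
# signal all domains:
domain_kill_all_domains($1_t)
domain_signal_all_domains($1_t)
domain_signull_all_domains($1_t)
domain_sigstop_all_domains($1_t)
domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
files_exec_usr_src_files($1_t)
fs_getattr_all_fs($1_t)
fs_set_all_quotas($1_t)
fs_exec_noxattr($1_t)
storage_raw_read_removable_device($1_t)
storage_raw_write_removable_device($1_t)
term_use_all_terms($1_t)
# shadow is the one exception: getattr only, and the manage and relabel
# interfaces below exclude it explicitly.
auth_getattr_shadow($1_t)
# Manage almost all files
auth_manage_all_files_except_shadow($1_t)
# Relabel almost all files
auth_relabel_all_files_except_shadow($1_t)
init_telinit($1_t)
logging_send_syslog_msg($1_t)
modutils_domtrans_insmod($1_t)
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
# cannot directly manipulate policy files with arbitrary programs.
seutil_manage_src_policy($1_t)
# Violates the goal of limiting write access to checkpolicy.
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
# noxattr filesystems: manage under the tunable, otherwise read-only.
tunable_policy(`user_rw_noexattrfile',`
fs_manage_noxattr_fs_files($1_t)
fs_manage_noxattr_fs_dirs($1_t)
',`
fs_read_noxattr_fs_files($1_t)
')
optional_policy(`
userhelper_exec($1_t)
')
# Disabled block: only expanded when the TODO symbol is defined, which
# presumably it is not in a normal build - kept for reference only.
ifdef(`TODO',`
ifdef(`xserver.te', `
tunable_policy(`xdm_sysadm_login',`
allow xdm_t $1_home_t:lnk_file read;
allow xdm_t $1_home_t:dir search_dir_perms;
')
')
') dnl endif TODO
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_admin_user_template'($*)) dnl
')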
########################################
##
## Change to the generic user role.
##
##
##
## Change to the generic user role.
##
##
## This is a template to support third party modules
## and its use is not allowed in upstream reference
## policy.
##
##
##
##
## The prefix of the user role (e.g., user
## is the prefix for user_r).
##
##
##
#
define(`userdom_role_change_generic_user',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_role_change_generic_user'($*)) dnl
# Let role $1_r change to the generic user role. Strict policy only: in
# targeted policy no rules are generated and refpolicywarn reports the
# call as having no effect.
ifdef(`strict_policy',`
userdom_role_change_template($1,user)
',`
refpolicywarn(`$0($*) has no effect in targeted policy.')
')
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_role_change_generic_user'($*)) dnl
')
########################################
##
## Change from the generic user role.
##
##
##
## Change from the generic user role to
## the specified role.
##
##
## This is a template to support third party modules
## and its use is not allowed in upstream reference
## policy.
##
##
##
##
## The prefix of the user role (e.g., user
## is the prefix for user_r).
##
##
##
#
define(`userdom_role_change_from_generic_user',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_role_change_from_generic_user'($*)) dnl
# Let the generic user role change to role $1_r. Strict policy only: in
# targeted policy no rules are generated and refpolicywarn reports the
# call as having no effect.
ifdef(`strict_policy',`
userdom_role_change_template(user,$1)
',`
refpolicywarn(`$0($*) has no effect in targeted policy.')
')
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_role_change_from_generic_user'($*)) dnl
')
########################################
##
## Change to the staff user role.
##
##
##
## Change to the staff user role.
##
##
## This is a template to support third party modules
## and its use is not allowed in upstream reference
## policy.
##
##
##
##
## The prefix of the user role (e.g., user
## is the prefix for user_r).
##
##
##
#
define(`userdom_role_change_staff',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_role_change_staff'($*)) dnl
# Let role $1_r change to the staff role. Strict policy only: in
# targeted policy no rules are generated and refpolicywarn reports the
# call as having no effect.
ifdef(`strict_policy',`
userdom_role_change_template($1,staff)
',`
refpolicywarn(`$0($*) has no effect in targeted policy.')
')
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_role_change_staff'($*)) dnl
')
########################################
##
## Change from the staff user role.
##
##
##
## Change from the staff user role to
## the specified role.
##
##
## This is a template to support third party modules
## and its use is not allowed in upstream reference
## policy.
##
##
##
##
## The prefix of the user role (e.g., user
## is the prefix for user_r).
##
##
##
#
define(`userdom_role_change_from_staff',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_role_change_from_staff'($*)) dnl
# Let the staff role change to role $1_r. Strict policy only: in
# targeted policy no rules are generated and refpolicywarn reports the
# call as having no effect.
ifdef(`strict_policy',`
userdom_role_change_template(staff,$1)
',`
refpolicywarn(`$0($*) has no effect in targeted policy.')
')
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_role_change_from_staff'($*)) dnl
')
########################################
##
## Change to the sysadm user role.
##
##
##
## Change to the sysadm user role.
##
##
## This is a template to support third party modules
## and its use is not allowed in upstream reference
## policy.
##
##
##
##
## The prefix of the user role (e.g., user
## is the prefix for user_r).
##
##
##
#
define(`userdom_role_change_sysadm',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_role_change_sysadm'($*)) dnl
# Let role $1_r change to the sysadm role, i.e. a privilege escalation
# path by design. Strict policy only: in targeted policy no rules are
# generated and refpolicywarn reports the call as having no effect.
ifdef(`strict_policy',`
userdom_role_change_template($1,sysadm)
',`
refpolicywarn(`$0($*) has no effect in targeted policy.')
')
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_role_change_sysadm'($*)) dnl
')
########################################
##
## Change from the sysadm user role.
##
##
##
## Change from the sysadm user role to
## the specified role.
##
##
## This is a template to support third party modules
## and its use is not allowed in upstream reference
## policy.
##
##
##
##
## The prefix of the user role (e.g., user
## is the prefix for user_r).
##
##
##
#
define(`userdom_role_change_from_sysadm',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_role_change_from_sysadm'($*)) dnl
# Let the sysadm role change to role $1_r. Strict policy only: in
# targeted policy no rules are generated and refpolicywarn reports the
# call as having no effect.
ifdef(`strict_policy',`
userdom_role_change_template(sysadm,$1)
',`
refpolicywarn(`$0($*) has no effect in targeted policy.')
')
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_role_change_from_sysadm'($*)) dnl
')
########################################
##
## Change to the secadm user role.
##
##
##
## Change to the secadm user role.
##
##
## This is a template to support third party modules
## and its use is not allowed in upstream reference
## policy.
##
##
##
##
## The prefix of the user role (e.g., user
## is the prefix for user_r).
##
##
##
#
define(`userdom_role_change_secadm',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_role_change_secadm'($*)) dnl
# Let role $1_r change to the secadm role. MLS builds only
# (enable_mls): otherwise no rules are generated and refpolicywarn
# reports the call as having no effect.
ifdef(`enable_mls',`
userdom_role_change_template($1,secadm)
',`
refpolicywarn(`$0($*) has no effect in non-MLS policy.')
')
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_role_change_secadm'($*)) dnl
')
########################################
##
## Change from the secadm user role.
##
##
##
## Change from the secadm user role to
## the specified role.
##
##
## This is a template to support third party modules
## and its use is not allowed in upstream reference
## policy.
##
##
##
##
## The prefix of the user role (e.g., user
## is the prefix for user_r).
##
##
##
#
define(`userdom_role_change_from_secadm',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_role_change_from_secadm'($*)) dnl
# Let the secadm role change to role $1_r. MLS builds only
# (enable_mls): otherwise no rules are generated and refpolicywarn
# reports the call as having no effect.
ifdef(`enable_mls',`
userdom_role_change_template(secadm,$1)
',`
refpolicywarn(`$0($*) has no effect in non-MLS policy.')
')
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_role_change_from_secadm'($*)) dnl
')
########################################
##
## Change to the auditadm user role.
##
##
##
## Change to the auditadm user role.
##
##
## This is a template to support third party modules
## and its use is not allowed in upstream reference
## policy.
##
##
##
##
## The prefix of the user role changing to auditadm (e.g., user
## is the prefix for user_r).
##
##
##
#
define(`userdom_role_change_auditadm',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_role_change_auditadm'($*)) dnl
# Let role $1_r change to the auditadm role. MLS builds only
# (enable_mls): otherwise no rules are generated and refpolicywarn
# reports the call as having no effect.
ifdef(`enable_mls',`
userdom_role_change_template($1,auditadm)
',`
refpolicywarn(`$0($*) has no effect in non-MLS policy.')
')
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_role_change_auditadm'($*)) dnl
')
########################################
##
## Change from the auditadm user role.
##
##
##
## Change from the auditadm user role to
## the specified role.
##
##
## This is a template to support third party modules
## and its use is not allowed in upstream reference
## policy.
##
##
##
##
## The prefix of the user role (e.g., user
## is the prefix for user_r).
##
##
##
#
define(`userdom_role_change_from_auditadm',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_role_change_from_auditadm'($*)) dnl
# Let the auditadm role change to role $1_r. MLS builds only
# (enable_mls): otherwise no rules are generated and refpolicywarn
# reports the call as having no effect.
ifdef(`enable_mls',`
userdom_role_change_template(auditadm,$1)
',`
refpolicywarn(`$0($*) has no effect in non-MLS policy.')
')
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_role_change_from_auditadm'($*)) dnl
')
########################################
##
## Make the specified type usable in a
## user home directory.
##
##
##
## Make the specified type usable in a
## user home directory.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Type to be used as a file in the
## user home directory.
##
##
#
define(`userdom_user_home_content',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_user_home_content'($*)) dnl
gen_require(`
attribute $1_file_type;
')
# Tag $2 with the per-user file type attribute, so rules written
# against $1_file_type cover it, and declare it a regular file type.
typeattribute $2 $1_file_type;
files_type($2)
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_user_home_content'($*)) dnl
')
########################################
##
## Set the attributes of a user pty.
##
##
##
## Set the attributes of a user pty.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_setattr_user_ptys',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_setattr_user_ptys'($*)) dnl
# Strict policy only. Unlike the role change templates there is no
# else branch, so in targeted policy this silently generates nothing.
ifdef(`strict_policy',`
gen_require(`
type $1_devpts_t;
')
# setattr only (chmod/chown style changes), no read or write.
allow $2 $1_devpts_t:chr_file setattr;
')
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_setattr_user_ptys'($*)) dnl
')
########################################
##
## Create a user pty.
##
##
##
## Create a user pty.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_create_user_pty',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_create_user_pty'($*)) dnl
# Strict policy only. Unlike the role change templates there is no
# else branch, so in targeted policy this silently generates nothing.
ifdef(`strict_policy',`
gen_require(`
type $1_devpts_t;
')
# Delegates the pty creation rules to the terminal module interface.
term_create_pty($2,$1_devpts_t)
')
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_create_user_pty'($*)) dnl
')
########################################
##
## Search user home directories.
##
##
##
## Search user home directories.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_search_user_home_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_search_user_home_dirs'($*)) dnl
gen_require(`
type $1_home_dir_t;
')
# Search the generic home root first, then the user home directory
# itself; no listing (read) of the home directory is granted here.
files_search_home($2)
# NOTE(review): spelled out as { getattr search } rather than the
# search_dir_perms set used in userdom_user_home_domtrans - presumably
# intentional if the two sets differ, otherwise worth unifying.
allow $2 $1_home_dir_t:dir { getattr search };
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_search_user_home_dirs'($*)) dnl
')
########################################
##
## List user home directories.
##
##
##
## List user home directories.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_list_user_home_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_list_user_home_dirs'($*)) dnl
gen_require(`
type $1_home_dir_t;
')
# Search the generic home root, then grant the read-only directory
# permission set on the user home directory so its entries can be
# listed. Content below it is not covered.
files_search_home($2)
allow $2 $1_home_dir_t:dir r_dir_perms;
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_list_user_home_dirs'($*)) dnl
')
########################################
##
## Do a domain transition to the specified
## domain when executing a program in the
## user home directory.
##
##
##
## Do a domain transition to the specified
## domain when executing a program in the
## user home directory.
##
##
## No interprocess communication (signals, pipes,
## etc.) is provided by this interface since
## the domains are not owned by this module.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain allowed access.
##
##
##
##
## Domain to transition to.
##
##
#
define(`userdom_user_home_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_user_home_domtrans'($*)) dnl
gen_require(`
type $1_home_dir_t, $1_home_t;
')
# Reach the user home directory, then transition $2 into $3 whenever it
# executes a file labeled $1_home_t. The trigger is the type, not a
# specific program: any $1_home_t file the user can place there will do,
# so $3 must be a domain that is safe to enter from user-controlled
# content.
files_search_home($2)
allow $2 $1_home_dir_t:dir search_dir_perms;
# NOTE(review): domain_auto_trans is the older macro form; the patterns
# used elsewhere in this file are *_pattern macros - confirm it still
# grants the execute permissions as well as the transition.
domain_auto_trans($2,$1_home_t,$3)
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_user_home_domtrans'($*)) dnl
')
########################################
##
## Do not audit attempts to list user home subdirectories.
##
##
##
## Do not audit attempts to list user home subdirectories.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain to not audit
##
##
#
define(`userdom_dontaudit_list_user_home_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_list_user_home_dirs'($*)) dnl
gen_require(`
type $1_home_dir_t;
')
# dontaudit, not allow: only suppresses the AVC denial messages for the
# read-only directory permission set; no access is granted.
dontaudit $2 $1_home_dir_t:dir r_dir_perms;
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_list_user_home_dirs'($*)) dnl
')
########################################
##
## Create, read, write, and delete directories
## in a user home subdirectory.
##
##
##
## Create, read, write, and delete directories
## in a user home subdirectory.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_manage_user_home_content_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_user_home_content_dirs'($*)) dnl
gen_require(`
type $1_home_dir_t, $1_home_t;
')
files_list_home($2)
# rw_dir_perms on the home directory itself lets $2 add and remove entries
# directly under it. This is broader than the search-only access that the
# sibling userdom_manage_user_home_content_* interfaces grant on $1_home_dir_t.
allow $2 $1_home_dir_t:dir rw_dir_perms;
# Full lifecycle on $1_home_t subdirectories.
allow $2 $1_home_t:dir manage_dir_perms;
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_user_home_content_dirs'($*)) dnl
')
########################################
##
## Do not audit attempts to set the
## attributes of user home files.
##
##
##
## Do not audit attempts to set the
## attributes of user home files.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain to not audit.
##
##
#
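define(`userdom_dontaudit_setattr_user_home_content_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_setattr_user_home_content_files'($*)) dnl
gen_require(`
type $1_home_t;
')
# Only $1_home_t is referenced below so it is the only type required.
# Silences the setattr denial record on $1_home_t files; no access is granted.
dontaudit $2 $1_home_t:file setattr;
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_setattr_user_home_content_files'($*)) dnl
')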
########################################
##
## Read user home files.
##
##
##
## Read user home files.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_read_user_home_content_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_read_user_home_content_files'($*)) dnl
gen_require(`
type $1_home_dir_t, $1_home_t;
')
# Traverse the home root then the home directory and $1_home_t
# subdirectories. Both directory types get search only; listing is not
# granted. Files of type $1_home_t are readable.
files_search_home($2)
allow $2 { $1_home_dir_t $1_home_t }:dir search_dir_perms;
allow $2 $1_home_t:file r_file_perms;
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_read_user_home_content_files'($*)) dnl
')
########################################
##
## Do not audit attempts to read user home files.
##
##
##
## Do not audit attempts to read user home files.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_read_user_home_content_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_read_user_home_content_files'($*)) dnl
gen_require(`
type $1_home_t;
')
# Silences denial records for listing $1_home_t directories and reading
# $1_home_t files. Nothing is granted; the access is still denied and
# the denial is simply not logged.
dontaudit $2 $1_home_t:dir r_dir_perms;
dontaudit $2 $1_home_t:file r_file_perms;
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_read_user_home_content_files'($*)) dnl
')
########################################
##
## Do not audit attempts to write user home files.
##
##
##
## Do not audit attempts to write user home files.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_write_user_home_content_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_write_user_home_content_files'($*)) dnl
gen_require(`
type $1_home_t;
')
# Silences only the write denial on $1_home_t files; other file permissions
# still produce audit records. No access is granted.
dontaudit $2 $1_home_t:file write;
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_write_user_home_content_files'($*)) dnl
')
########################################
##
## Read user home subdirectory symbolic links.
##
##
##
## Read user home subdirectory symbolic links.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_read_user_home_content_symlinks',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_read_user_home_content_symlinks'($*)) dnl
gen_require(`
type $1_home_dir_t, $1_home_t;
')
# Search access through the home root and both home directory types
# then read of $1_home_t symbolic links. The link target is not covered:
# the domain still needs its own access to whatever the link points at.
files_search_home($2)
allow $2 { $1_home_dir_t $1_home_t }:dir search_dir_perms;
allow $2 $1_home_t:lnk_file r_file_perms;
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_read_user_home_content_symlinks'($*)) dnl
')
########################################
##
## Execute user home files.
##
##
##
## Execute user home files.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_exec_user_home_content_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_exec_user_home_content_files'($*)) dnl
gen_require(`
type $1_home_dir_t, $1_home_t;
')
# Search access to reach the program then can_exec on $1_home_t.
# Unlike userdom_user_home_domtrans no domain transition is set up here:
# $2 runs home content in its own domain so any user-supplied file of type
# $1_home_t executes with the full access of $2.
files_search_home($2)
allow $2 { $1_home_dir_t $1_home_t }:dir search_dir_perms;
can_exec($2,$1_home_t)
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_exec_user_home_content_files'($*)) dnl
')
########################################
##
## Do not audit attempts to execute user home files.
##
##
##
## Do not audit attempts to execute user home files.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_exec_user_home_content_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_exec_user_home_content_files'($*)) dnl
gen_require(`
type $1_home_t;
')
# Silences the execute denial on $1_home_t files. The exec is still
# refused; only the audit record is dropped.
dontaudit $2 $1_home_t:file execute;
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_exec_user_home_content_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete files
## in a user home subdirectory.
##
##
##
## Create, read, write, and delete files
## in a user home subdirectory.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_manage_user_home_content_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_user_home_content_files'($*)) dnl
gen_require(`
type $1_home_dir_t, $1_home_t;
')
files_list_home($2)
# The home directory itself is only searched; entries are added and removed
# in $1_home_t subdirectories which get read-write directory access.
allow $2 $1_home_dir_t:dir search_dir_perms;
allow $2 $1_home_t:dir rw_dir_perms;
# create_file_perms on the files themselves.
allow $2 $1_home_t:file create_file_perms;
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_user_home_content_files'($*)) dnl
')
########################################
##
## Do not audit attempts to create, read, write, and delete directories
## in a user home subdirectory.
##
##
##
## Do not audit attempts to create, read, write, and delete directories
## in a user home subdirectory.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain to not audit.
##
##
#
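define(`userdom_dontaudit_manage_user_home_content_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_manage_user_home_content_dirs'($*)) dnl
gen_require(`
type $1_home_t;
')
# Only $1_home_t is referenced below so it is the only type required.
# Silences denial records for managing $1_home_t directories; nothing is
# granted and the access stays denied.
dontaudit $2 $1_home_t:dir manage_dir_perms;
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_manage_user_home_content_dirs'($*)) dnl
')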
########################################
##
## Create, read, write, and delete symbolic links
## in a user home subdirectory.
##
##
##
## Create, read, write, and delete symbolic links
## in a user home subdirectory.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_manage_user_home_content_symlinks',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_user_home_content_symlinks'($*)) dnl
gen_require(`
type $1_home_dir_t, $1_home_t;
')
files_list_home($2)
# Search the home directory; add and remove entries in $1_home_t
# subdirectories. Only lnk_file objects get create_lnk_perms so regular
# files are not covered by this interface.
allow $2 $1_home_dir_t:dir search_dir_perms;
allow $2 $1_home_t:dir rw_dir_perms;
allow $2 $1_home_t:lnk_file create_lnk_perms;
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_user_home_content_symlinks'($*)) dnl
')
########################################
##
## Create, read, write, and delete named pipes
## in a user home subdirectory.
##
##
##
## Create, read, write, and delete named pipes
## in a user home subdirectory.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_manage_user_home_content_pipes',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_user_home_content_pipes'($*)) dnl
gen_require(`
type $1_home_dir_t, $1_home_t;
')
files_list_home($2)
# Search the home directory; add and remove entries in $1_home_t
# subdirectories. Only fifo_file objects are covered here.
allow $2 $1_home_dir_t:dir search_dir_perms;
allow $2 $1_home_t:dir rw_dir_perms;
allow $2 $1_home_t:fifo_file create_file_perms;
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_user_home_content_pipes'($*)) dnl
')
########################################
##
## Create, read, write, and delete named sockets
## in a user home subdirectory.
##
##
##
## Create, read, write, and delete named sockets
## in a user home subdirectory.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_manage_user_home_content_sockets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_user_home_content_sockets'($*)) dnl
gen_require(`
type $1_home_dir_t, $1_home_t;
')
files_list_home($2)
# Search the home directory; add and remove entries in $1_home_t
# subdirectories. Only sock_file objects are covered here; no socket-level
# permissions are included.
allow $2 $1_home_dir_t:dir search_dir_perms;
allow $2 $1_home_t:dir rw_dir_perms;
allow $2 $1_home_t:sock_file create_file_perms;
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_user_home_content_sockets'($*)) dnl
')
########################################
##
## Create objects in a user home directory
## with an automatic type transition to
## a specified private type.
##
##
##
## Create objects in a user home directory
## with an automatic type transition to
## a specified private type.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the object to create.
##
##
##
##
## The class of the object to be created. If not
## specified, file is used.
##
##
#
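define(`userdom_user_home_dir_filetrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_user_home_dir_filetrans'($*)) dnl
gen_require(`
type $1_home_dir_t;
')
files_search_home($2)
# $2 may add and remove entries directly in the home directory.
allow $2 $1_home_dir_t:dir rw_dir_perms;
# New objects of the given class created by $2 in the home directory are
# labeled $3. The class defaults to file when the fourth argument is
# omitted as the summary states; a bare empty class would otherwise
# produce an invalid type_transition rule.
type_transition $2 $1_home_dir_t:ifelse(`$4',`',`file',`$4') $3;
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_user_home_dir_filetrans'($*)) dnl
')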
########################################
##
## Create objects in a user home directory
## with an automatic type transition to
## the user home file type.
##
##
##
## Create objects in a user home directory
## with an automatic type transition to
## the user home file type.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain allowed access.
##
##
##
##
## The class of the object to be created. If not
## specified, file is used.
##
##
#
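define(`userdom_user_home_dir_filetrans_user_home_content',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_user_home_dir_filetrans_user_home_content'($*)) dnl
gen_require(`
type $1_home_dir_t, $1_home_t;
')
files_search_home($2)
# $2 may add and remove entries directly in the home directory.
allow $2 $1_home_dir_t:dir rw_dir_perms;
# New objects of the given class created by $2 in the home directory are
# labeled $1_home_t. The class defaults to file when the third argument is
# omitted as the summary states; a bare empty class would otherwise
# produce an invalid type_transition rule.
type_transition $2 $1_home_dir_t:ifelse(`$3',`',`file',`$3') $1_home_t;
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_user_home_dir_filetrans_user_home_content'($*)) dnl
')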
########################################
##
## Write to user temporary named sockets.
##
##
##
## Write to user temporary named sockets.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_write_user_tmp_sockets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_write_user_tmp_sockets'($*)) dnl
gen_require(`
type $1_tmp_t;
')
files_search_tmp($2)
# Write on the sock_file node only. No directory access on $1_tmp_t and
# no socket-level permissions are included so $2 can neither list the
# user tmp directory nor read its content through this interface.
allow $2 $1_tmp_t:sock_file write;
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_write_user_tmp_sockets'($*)) dnl
')
########################################
##
## List user temporary directories.
##
##
##
## List user temporary directories.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_list_user_tmp',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_list_user_tmp'($*)) dnl
gen_require(`
type $1_tmp_t;
')
files_search_tmp($2)
# r_dir_perms on $1_tmp_t directories: listing and reading the directory
# itself. File content under it is not readable through this interface.
allow $2 $1_tmp_t:dir r_dir_perms;
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_list_user_tmp'($*)) dnl
')
########################################
##
## Do not audit attempts to list user
## temporary directories.
##
##
##
## Do not audit attempts to list user
## temporary directories.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_list_user_tmp',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_list_user_tmp'($*)) dnl
gen_require(`
type $1_tmp_t;
')
# Silences denial records for listing $1_tmp_t directories; no access is
# granted. Suppressed denials do not show in the audit log.
dontaudit $2 $1_tmp_t:dir r_dir_perms;
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_list_user_tmp'($*)) dnl
')
########################################
##
## Do not audit attempts to manage user
## temporary directories.
##
##
##
## Do not audit attempts to manage user
## temporary directories.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_manage_user_tmp_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_manage_user_tmp_dirs'($*)) dnl
gen_require(`
type $1_tmp_t;
')
# Silences denial records for the whole manage_dir_perms set on $1_tmp_t
# directories. Nothing is granted; the access stays denied and unlogged.
dontaudit $2 $1_tmp_t:dir manage_dir_perms;
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_manage_user_tmp_dirs'($*)) dnl
')
########################################
##
## Read user temporary files.
##
##
##
## Read user temporary files.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_read_user_tmp_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_read_user_tmp_files'($*)) dnl
gen_require(`
type $1_tmp_t;
')
files_search_tmp($2)
# Listing of $1_tmp_t directories plus read of $1_tmp_t files.
# Symbolic links and other object classes are not covered.
allow $2 $1_tmp_t:dir r_dir_perms;
allow $2 $1_tmp_t:file r_file_perms;
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_read_user_tmp_files'($*)) dnl
')
########################################
##
## Do not audit attempts to read user
## temporary files.
##
##
##
## Do not audit attempts to read user
## temporary files.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_read_user_tmp_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_read_user_tmp_files'($*)) dnl
gen_require(`
type $1_tmp_t;
')
# Silences read denial records on $1_tmp_t files only; directory listing
# denials are still logged. No access is granted.
dontaudit $2 $1_tmp_t:file r_file_perms;
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_read_user_tmp_files'($*)) dnl
')
########################################
##
## Do not audit attempts to append to user
## temporary files.
##
##
##
## Do not audit attempts to append to user
## temporary files.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_append_user_tmp_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_append_user_tmp_files'($*)) dnl
gen_require(`
type $1_tmp_t;
')
# Silences only the append denial on $1_tmp_t files; write and other
# permissions still audit normally. No access is granted.
dontaudit $2 $1_tmp_t:file append;
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_append_user_tmp_files'($*)) dnl
')
########################################
##
## Read and write user temporary files.
##
##
##
## Read and write user temporary files.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_rw_user_tmp_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_rw_user_tmp_files'($*)) dnl
gen_require(`
type $1_tmp_t;
')
files_search_tmp($2)
# Listing of $1_tmp_t directories plus read-write on existing $1_tmp_t
# files. Directories stay read-only so $2 cannot create or unlink
# entries through this interface.
allow $2 $1_tmp_t:dir r_dir_perms;
allow $2 $1_tmp_t:file rw_file_perms;
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_rw_user_tmp_files'($*)) dnl
')
########################################
##
## Do not audit attempts to manage user
## temporary files.
##
##
##
## Do not audit attempts to manage user
## temporary files.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_manage_user_tmp_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_manage_user_tmp_files'($*)) dnl
gen_require(`
type $1_tmp_t;
')
# Silences denial records for the whole manage_file_perms set on $1_tmp_t
# files. Nothing is granted; the access stays denied and unlogged.
dontaudit $2 $1_tmp_t:file manage_file_perms;
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_manage_user_tmp_files'($*)) dnl
')
########################################
##
## Read user temporary symbolic links.
##
##
##
## Read user temporary symbolic links.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_read_user_tmp_symlinks',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_read_user_tmp_symlinks'($*)) dnl
gen_require(`
type $1_tmp_t;
')
files_search_tmp($2)
# Listing of $1_tmp_t directories plus read of $1_tmp_t symbolic links.
# The link target is not covered: $2 still needs its own access to
# whatever the link points at.
allow $2 $1_tmp_t:dir r_dir_perms;
allow $2 $1_tmp_t:lnk_file r_file_perms;
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_read_user_tmp_symlinks'($*)) dnl
')
########################################
##
## Create, read, write, and delete user
## temporary directories.
##
##
##
## Create, read, write, and delete user
## temporary directories.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_manage_user_tmp_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_user_tmp_dirs'($*)) dnl
gen_require(`
type $1_tmp_t;
')
files_search_tmp($2)
# Full lifecycle on $1_tmp_t directories. Files inside them are not
# covered; pair with the file or link interfaces as needed.
allow $2 $1_tmp_t:dir manage_dir_perms;
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_user_tmp_dirs'($*)) dnl
')
########################################
##
## Create, read, write, and delete user
## temporary files.
##
##
##
## Create, read, write, and delete user
## temporary files.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_manage_user_tmp_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_user_tmp_files'($*)) dnl
gen_require(`
type $1_tmp_t;
')
files_search_tmp($2)
# Add and remove entries in $1_tmp_t directories and create_file_perms on
# the files themselves. Only the file class is covered here.
allow $2 $1_tmp_t:dir rw_dir_perms;
allow $2 $1_tmp_t:file create_file_perms;
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_user_tmp_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete user
## temporary symbolic links.
##
##
##
## Create, read, write, and delete user
## temporary symbolic links.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_manage_user_tmp_symlinks',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_user_tmp_symlinks'($*)) dnl
gen_require(`
type $1_tmp_t;
')
files_search_tmp($2)
# Add and remove entries in $1_tmp_t directories and create_lnk_perms on
# symbolic links. Only the lnk_file class is covered here.
allow $2 $1_tmp_t:dir rw_dir_perms;
allow $2 $1_tmp_t:lnk_file create_lnk_perms;
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_user_tmp_symlinks'($*)) dnl
')
########################################
##
## Create, read, write, and delete user
## temporary named pipes.
##
##
##
## Create, read, write, and delete user
## temporary named pipes.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_manage_user_tmp_pipes',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_user_tmp_pipes'($*)) dnl
gen_require(`
type $1_tmp_t;
')
files_search_tmp($2)
# Add and remove entries in $1_tmp_t directories and create_file_perms on
# named pipes. Only the fifo_file class is covered here.
allow $2 $1_tmp_t:dir rw_dir_perms;
allow $2 $1_tmp_t:fifo_file create_file_perms;
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_user_tmp_pipes'($*)) dnl
')
########################################
##
## Create, read, write, and delete user
## temporary named sockets.
##
##
##
## Create, read, write, and delete user
## temporary named sockets.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_manage_user_tmp_sockets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_user_tmp_sockets'($*)) dnl
gen_require(`
type $1_tmp_t;
')
files_search_tmp($2)
# Add and remove entries in $1_tmp_t directories and create_file_perms on
# named socket nodes. Only the sock_file class is covered; no socket-level
# permissions are included.
allow $2 $1_tmp_t:dir rw_dir_perms;
allow $2 $1_tmp_t:sock_file create_file_perms;
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_user_tmp_sockets'($*)) dnl
')
########################################
##
## Create objects in a user temporary directory
## with an automatic type transition to
## a specified private type.
##
##
##
## Create objects in a user temporary directory
## with an automatic type transition to
## a specified private type.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the object to create.
##
##
##
##
## The class of the object to be created. If not
## specified, file is used.
##
##
#
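define(`userdom_user_tmp_filetrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_user_tmp_filetrans'($*)) dnl
gen_require(`
type $1_tmp_t;
')
# Same layout as userdom_user_home_dir_filetrans: path lookup first then
# the directory access and the transition rule.
files_search_tmp($2)
# $2 may add and remove entries directly in $1_tmp_t directories.
allow $2 $1_tmp_t:dir rw_dir_perms;
# New objects of the given class created by $2 there are labeled $3. The
# class defaults to file when the fourth argument is omitted as the summary
# states; a bare empty class would otherwise produce an invalid rule.
type_transition $2 $1_tmp_t:ifelse(`$4',`',`file',`$4') $3;
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_user_tmp_filetrans'($*)) dnl
')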
########################################
##
## Create objects in the temporary directory
## with an automatic type transition to
## the user temporary type.
##
##
##
## Create objects in the temporary directory
## with an automatic type transition to
## the user temporary type.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain allowed access.
##
##
##
##
## The class of the object to be created. If not
## specified, file is used.
##
##
#
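define(`userdom_tmp_filetrans_user_tmp',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_tmp_filetrans_user_tmp'($*)) dnl
gen_require(`
type $1_tmp_t;
')
# The only type this interface references is the user tmp type,
# so that is the one the require block has to declare; the home
# directory type previously listed here was never used and left
# the real dependency undeclared.
# The object class in the third argument is passed through
# unchanged to files_tmp_filetrans.
files_tmp_filetrans($2,$1_tmp_t,$3)
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_tmp_filetrans_user_tmp'($*)) dnl
')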
########################################
##
## Read and write user tmpfs files.
##
##
##
## Read and write user tmpfs files.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_rw_user_tmpfs_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_rw_user_tmpfs_files'($*)) dnl
gen_require(`
type $1_tmpfs_t;
')
# Symbolic links of the user tmpfs type are readable only.
allow $2 $1_tmpfs_t:lnk_file { getattr read };
# Regular files of the user tmpfs type are readable and writable.
allow $2 $1_tmpfs_t:file rw_file_perms;
# Directories of the user tmpfs type may be listed, not modified.
allow $2 $1_tmpfs_t:dir list_dir_perms;
# Search access through the tmpfs mount itself.
fs_search_tmpfs($2)
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_rw_user_tmpfs_files'($*)) dnl
')
########################################
##
## List users untrusted directories.
##
##
##
## List users untrusted directories.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_list_user_untrusted_content',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_list_user_untrusted_content'($*)) dnl
gen_require(`
type $1_untrusted_content_t;
')
# Read-only directory access to the user untrusted content
# type; no access to the files inside is granted here.
allow $2 $1_untrusted_content_t:dir r_dir_perms;
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_list_user_untrusted_content'($*)) dnl
')
########################################
##
## Do not audit attempts to list user
## untrusted directories.
##
##
##
## Do not audit attempts to list user
## untrusted directories.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_list_user_untrusted_content',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_list_user_untrusted_content'($*)) dnl
gen_require(`
type $1_untrusted_content_t;
')
# Suppress audit messages for read-only directory access on
# the user untrusted content type. Nothing is allowed by this.
dontaudit $2 $1_untrusted_content_t:dir r_dir_perms;
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_list_user_untrusted_content'($*)) dnl
')
########################################
##
## Read user untrusted files.
##
##
##
## Read user untrusted files.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_read_user_untrusted_content_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_read_user_untrusted_content_files'($*)) dnl
gen_require(`
type $1_untrusted_content_t;
')
# Read-only access to regular files of the user untrusted
# content type, plus the directory access needed to reach them.
allow $2 $1_untrusted_content_t:file r_file_perms;
allow $2 $1_untrusted_content_t:dir r_dir_perms;
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_read_user_untrusted_content_files'($*)) dnl
')
########################################
##
## Manage user untrusted files.
##
##
##
## Create, read, write, and delete untrusted files.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain allowed access.
##
##
#
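define(`userdom_manage_user_untrusted_content_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_user_untrusted_content_files'($*)) dnl
gen_require(`
type $1_tmp_t, $1_untrusted_content_tmp_t;
')
# The require block lists the types the rules below actually
# reference: the user tmp directory type and the temporary
# untrusted content type. The untrusted content type that was
# required before is not used by any rule here.
# NOTE(review): the interface name says untrusted content files,
# but the rules manage the temporary untrusted content type inside
# the user tmp directory; confirm against callers which type is
# intended before changing the rules themselves.
allow $2 $1_tmp_t:dir rw_dir_perms;
allow $2 $1_untrusted_content_tmp_t:file manage_file_perms;
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_user_untrusted_content_files'($*)) dnl
')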
########################################
##
## Do not audit attempts to read users
## untrusted files.
##
##
##
## Do not audit attempts to read users
## untrusted files.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_read_user_untrusted_content_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_read_user_untrusted_content_files'($*)) dnl
gen_require(`
type $1_untrusted_content_t;
')
# Suppress audit messages for read access to regular files of
# the user untrusted content type. Directory access is not
# covered here, only the file class.
dontaudit $2 $1_untrusted_content_t:file r_file_perms;
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_read_user_untrusted_content_files'($*)) dnl
')
########################################
##
## Read user untrusted symbolic links.
##
##
##
## Read user untrusted symbolic links.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_read_user_untrusted_content_symlinks',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_read_user_untrusted_content_symlinks'($*)) dnl
gen_require(`
type $1_untrusted_content_t;
')
# Read-only access to symbolic links of the user untrusted
# content type, plus the directory access needed to reach them.
allow $2 $1_untrusted_content_t:lnk_file r_file_perms;
allow $2 $1_untrusted_content_t:dir r_dir_perms;
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_read_user_untrusted_content_symlinks'($*)) dnl
')
########################################
##
## List users temporary untrusted directories.
##
##
##
## List users temporary untrusted directories.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_list_user_tmp_untrusted_content',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_list_user_tmp_untrusted_content'($*)) dnl
gen_require(`
type $1_untrusted_content_tmp_t;
')
# Read-only directory access to the temporary untrusted content
# type; files inside are not covered by this interface.
allow $2 $1_untrusted_content_tmp_t:dir r_dir_perms;
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_list_user_tmp_untrusted_content'($*)) dnl
')
########################################
##
## Do not audit attempts to list user
## temporary untrusted directories.
##
##
##
## Do not audit attempts to list user
## temporary untrusted directories.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_list_user_tmp_untrusted_content',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_list_user_tmp_untrusted_content'($*)) dnl
gen_require(`
type $1_untrusted_content_tmp_t;
')
# Suppress audit messages for read-only directory access on the
# temporary untrusted content type. Nothing is allowed by this.
dontaudit $2 $1_untrusted_content_tmp_t:dir r_dir_perms;
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_list_user_tmp_untrusted_content'($*)) dnl
')
########################################
##
## Read user temporary untrusted files.
##
##
##
## Read user temporary untrusted files.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_read_user_tmp_untrusted_content_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_read_user_tmp_untrusted_content_files'($*)) dnl
gen_require(`
type $1_untrusted_content_tmp_t;
')
# Read-only access to regular files of the temporary untrusted
# content type, plus the directory access needed to reach them.
allow $2 $1_untrusted_content_tmp_t:file r_file_perms;
allow $2 $1_untrusted_content_tmp_t:dir r_dir_perms;
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_read_user_tmp_untrusted_content_files'($*)) dnl
')
########################################
##
## Do not audit attempts to read users
## temporary untrusted files.
##
##
##
## Do not audit attempts to read users
## temporary untrusted files.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_read_user_tmp_untrusted_content_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_read_user_tmp_untrusted_content_files'($*)) dnl
gen_require(`
type $1_untrusted_content_tmp_t;
')
# Suppress audit messages for read access to regular files of
# the temporary untrusted content type. Only the file class is
# covered; directory denials are still audited.
dontaudit $2 $1_untrusted_content_tmp_t:file r_file_perms;
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_read_user_tmp_untrusted_content_files'($*)) dnl
')
########################################
##
## Read user temporary untrusted symbolic links.
##
##
##
## Read user temporary untrusted symbolic links.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_read_user_tmp_untrusted_content_symlinks',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_read_user_tmp_untrusted_content_symlinks'($*)) dnl
gen_require(`
type $1_untrusted_content_tmp_t;
')
# Read-only access to symbolic links of the temporary untrusted
# content type, plus the directory access needed to reach them.
allow $2 $1_untrusted_content_tmp_t:lnk_file r_file_perms;
allow $2 $1_untrusted_content_tmp_t:dir r_dir_perms;
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_read_user_tmp_untrusted_content_symlinks'($*)) dnl
')
########################################
##
## Read all user untrusted content files.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_read_all_untrusted_content',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_read_all_untrusted_content'($*)) dnl
gen_require(`
attribute untrusted_content_type;
')
# Every type carrying the untrusted_content_type attribute:
# list its directories and read its files and symbolic links.
allow $1 untrusted_content_type:dir r_dir_perms;
allow $1 untrusted_content_type:file r_file_perms;
allow $1 untrusted_content_type:lnk_file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_read_all_untrusted_content'($*)) dnl
')
########################################
##
## Read all user temporary untrusted content files.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_read_all_tmp_untrusted_content',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_read_all_tmp_untrusted_content'($*)) dnl
gen_require(`
attribute untrusted_content_tmp_type;
')
# Every type carrying the untrusted_content_tmp_type attribute:
# list its directories and read its files and symbolic links.
allow $1 untrusted_content_tmp_type:dir r_dir_perms;
allow $1 untrusted_content_tmp_type:file r_file_perms;
allow $1 untrusted_content_tmp_type:lnk_file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_read_all_tmp_untrusted_content'($*)) dnl
')
########################################
##
## Set the attributes of a user domain tty.
##
##
##
## Set the attributes of a user domain tty.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_setattr_user_ttys',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_setattr_user_ttys'($*)) dnl
ifdef(`targeted_policy',`
# Targeted policy: use the unallocated tty interface instead of
# a per-user tty device type.
term_setattr_unallocated_ttys($2)
',`
gen_require(`
type $1_tty_device_t;
')
# Otherwise only setattr on the per-user tty device type.
allow $2 $1_tty_device_t:chr_file setattr;
')
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_setattr_user_ttys'($*)) dnl
')
########################################
##
## Read and write a user domain tty.
##
##
##
## Read and write a user domain tty.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_use_user_ttys',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_use_user_ttys'($*)) dnl
ifdef(`targeted_policy',`
# Targeted policy: use the unallocated tty interface instead of
# a per-user tty device type.
term_use_unallocated_ttys($2)
',`
gen_require(`
type $1_tty_device_t;
')
# Otherwise read/write terminal access on the per-user tty type.
allow $2 $1_tty_device_t:chr_file rw_term_perms;
')
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_use_user_ttys'($*)) dnl
')
########################################
##
## Read and write a user domain tty and pty.
##
##
##
## Read and write a user domain tty and pty.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_use_user_terminals',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_use_user_terminals'($*)) dnl
ifdef(`targeted_policy',`
# Targeted policy: generic ptys and unallocated ttys stand in
# for the per-user terminal types.
term_use_generic_ptys($2)
term_use_unallocated_ttys($2)
',`
gen_require(`
type $1_tty_device_t, $1_devpts_t;
')
# Directory-level access to the pty namespace (term_list_ptys).
term_list_ptys($2)
# Read/write terminal access on both the per-user tty device
# type and the per-user pty type, expressed as one type set.
allow $2 { $1_tty_device_t $1_devpts_t }:chr_file rw_term_perms;
')
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_use_user_terminals'($*)) dnl
')
########################################
##
## Do not audit attempts to read and write
## a user domain tty and pty.
##
##
##
## Do not audit attempts to read and write
## a user domain tty and pty.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_dontaudit_use_user_terminals',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_use_user_terminals'($*)) dnl
gen_require(`
type $1_tty_device_t, $1_devpts_t;
')
# Suppress read/write terminal denials on both per-user
# terminal types, expressed as one type set.
# NOTE(review): unlike userdom_use_user_terminals this interface
# has no targeted_policy branch and references the per-user
# terminal types unconditionally; confirm those types exist in
# the targeted policy before calling it from there.
dontaudit $2 { $1_tty_device_t $1_devpts_t }:chr_file rw_term_perms;
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_use_user_terminals'($*)) dnl
')
########################################
##
## Execute a shell in all user domains. This
## is an explicit transition, requiring the
## caller to use setexeccon().
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_spec_domtrans_all_users',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_spec_domtrans_all_users'($*)) dnl
gen_require(`
attribute userdomain;
')
# Explicit (setexeccon) shell transition into any user domain.
corecmd_shell_spec_domtrans($1,userdomain)
# The user domain may send SIGCHLD to the caller and read and
# write pipes belonging to the caller.
allow userdomain $1:process sigchld;
allow userdomain $1:fifo_file rw_file_perms;
# File descriptors are usable across the transition in both
# directions.
allow userdomain $1:fd use;
allow $1 userdomain:fd use;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_spec_domtrans_all_users'($*)) dnl
')
########################################
##
## Execute an Xserver session in all user domains. This
## is an explicit transition, requiring the
## caller to use setexeccon().
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_xsession_spec_domtrans_all_users',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_xsession_spec_domtrans_all_users'($*)) dnl
gen_require(`
attribute userdomain;
')
# Explicit (setexeccon) xsession transition into any user domain.
xserver_xsession_spec_domtrans($1,userdomain)
# The user domain may send SIGCHLD to the caller and read and
# write pipes belonging to the caller.
allow userdomain $1:process sigchld;
allow userdomain $1:fifo_file rw_file_perms;
# File descriptors are usable across the transition in both
# directions.
allow userdomain $1:fd use;
allow $1 userdomain:fd use;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_xsession_spec_domtrans_all_users'($*)) dnl
')
########################################
##
## Execute a shell in all unprivileged user domains. This
## is an explicit transition, requiring the
## caller to use setexeccon().
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_spec_domtrans_unpriv_users',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_spec_domtrans_unpriv_users'($*)) dnl
gen_require(`
attribute unpriv_userdomain;
')
# Explicit (setexeccon) shell transition into any unprivileged
# user domain.
corecmd_shell_spec_domtrans($1,unpriv_userdomain)
# The user domain may send SIGCHLD to the caller and read and
# write pipes belonging to the caller.
allow unpriv_userdomain $1:process sigchld;
allow unpriv_userdomain $1:fifo_file rw_file_perms;
# File descriptors are usable across the transition in both
# directions.
allow unpriv_userdomain $1:fd use;
allow $1 unpriv_userdomain:fd use;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_spec_domtrans_unpriv_users'($*)) dnl
')
########################################
##
## Execute an Xserver session in all unprivileged user domains. This
## is an explicit transition, requiring the
## caller to use setexeccon().
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_xsession_spec_domtrans_unpriv_users',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_xsession_spec_domtrans_unpriv_users'($*)) dnl
gen_require(`
attribute unpriv_userdomain;
')
# Explicit (setexeccon) xsession transition into any unprivileged
# user domain.
xserver_xsession_spec_domtrans($1,unpriv_userdomain)
# The user domain may send SIGCHLD to the caller and read and
# write pipes belonging to the caller.
allow unpriv_userdomain $1:process sigchld;
allow unpriv_userdomain $1:fifo_file rw_file_perms;
# File descriptors are usable across the transition in both
# directions.
allow unpriv_userdomain $1:fd use;
allow $1 unpriv_userdomain:fd use;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_xsession_spec_domtrans_unpriv_users'($*)) dnl
')
########################################
##
## Manage unprivileged user SysV semaphores.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_manage_unpriv_user_semaphores',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_unpriv_user_semaphores'($*)) dnl
gen_require(`
attribute unpriv_userdomain;
')
# create_sem_perms on SysV semaphores owned by any domain that
# carries the unpriv_userdomain attribute.
allow $1 unpriv_userdomain:sem create_sem_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_unpriv_user_semaphores'($*)) dnl
')
########################################
##
## Manage unprivileged user SysV shared
## memory segments.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_manage_unpriv_user_shared_mem',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_unpriv_user_shared_mem'($*)) dnl
gen_require(`
attribute unpriv_userdomain;
')
# create_shm_perms on SysV shared memory segments owned by any
# domain that carries the unpriv_userdomain attribute.
allow $1 unpriv_userdomain:shm create_shm_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_unpriv_user_shared_mem'($*)) dnl
')
########################################
##
## Execute bin_t in the unprivileged user domains. This
## is an explicit transition, requiring the
## caller to use setexeccon().
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_bin_spec_domtrans_unpriv_users',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_bin_spec_domtrans_unpriv_users'($*)) dnl
gen_require(`
attribute unpriv_userdomain;
')
# Explicit (setexeccon) transition into any unprivileged user
# domain when executing a generic bin program.
corecmd_bin_spec_domtrans($1,unpriv_userdomain)
# The user domain may send SIGCHLD to the caller and read and
# write pipes belonging to the caller.
allow unpriv_userdomain $1:process sigchld;
allow unpriv_userdomain $1:fifo_file rw_file_perms;
# File descriptors are usable across the transition in both
# directions.
allow unpriv_userdomain $1:fd use;
allow $1 unpriv_userdomain:fd use;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_bin_spec_domtrans_unpriv_users'($*)) dnl
')
########################################
##
## Execute generic sbin programs in all unprivileged user
## domains. This is an explicit transition, requiring the
## caller to use setexeccon().
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_sbin_spec_domtrans_unpriv_users',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_sbin_spec_domtrans_unpriv_users'($*)) dnl
gen_require(`
attribute unpriv_userdomain;
')
# Explicit (setexeccon) transition into any unprivileged user
# domain when executing a generic sbin program.
corecmd_sbin_spec_domtrans($1,unpriv_userdomain)
# The user domain may send SIGCHLD to the caller and read and
# write pipes belonging to the caller.
allow unpriv_userdomain $1:process sigchld;
allow unpriv_userdomain $1:fifo_file rw_file_perms;
# File descriptors are usable across the transition in both
# directions.
allow unpriv_userdomain $1:fd use;
allow $1 unpriv_userdomain:fd use;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_sbin_spec_domtrans_unpriv_users'($*)) dnl
')
########################################
##
## Execute all entrypoint files in unprivileged user
## domains. This is an explicit transition, requiring the
## caller to use setexeccon().
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_entry_spec_domtrans_unpriv_users',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_entry_spec_domtrans_unpriv_users'($*)) dnl
gen_require(`
attribute unpriv_userdomain;
')
# Explicit (setexeccon) transition into any unprivileged user
# domain through any of its entrypoint files.
domain_entry_file_spec_domtrans($1,unpriv_userdomain)
# The user domain may send SIGCHLD to the caller and read and
# write pipes belonging to the caller.
allow unpriv_userdomain $1:process sigchld;
allow unpriv_userdomain $1:fifo_file rw_file_perms;
# File descriptors are usable across the transition in both
# directions.
allow unpriv_userdomain $1:fd use;
allow $1 unpriv_userdomain:fd use;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_entry_spec_domtrans_unpriv_users'($*)) dnl
')
########################################
##
## Execute a shell in the sysadm domain.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_shell_domtrans_sysadm',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_shell_domtrans_sysadm'($*)) dnl
ifdef(`targeted_policy',`
#cjp: need to doublecheck this one
# Targeted policy: the transition goes to the unconfined shell
# domain instead of sysadm_t.
unconfined_shell_domtrans($1)
',`
gen_require(`
type sysadm_t;
')
# Automatic transition to sysadm_t when executing a shell.
corecmd_shell_domtrans($1,sysadm_t)
# sysadm_t may send SIGCHLD to the caller and read and write
# pipes belonging to the caller.
allow sysadm_t $1:process sigchld;
allow sysadm_t $1:fifo_file rw_file_perms;
# File descriptors are usable across the transition in both
# directions.
allow sysadm_t $1:fd use;
allow $1 sysadm_t:fd use;
')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_shell_domtrans_sysadm'($*)) dnl
')
########################################
##
## Execute a generic bin program in the sysadm domain.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_bin_spec_domtrans_sysadm',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_bin_spec_domtrans_sysadm'($*)) dnl
gen_require(`
type sysadm_t;
')
# Explicit (setexeccon) transition into sysadm_t when executing
# a generic bin program.
corecmd_bin_spec_domtrans($1,sysadm_t)
# sysadm_t may send SIGCHLD to the caller and read and write
# pipes belonging to the caller.
allow sysadm_t $1:process sigchld;
allow sysadm_t $1:fifo_file rw_file_perms;
# File descriptors are usable across the transition in both
# directions.
allow sysadm_t $1:fd use;
allow $1 sysadm_t:fd use;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_bin_spec_domtrans_sysadm'($*)) dnl
')
########################################
##
## Execute a generic sbin program in the sysadm domain.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_sbin_spec_domtrans_sysadm',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_sbin_spec_domtrans_sysadm'($*)) dnl
gen_require(`
type sysadm_t;
')
# Explicit (setexeccon) transition into sysadm_t when executing
# a generic sbin program.
corecmd_sbin_spec_domtrans($1,sysadm_t)
# sysadm_t may send SIGCHLD to the caller and read and write
# pipes belonging to the caller.
allow sysadm_t $1:process sigchld;
allow sysadm_t $1:fifo_file rw_file_perms;
# File descriptors are usable across the transition in both
# directions.
allow sysadm_t $1:fd use;
allow $1 sysadm_t:fd use;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_sbin_spec_domtrans_sysadm'($*)) dnl
')
########################################
##
## Execute all entrypoint files in the sysadm domain. This
## is an explicit transition, requiring the
## caller to use setexeccon().
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_entry_spec_domtrans_sysadm',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_entry_spec_domtrans_sysadm'($*)) dnl
gen_require(`
type sysadm_t;
')
# Explicit (setexeccon) transition into sysadm_t through any of
# its entrypoint files.
domain_entry_file_spec_domtrans($1,sysadm_t)
# sysadm_t may send SIGCHLD to the caller and read and write
# pipes belonging to the caller.
allow sysadm_t $1:process sigchld;
allow sysadm_t $1:fifo_file rw_file_perms;
# File descriptors are usable across the transition in both
# directions.
allow sysadm_t $1:fd use;
allow $1 sysadm_t:fd use;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_entry_spec_domtrans_sysadm'($*)) dnl
')
########################################
##
## Allow sysadm to execute a generic bin program in
## a specified domain. This is an explicit transition,
## requiring the caller to use setexeccon().
##
##
##
## Allow sysadm to execute a generic bin program in
## a specified domain.
##
##
## This is an interface to support third-party modules
## and its use is not allowed in upstream reference
## policy.
##
##
##
##
## Domain to execute in.
##
##
#
define(`userdom_sysadm_bin_spec_domtrans_to',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_sysadm_bin_spec_domtrans_to'($*)) dnl
gen_require(`
type sysadm_t;
')
# Direction is reversed relative to the other domtrans interfaces
# here: sysadm_t is the caller and the argument is the target
# domain, entered via an explicit (setexeccon) transition when a
# generic bin program is executed.
corecmd_bin_spec_domtrans(sysadm_t,$1)
# The target domain may send SIGCHLD to sysadm_t and read and
# write pipes belonging to sysadm_t.
allow $1 sysadm_t:process sigchld;
allow $1 sysadm_t:fifo_file rw_file_perms;
# File descriptors are usable across the transition in both
# directions.
allow $1 sysadm_t:fd use;
allow sysadm_t $1:fd use;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_sysadm_bin_spec_domtrans_to'($*)) dnl
')
########################################
##
## Allow sysadm to execute a generic sbin program in
## a specified domain. This is an explicit transition,
## requiring the caller to use setexeccon().
##
##
##
## Allow sysadm to execute a generic sbin program in
## a specified domain.
##
##
## This is an interface to support third party modules
## and its use is not allowed in upstream reference
## policy.
##
##
##
##
## Domain to execute in.
##
##
#
define(`userdom_sysadm_sbin_spec_domtrans_to',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_sysadm_sbin_spec_domtrans_to'($*)) dnl
gen_require(`
type sysadm_t;
')
# Same shape as userdom_sysadm_bin_spec_domtrans_to, but the entry
# point is a generic sbin program: sysadm_t explicitly (setexeccon)
# executes into the target domain ($1).
corecmd_sbin_spec_domtrans(sysadm_t, $1)
# The target may use sysadm_t file descriptors, read and write pipes
# owned by sysadm_t and deliver SIGCHLD to it.
allow sysadm_t $1:fd use;
allow $1 sysadm_t:fd use;
allow $1 sysadm_t:fifo_file rw_file_perms;
allow $1 sysadm_t:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_sysadm_sbin_spec_domtrans_to'($*)) dnl
')
########################################
##
## Allow sysadm to execute all entrypoint files
## in the specified domain. This is an explicit
## transition, requiring the caller to use setexeccon().
##
##
##
## Allow sysadm to execute all entrypoint files
## in the specified domain. This is an explicit
## transition, requiring the caller to use setexeccon().
##
##
## This is an interface to support third party modules
## and its use is not allowed in upstream reference
## policy.
##
##
##
##
## Domain to execute in.
##
##
#
define(`userdom_sysadm_entry_spec_domtrans_to',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_sysadm_entry_spec_domtrans_to'($*)) dnl
gen_require(`
type sysadm_t;
')
# Broadest of the three *_to variants: sysadm_t may explicitly
# (setexeccon) execute any entrypoint file of the target domain ($1),
# not only generic bin/sbin programs.
domain_entry_file_spec_domtrans(sysadm_t, $1)
# The target may use sysadm_t file descriptors, read and write pipes
# owned by sysadm_t and deliver SIGCHLD to it.
allow sysadm_t $1:fd use;
allow $1 sysadm_t:fd use;
allow $1 sysadm_t:fifo_file rw_file_perms;
allow $1 sysadm_t:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_sysadm_entry_spec_domtrans_to'($*)) dnl
')
########################################
##
## Search the staff users home directory.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_search_staff_home_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_search_staff_home_dirs'($*)) dnl
gen_require(`
type staff_home_dir_t;
')
# Path-walk support for the home root, then search (not list) on the
# staff home directory itself. No targeted_policy branch here, unlike
# userdom_manage_staff_home_dirs below.
files_search_home($1)
allow $1 staff_home_dir_t:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_search_staff_home_dirs'($*)) dnl
')
########################################
##
## Do not audit attempts to search the staff
## users home directory.
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_search_staff_home_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_search_staff_home_dirs'($*)) dnl
gen_require(`
type staff_home_dir_t;
')
# Suppress AVC denials only; grants nothing. Use for domains that probe
# home directories as noise rather than by design.
dontaudit $1 staff_home_dir_t:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_search_staff_home_dirs'($*)) dnl
')
########################################
##
## Create, read, write, and delete staff
## home directories.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_manage_staff_home_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_staff_home_dirs'($*)) dnl
ifdef(`targeted_policy',`
# Targeted policy has no separate staff role: staff home dirs are the
# generic user home dirs, so delegate to that interface.
userdom_manage_generic_user_home_dirs($1)
',`
gen_require(`
type staff_home_dir_t;
')
# Full directory management (create/delete/rename etc.) on the staff
# home directory itself, not on the files inside it.
files_search_home($1)
allow $1 staff_home_dir_t:dir manage_dir_perms;
')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_staff_home_dirs'($*)) dnl
')
########################################
##
## Do not audit attempts to append to the staff
## users home directory.
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_append_staff_home_content_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_append_staff_home_content_files'($*)) dnl
gen_require(`
type staff_home_t;
')
# Silence append attempts on files (only the file class) under staff
# home directories. NOTE(review): no targeted_policy branch here while
# the neighbouring staff interfaces have one; confirm staff_home_t is
# declared in targeted builds, otherwise gen_require fails.
dontaudit $1 staff_home_t:file append;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_append_staff_home_content_files'($*)) dnl
')
########################################
##
## Read files in the staff users home directory.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_read_staff_home_content_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_read_staff_home_content_files'($*)) dnl
gen_require(`
type staff_home_dir_t, staff_home_t;
')
# Read-only view of staff home content: list the home directory and its
# subdirectories, read regular files and follow symlinks. Does not cover
# other object classes (sockets, fifos, device nodes).
files_search_home($1)
allow $1 { staff_home_dir_t staff_home_t }:dir r_dir_perms;
allow $1 staff_home_t:{ file lnk_file } r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_read_staff_home_content_files'($*)) dnl
')
########################################
##
## Send a SIGCHLD signal to sysadm users.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_sigchld_sysadm',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_sigchld_sysadm'($*)) dnl
ifdef(`targeted_policy',`
# Targeted policy runs administrators unconfined, so the sysadm role is
# represented by the unconfined domain here.
unconfined_sigchld($1)
',`
gen_require(`
type sysadm_t;
')
# SIGCHLD only (the child-exit notification); no other signals.
allow $1 sysadm_t:process sigchld;
')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_sigchld_sysadm'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of sysadm ttys.
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_getattr_sysadm_ttys',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_getattr_sysadm_ttys'($*)) dnl
ifdef(`targeted_policy',`
# No per-role tty type in targeted policy; the equivalent noise comes
# from the unallocated tty type.
term_dontaudit_getattr_unallocated_ttys($1)
',`
gen_require(`
type sysadm_tty_device_t;
')
# getattr only (stat on the tty device node); read/write attempts on the
# tty are a separate interface and remain audited.
dontaudit $1 sysadm_tty_device_t:chr_file getattr;
')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_getattr_sysadm_ttys'($*)) dnl
')
########################################
##
## Read and write sysadm ttys.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_use_sysadm_ttys',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_use_sysadm_ttys'($*)) dnl
ifdef(`targeted_policy',`
# Targeted policy has no sysadm tty type; map to unallocated ttys.
term_use_unallocated_ttys($1)
',`
gen_require(`
type sysadm_tty_device_t;
')
# Directory access so the tty path can be resolved under /dev and
# /dev/pts, then terminal read/write on the sysadm tty device nodes.
# Note: a domain that can write a sysadm tty can inject into an
# administrator session, so this should be granted sparingly.
dev_list_all_dev_nodes($1)
term_list_ptys($1)
allow $1 sysadm_tty_device_t:chr_file rw_term_perms;
')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_use_sysadm_ttys'($*)) dnl
')
########################################
##
## Do not audit attempts to use sysadm ttys.
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_use_sysadm_ttys',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_use_sysadm_ttys'($*)) dnl
ifdef(`targeted_policy',`
# Targeted policy has no sysadm tty type; map to unallocated ttys.
term_dontaudit_use_unallocated_ttys($1)
',`
gen_require(`
type sysadm_tty_device_t;
')
# Only read and write are silenced, not the full rw_term_perms set that
# the allow counterpart grants (ioctl, getattr etc. stay audited).
dontaudit $1 sysadm_tty_device_t:chr_file { read write };
')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_use_sysadm_ttys'($*)) dnl
')
########################################
##
## Read and write sysadm ptys.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_use_sysadm_ptys',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_use_sysadm_ptys'($*)) dnl
ifdef(`targeted_policy',`
# Targeted policy has no sysadm pty type; map to generic ptys.
term_use_generic_ptys($1)
',`
gen_require(`
type sysadm_devpts_t;
')
# Same shape as userdom_use_sysadm_ttys, for pseudo terminals: resolve
# the path under /dev and /dev/pts, then terminal read/write on sysadm
# pty nodes. Write access to an administrator pty is sensitive.
dev_list_all_dev_nodes($1)
term_list_ptys($1)
allow $1 sysadm_devpts_t:chr_file rw_term_perms;
')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_use_sysadm_ptys'($*)) dnl
')
########################################
##
## Do not audit attempts to read and write sysadm ptys.
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_use_sysadm_ptys',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_use_sysadm_ptys'($*)) dnl
ifdef(`targeted_policy',`
# Targeted policy has no sysadm pty type; map to generic ptys.
term_dontaudit_use_generic_ptys($1)
',`
gen_require(`
type sysadm_devpts_t;
')
# Silence read/write only; grants nothing.
dontaudit $1 sysadm_devpts_t:chr_file { read write };
')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_use_sysadm_ptys'($*)) dnl
')
########################################
##
## Read and write sysadm ttys and ptys.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_use_sysadm_terms',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_use_sysadm_terms'($*)) dnl
# Convenience wrapper: both sysadm ttys and sysadm ptys. The
# targeted_policy mapping is handled inside the two called interfaces,
# so no ifdef is needed here.
userdom_use_sysadm_ttys($1)
userdom_use_sysadm_ptys($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_use_sysadm_terms'($*)) dnl
')
########################################
##
## Do not audit attempts to use sysadm ttys and ptys.
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_use_sysadm_terms',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_use_sysadm_terms'($*)) dnl
ifdef(`targeted_policy',`
# NOTE(review): only generic ptys are silenced here, while the allow
# counterpart (userdom_use_sysadm_terms) covers both unallocated ttys
# and generic ptys in targeted builds; confirm whether tty denials
# should be silenced as well.
term_dontaudit_use_generic_ptys($1)
',`
gen_require(`
attribute admin_terminal;
')
# Strict policy uses the admin_terminal attribute rather than the two
# concrete types, so every admin tty/pty type is covered at once.
dontaudit $1 admin_terminal:chr_file { read write };
')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_use_sysadm_terms'($*)) dnl
')
########################################
##
## Inherit and use sysadm file descriptors
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_use_sysadm_fds',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_use_sysadm_fds'($*)) dnl
ifdef(`targeted_policy',`
# Administrators are unconfined in targeted policy.
unconfined_use_fds($1)
',`
gen_require(`
type sysadm_t;
')
# fd:use permits using descriptors inherited from sysadm_t (e.g. across
# exec); access to the underlying object is still checked separately.
allow $1 sysadm_t:fd use;
')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_use_sysadm_fds'($*)) dnl
')
########################################
##
## Read and write sysadm user unnamed pipes.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_rw_sysadm_pipes',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_rw_sysadm_pipes'($*)) dnl
ifdef(`targeted_policy',`
#cjp: need to doublecheck this one
# Administrators are unconfined in targeted policy; the open question
# above (whether unconfined pipes are the right equivalent) still stands.
unconfined_rw_pipes($1)
',`
gen_require(`
type sysadm_t;
')
# Read/write on unnamed pipes labelled with the sysadm_t domain type;
# typically paired with userdom_use_sysadm_fds so the pipe descriptor
# itself can be used.
allow $1 sysadm_t:fifo_file rw_file_perms;
')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_rw_sysadm_pipes'($*)) dnl
')
########################################
##
## Get the attributes of the sysadm users
## home directory.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_getattr_sysadm_home_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_getattr_sysadm_home_dirs'($*)) dnl
gen_require(`
type sysadm_home_dir_t;
')
# stat() on the sysadm home directory only; no search, and no
# files_search_home, so the caller needs access to the home root via
# another interface.
allow $1 sysadm_home_dir_t:dir getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_getattr_sysadm_home_dirs'($*)) dnl
')
########################################
##
## Do not audit attempts to get the
## attributes of the sysadm users
## home directory.
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_getattr_sysadm_home_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_getattr_sysadm_home_dirs'($*)) dnl
ifdef(`targeted_policy',`
# Targeted policy has no sysadm home type; the administrator home is
# a generic user home directory.
gen_require(`
type user_home_dir_t;
')
dontaudit $1 user_home_dir_t:dir getattr;
', `
gen_require(`
type sysadm_home_dir_t;
')
# Silence stat() attempts on the sysadm home directory; grants nothing.
dontaudit $1 sysadm_home_dir_t:dir getattr;
')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_getattr_sysadm_home_dirs'($*)) dnl
')
########################################
##
## Search the sysadm users home directory.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_search_sysadm_home_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_search_sysadm_home_dirs'($*)) dnl
gen_require(`
type sysadm_home_dir_t;
')
# Search (path traversal) on the sysadm home directory. Unlike the
# staff variant this does not call files_search_home, so the caller
# must already be able to reach the home root.
allow $1 sysadm_home_dir_t:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_search_sysadm_home_dirs'($*)) dnl
')
########################################
##
## Do not audit attempts to search the sysadm
## users home directory.
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_search_sysadm_home_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_search_sysadm_home_dirs'($*)) dnl
ifdef(`targeted_policy',`
# Targeted policy has no sysadm home type; use the generic user home.
gen_require(`
type user_home_dir_t;
')
dontaudit $1 user_home_dir_t:dir search_dir_perms;
',`
gen_require(`
type sysadm_home_dir_t;
')
# Silence search attempts on the sysadm home directory; grants nothing.
dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;
')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_search_sysadm_home_dirs'($*)) dnl
')
########################################
##
## List the sysadm users home directory.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_list_sysadm_home_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_list_sysadm_home_dirs'($*)) dnl
gen_require(`
type sysadm_home_dir_t;
')
# Directory listing (read) of the sysadm home directory; file contents
# are not covered. No files_search_home here either.
allow $1 sysadm_home_dir_t:dir list_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_list_sysadm_home_dirs'($*)) dnl
')
########################################
##
## Do not audit attempts to list the sysadm
## users home directory.
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_list_sysadm_home_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_list_sysadm_home_dirs'($*)) dnl
gen_require(`
type sysadm_home_dir_t;
')
# Silence listing attempts on the sysadm home directory; grants nothing.
# NOTE(review): no targeted_policy branch, unlike the getattr and search
# dontaudit siblings; confirm sysadm_home_dir_t exists in targeted builds.
dontaudit $1 sysadm_home_dir_t:dir list_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_list_sysadm_home_dirs'($*)) dnl
')
########################################
##
## Do not audit attempts to read files in the
## sysadm users home directory.
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_read_sysadm_home_content_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_read_sysadm_home_content_files'($*)) dnl
ifdef(`targeted_policy',`
# Targeted policy has no sysadm home types; use the generic user home
# directory and content types.
gen_require(`
type user_home_dir_t, user_home_t;
')
dontaudit $1 user_home_dir_t:dir search_dir_perms;
dontaudit $1 user_home_t:dir search_dir_perms;
dontaudit $1 user_home_t:file r_file_perms;
',`
gen_require(`
type sysadm_home_dir_t, sysadm_home_t;
')
# Silence the whole read path: traversal of the home directory and its
# subdirectories plus reads of regular files. Grants nothing.
dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;
dontaudit $1 sysadm_home_t:dir search_dir_perms;
dontaudit $1 sysadm_home_t:file r_file_perms;
')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_read_sysadm_home_content_files'($*)) dnl
')
########################################
##
## Create objects in sysadm home directories
## with automatic file type transition.
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the object to be created.
##
##
##
##
## The class of the object to be created.
## If not specified, file is used.
##
##
#
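define(`userdom_sysadm_home_dir_filetrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_sysadm_home_dir_filetrans'($*)) dnl
gen_require(`
type sysadm_home_dir_t;
')
# The caller domain ($1) may add and remove entries in the sysadm home
# directory. Objects of the class named by the third argument that it
# creates there are labelled $2 instead of inheriting sysadm_home_dir_t.
# The class defaults to file when the third argument is omitted, as the
# interface documentation promises; previously an omitted class expanded
# to a malformed type_transition rule.
allow $1 sysadm_home_dir_t:dir rw_dir_perms;
type_transition $1 sysadm_home_dir_t:ifelse(`$3',`',`file',`$3') $2;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_sysadm_home_dir_filetrans'($*)) dnl
')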
########################################
##
## Search the sysadm users home sub directories.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_search_sysadm_home_content_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_search_sysadm_home_content_dirs'($*)) dnl
gen_require(`
type sysadm_home_dir_t, sysadm_home_t;
')
# Traversal only, through the sysadm home directory and any
# subdirectory beneath it; no listing and no file access.
allow $1 { sysadm_home_dir_t sysadm_home_t }:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_search_sysadm_home_content_dirs'($*)) dnl
')
########################################
##
## Read files in the sysadm users home directory.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_read_sysadm_home_content_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_read_sysadm_home_content_files'($*)) dnl
gen_require(`
type sysadm_home_dir_t, sysadm_home_t;
')
# Read-only view of the administrator home: list the home directory and
# its subdirectories, read regular files and follow symlinks. Sensitive
# material (keys, shell history) typically lives here, so grant narrowly.
files_search_home($1)
allow $1 { sysadm_home_dir_t sysadm_home_t }:dir r_dir_perms;
allow $1 sysadm_home_t:{ file lnk_file } r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_read_sysadm_home_content_files'($*)) dnl
')
########################################
##
## Search all users home directories.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_search_all_users_home_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_search_all_users_home_dirs'($*)) dnl
gen_require(`
attribute home_dir_type;
')
# List the home root, then traverse every home directory type (via the
# home_dir_type attribute). Subdirectory contents are not included.
files_list_home($1)
allow $1 home_dir_type:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_search_all_users_home_dirs'($*)) dnl
')
########################################
##
## List all users home directories.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_list_all_users_home_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_list_all_users_home_dirs'($*)) dnl
gen_require(`
attribute home_dir_type;
')
# List the home root and the top level of every home directory type.
# Reveals file names for all users; contents remain inaccessible.
files_list_home($1)
allow $1 home_dir_type:dir list_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_list_all_users_home_dirs'($*)) dnl
')
########################################
##
## Search all users home directories and their contents.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_search_all_users_home_content',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_search_all_users_home_content'($*)) dnl
gen_require(`
attribute home_dir_type, home_type;
')
# Like userdom_search_all_users_home_dirs but traversal also extends
# into subdirectories (home_type) of every home directory.
files_list_home($1)
allow $1 { home_dir_type home_type }:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_search_all_users_home_content'($*)) dnl
')
########################################
##
## Do not audit attempts to search all users home directories.
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_search_all_users_home_content',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_search_all_users_home_content'($*)) dnl
gen_require(`
attribute home_dir_type, home_type;
')
# Silence traversal of all home directories and their subdirectories,
# and also listing of NFS and CIFS mounts, since home directories are
# commonly network mounted. Grants nothing.
dontaudit $1 { home_dir_type home_type }:dir search_dir_perms;
fs_dontaudit_list_nfs($1)
fs_dontaudit_list_cifs($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_search_all_users_home_content'($*)) dnl
')
########################################
##
## Read all files in all users home directories.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_read_all_users_home_content_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_read_all_users_home_content_files'($*)) dnl
gen_require(`
attribute home_type;
')
# Read every regular file under every home directory (home_type covers
# all per-role content types). This exposes all user data, including
# credentials kept in home directories, so reserve it for backup-style
# domains. Note: only dir and file; unlike the staff and sysadm read
# interfaces, lnk_file is not included.
files_list_home($1)
allow $1 home_type:dir r_dir_perms;
allow $1 home_type:file r_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_read_all_users_home_content_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete all directories
## in all users home directories.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_manage_all_users_home_content_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_all_users_home_content_dirs'($*)) dnl
gen_require(`
attribute home_type;
')
# Create, rename and delete subdirectories of every home directory
# (create_dir_perms on home_type). Files inside them are a separate
# interface.
files_list_home($1)
allow $1 home_type:dir create_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_all_users_home_content_dirs'($*)) dnl
')
########################################
##
## Create, read, write, and delete all files
## in all users home directories.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_manage_all_users_home_content_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_all_users_home_content_files'($*)) dnl
gen_require(`
attribute home_type;
')
# Full control over regular files in every home directory, plus the
# directory read/write needed to add and remove entries. This is a
# very broad grant (all user data on the system); prefer the per-role
# interfaces where possible.
files_list_home($1)
allow $1 home_type:dir rw_dir_perms;
allow $1 home_type:file create_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_all_users_home_content_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete all symlinks
## in all users home directories.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_manage_all_users_home_content_symlinks',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_all_users_home_content_symlinks'($*)) dnl
gen_require(`
attribute home_type;
')
# Create, read and delete symlinks in every home directory, plus the
# directory read/write needed to add and remove entries. Regular files
# are not covered (see the _files sibling).
files_list_home($1)
allow $1 home_type:dir rw_dir_perms;
allow $1 home_type:lnk_file create_lnk_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_all_users_home_content_symlinks'($*)) dnl
')
########################################
##
## Make the specified domain a privileged
## home directory manager.
##
##
##
## Make the specified domain a privileged
## home directory manager. This domain will be
## able to manage the contents of all users
## general home directory content, and create
## files with the correct context.
##
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_priveleged_home_dir_manager',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_priveleged_home_dir_manager'($*)) dnl
gen_require(`
attribute privhome;
')
# The interface name keeps the historical misspelling (priveleged)
# because callers reference it by name; do not rename without an alias.
# Membership in privhome carries whatever rules are written against that
# attribute elsewhere in the policy (not visible here); per the summary
# that is management of all user home content with correct labelling,
# so treat this as a high-privilege grant.
files_list_home($1)
typeattribute $1 privhome;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_priveleged_home_dir_manager'($*)) dnl
')
########################################
##
## Send general signals to unprivileged user domains.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_signal_unpriv_users',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_signal_unpriv_users'($*)) dnl
gen_require(`
attribute unpriv_userdomain;
')
# The signal permission covers general signals (e.g. SIGTERM, SIGHUP)
# but not sigkill, sigstop or sigchld, which are separate permissions.
allow $1 unpriv_userdomain:process signal;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_signal_unpriv_users'($*)) dnl
')
########################################
##
## Inherit the file descriptors from unprivileged user domains.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_use_unpriv_users_fds',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_use_unpriv_users_fds'($*)) dnl
gen_require(`
attribute unpriv_userdomain;
')
# Use descriptors inherited from any unprivileged user domain. Access to
# the object behind the descriptor is still checked separately.
allow $1 unpriv_userdomain:fd use;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_use_unpriv_users_fds'($*)) dnl
')
########################################
##
## Do not audit attempts to inherit the
## file descriptors from unprivileged user domains.
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_use_unpriv_user_fds',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_use_unpriv_user_fds'($*)) dnl
gen_require(`
attribute unpriv_userdomain;
')
# dontaudit counterpart of userdom_use_unpriv_users_fds (note the
# singular "user" in this name; both spellings are part of the public
# interface). Grants nothing, only suppresses fd:use denials.
dontaudit $1 unpriv_userdomain:fd use;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_use_unpriv_user_fds'($*)) dnl
')
########################################
##
## Create generic user home directories
## with automatic file type transition.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_home_filetrans_generic_user_home_dir',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_home_filetrans_generic_user_home_dir'($*)) dnl
gen_require(`
type user_home_dir_t;
')
# Directories created by the caller in the home root are automatically
# labelled user_home_dir_t (class fixed to dir). The directory write
# access on the home root is provided by files_home_filetrans.
files_home_filetrans($1,user_home_dir_t,dir)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_home_filetrans_generic_user_home_dir'($*)) dnl
')
########################################
##
## Search generic user home directories.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_search_generic_user_home_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_search_generic_user_home_dirs'($*)) dnl
gen_require(`
type user_home_dir_t;
')
# Traversal of the generic user home directory only (search pattern).
# Note that, unlike the sibling interfaces below, this does not call
# files_search_home, so the caller must be able to reach the home
# root by other means.
allow $1 user_home_dir_t:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_search_generic_user_home_dirs'($*)) dnl
')
########################################
##
## Create objects in generic user home directories
## with automatic file type transition.
##
##
##
## Domain allowed access.
##
##
##
##
## The class of the object to be created.
## If not specified, file is used.
##
##
#
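define(`userdom_generic_user_home_dir_filetrans_generic_user_home_content',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_generic_user_home_dir_filetrans_generic_user_home_content'($*)) dnl
gen_require(`
type user_home_dir_t, user_home_t;
')
# Reach the home root and allow $1 to add and remove entries in the
# generic user home directory.
files_search_home($1)
allow $1 user_home_dir_t:dir rw_dir_perms;
# Objects $1 creates in user_home_dir_t get the user_home_t label.
# The object class defaults to file when the second argument is
# omitted, which is what the interface header documents; the
# original emitted an empty class in that case, which does not parse.
type_transition $1 user_home_dir_t:ifelse(`$2',`',`file',`$2') user_home_t;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_generic_user_home_dir_filetrans_generic_user_home_content'($*)) dnl
')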
########################################
##
## Don't audit search on the user home subdirectory.
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_search_generic_user_home_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_search_generic_user_home_dirs'($*)) dnl
gen_require(`
type user_home_t;
')
# NOTE(review): despite the interface name this silences searches of
# user_home_t, the content type inside a home directory, not of
# user_home_dir_t (the home directory itself). Callers that need the
# latter silenced get nothing from this interface.
dontaudit $1 user_home_t:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_search_generic_user_home_dirs'($*)) dnl
')
########################################
##
## Create, read, write, and delete generic user
## home directories.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_manage_generic_user_home_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_generic_user_home_dirs'($*)) dnl
gen_require(`
type user_home_dir_t;
')
# Full control over the generic user home directory object itself
# (create, rename, remove, add and remove entries). The content
# inside it (user_home_t) is governed by the *_home_content_*
# interfaces, not by this one.
files_search_home($1)
allow $1 user_home_dir_t:dir manage_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_generic_user_home_dirs'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## subdirectories of generic user
## home directories.
##
##
##
## Domain allowed access.
##
##
#
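define(`userdom_manage_generic_user_home_content_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_generic_user_home_content_dirs'($*)) dnl
gen_require(`
type user_home_dir_t, user_home_t;
')
# Both types are listed in the require block: the search rule below
# references user_home_dir_t, which the original left out, so a
# loadable-module build of a caller had no declaration for it.
# Reach the home root and traverse the home directory, then create
# and remove subdirectories of type user_home_t inside it.
files_search_home($1)
allow $1 user_home_dir_t:dir search_dir_perms;
allow $1 user_home_t:dir create_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_generic_user_home_content_dirs'($*)) dnl
')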
########################################
##
## Create, read, write, and delete
## subdirectories of generic staff
## home directories.
##
##
##
## Domain allowed access.
##
##
#
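define(`userdom_manage_staff_home_content_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_staff_home_content_dirs'($*)) dnl
gen_require(`
type staff_home_dir_t, staff_home_t;
')
# staff_home_dir_t is referenced by the search rule below and so must
# be in the require block; the original only required staff_home_t.
# Reach the home root, traverse the staff home directory and create
# and remove subdirectories of type staff_home_t inside it.
files_search_home($1)
allow $1 staff_home_dir_t:dir search_dir_perms;
allow $1 staff_home_t:dir create_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_staff_home_content_dirs'($*)) dnl
')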
########################################
##
## Read files in generic user home directories.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_read_generic_user_home_content_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_read_generic_user_home_content_files'($*)) dnl
gen_require(`
type user_home_dir_t, user_home_t;
')
# Read-only access to regular files of type user_home_t, together
# with the directory traversal needed to reach them: the home root
# (via files_search_home), the home directory itself (search only)
# and the content directories.
files_search_home($1)
allow $1 user_home_t:file r_file_perms;
allow $1 user_home_t:dir r_dir_perms;
allow $1 user_home_dir_t:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_read_generic_user_home_content_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete files
## in generic user home directories.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_manage_generic_user_home_content_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_generic_user_home_content_files'($*)) dnl
gen_require(`
type user_home_t, user_home_dir_t;
')
# Full lifecycle control (create, read, write, delete) of regular
# files labeled user_home_t. The dir rules only provide what is
# needed to reach and modify the containing directories; the home
# directory object itself is not manageable through this interface.
files_search_home($1)
allow $1 user_home_t:file manage_file_perms;
allow $1 user_home_t:dir rw_dir_perms;
allow $1 user_home_dir_t:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_generic_user_home_content_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete symbolic
## links in generic user home directories.
##
##
##
## Domain allowed access.
##
##
#
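define(`userdom_manage_generic_user_home_content_symlinks',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_generic_user_home_content_symlinks'($*)) dnl
gen_require(`
type user_home_dir_t, user_home_t;
')
# user_home_dir_t is used by the search rule below and therefore has
# to be required as well (the original only required user_home_t).
# Reach the home root, traverse the home directory, and manage
# symbolic links of type user_home_t in the content directories.
files_search_home($1)
allow $1 user_home_dir_t:dir search_dir_perms;
allow $1 user_home_t:dir rw_dir_perms;
allow $1 user_home_t:lnk_file create_lnk_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_generic_user_home_content_symlinks'($*)) dnl
')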
########################################
##
## Create, read, write, and delete named
## pipes in generic user home directories.
##
##
##
## Domain allowed access.
##
##
#
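define(`userdom_manage_generic_user_home_content_pipes',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_generic_user_home_content_pipes'($*)) dnl
gen_require(`
type user_home_dir_t, user_home_t;
')
# user_home_dir_t is referenced by the search rule below; the
# original omitted it from the require block.
# Reach the home root, traverse the home directory, and manage
# named pipes of type user_home_t in the content directories.
files_search_home($1)
allow $1 user_home_dir_t:dir search_dir_perms;
allow $1 user_home_t:dir rw_dir_perms;
allow $1 user_home_t:fifo_file create_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_generic_user_home_content_pipes'($*)) dnl
')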
########################################
##
## Create, read, write, and delete named
## sockets in generic user home directories.
##
##
##
## Domain allowed access.
##
##
#
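define(`userdom_manage_generic_user_home_content_sockets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_generic_user_home_content_sockets'($*)) dnl
gen_require(`
type user_home_dir_t, user_home_t;
')
# user_home_dir_t is referenced by the search rule below; the
# original omitted it from the require block.
# Reach the home root, traverse the home directory, and manage
# named sockets of type user_home_t in the content directories.
files_search_home($1)
allow $1 user_home_dir_t:dir search_dir_perms;
allow $1 user_home_t:dir rw_dir_perms;
allow $1 user_home_t:sock_file create_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_generic_user_home_content_sockets'($*)) dnl
')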
########################################
##
## Search all unprivileged users home directories.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_search_unpriv_users_home_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_search_unpriv_users_home_dirs'($*)) dnl
gen_require(`
attribute user_home_dir_type;
')
# Traverse (search only) every home directory type carrying the
# user_home_dir_type attribute, after reaching the home root.
files_search_home($1)
allow $1 user_home_dir_type:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_search_unpriv_users_home_dirs'($*)) dnl
')
########################################
##
## Read all unprivileged users home directory
## files.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_read_unpriv_users_home_content_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_read_unpriv_users_home_content_files'($*)) dnl
gen_require(`
attribute user_home_type, user_home_dir_type;
')
# Read access across every home content type (user_home_type) of
# every user, not just the generic user: regular files, symlinks
# (getattr and read, i.e. follow) and content directories, plus the
# traversal of the home root and of all home directories.
files_search_home($1)
allow $1 user_home_type:file r_file_perms;
allow $1 user_home_type:lnk_file { getattr read };
allow $1 user_home_type:dir r_dir_perms;
allow $1 user_home_dir_type:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_read_unpriv_users_home_content_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete directories in
## unprivileged users home directories.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_manage_unpriv_users_home_content_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_unpriv_users_home_content_dirs'($*)) dnl
gen_require(`
attribute user_home_dir_type, user_home_type;
')
# Full directory control (manage_dir_perms) over the content
# directories of every user home type, after traversing the home
# root and the home directories. This spans all users at once; prefer
# the generic_user variant when only user_home_t is needed.
files_search_home($1)
allow $1 user_home_dir_type:dir search_dir_perms;
allow $1 user_home_type:dir manage_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_unpriv_users_home_content_dirs'($*)) dnl
')
########################################
##
## Create, read, write, and delete files in
## unprivileged users home directories.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_manage_unpriv_users_home_content_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_unpriv_users_home_content_files'($*)) dnl
gen_require(`
attribute user_home_type, user_home_dir_type;
')
# Create, read, write and delete regular files of every home content
# type, across all users. The directory rules grant only what is
# needed to reach the files and add or remove entries; the home
# directory objects themselves are not manageable here.
files_search_home($1)
allow $1 user_home_type:file manage_file_perms;
allow $1 user_home_type:dir rw_dir_perms;
allow $1 user_home_dir_type:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_unpriv_users_home_content_files'($*)) dnl
')
########################################
##
## Set the attributes of user ptys.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_setattr_unpriv_users_ptys',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_setattr_unpriv_users_ptys'($*)) dnl
gen_require(`
attribute user_ptynode;
')
# setattr only (ownership, mode, timestamps) on every pty device
# type carrying user_ptynode; no read or write of the terminal.
allow $1 user_ptynode:chr_file setattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_setattr_unpriv_users_ptys'($*)) dnl
')
########################################
##
## Read and write unprivileged user ptys.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_use_unpriv_users_ptys',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_use_unpriv_users_ptys'($*)) dnl
ifdef(`targeted_policy',`
# Targeted policy has no per-user pty types, so fall back to the
# generic pty type.
term_use_generic_ptys($1)
',`
gen_require(`
attribute user_ptynode;
')
# Strict policy: reach the pts directory and read/write every pty
# device type that carries user_ptynode.
term_search_ptys($1)
allow $1 user_ptynode:chr_file rw_file_perms;
')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_use_unpriv_users_ptys'($*)) dnl
')
########################################
##
## Do not audit attempts to use unprivileged
## user ptys.
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_use_unpriv_users_ptys',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_use_unpriv_users_ptys'($*)) dnl
ifdef(`targeted_policy',`
# Targeted policy: silence the generic pty type instead.
term_dontaudit_use_generic_ptys($1)
',`
gen_require(`
attribute user_ptynode;
')
# Strict policy: silence denied read/write attempts on user ptys.
# No access is granted.
dontaudit $1 user_ptynode:chr_file rw_file_perms;
')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_use_unpriv_users_ptys'($*)) dnl
')
########################################
##
## Relabel files to unprivileged user pty types.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_relabelto_unpriv_users_ptys',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_relabelto_unpriv_users_ptys'($*)) dnl
gen_require(`
attribute user_ptynode;
')
# Destination side of a relabel only: $1 may set a character device
# to any user pty type. It still needs relabelfrom on the source type
# for the relabel to succeed. Since this covers every user pty type,
# a holder can relabel a pty into another user's type, so grant it
# only to the login/pty allocation path.
allow $1 user_ptynode:chr_file relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_relabelto_unpriv_users_ptys'($*)) dnl
')
########################################
##
## Do not audit attempts to relabel files from
## unprivileged user pty types.
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_relabelfrom_unpriv_users_ptys',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_relabelfrom_unpriv_users_ptys'($*)) dnl
gen_require(`
attribute user_ptynode;
')
# Silence denied attempts to relabel a pty away from a user pty type.
# No access is granted.
dontaudit $1 user_ptynode:chr_file relabelfrom;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_relabelfrom_unpriv_users_ptys'($*)) dnl
')
########################################
##
## List all unprivileged users temporary directories.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_list_unpriv_users_tmp',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_list_unpriv_users_tmp'($*)) dnl
ifdef(`targeted_policy',`
# Targeted policy has no per-user tmp types; list the generic tmp
# directories instead.
files_list_tmp($1)
',`
gen_require(`
attribute user_tmpfile;
')
# Strict policy: list directories of every user tmp type.
allow $1 user_tmpfile:dir list_dir_perms;
')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_list_unpriv_users_tmp'($*)) dnl
')
########################################
##
## Read all unprivileged users temporary files.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_read_unpriv_users_tmp_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_read_unpriv_users_tmp_files'($*)) dnl
ifdef(`targeted_policy',`
# Targeted policy: read the generic tmp file type instead.
files_read_generic_tmp_files($1)
',`
gen_require(`
attribute user_tmpfile;
')
# Strict policy: read and stat files of every user tmp type. Spelled
# out rather than using r_file_perms, presumably to keep the grant
# minimal (no lock/ioctl) -- TODO confirm that is intentional.
allow $1 user_tmpfile:file { read getattr };
')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_read_unpriv_users_tmp_files'($*)) dnl
')
########################################
##
## Read all unprivileged users temporary symbolic links.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_read_unpriv_users_tmp_symlinks',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_read_unpriv_users_tmp_symlinks'($*)) dnl
ifdef(`targeted_policy',`
# Targeted policy: read the generic tmp symlinks instead.
files_read_generic_tmp_symlinks($1)
',`
gen_require(`
attribute user_tmpfile;
')
# Strict policy: stat and follow symlinks of every user tmp type.
allow $1 user_tmpfile:lnk_file { getattr read };
')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_read_unpriv_users_tmp_symlinks'($*)) dnl
')
########################################
##
## Write all unprivileged users files in /tmp
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_write_unpriv_users_tmp_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_write_unpriv_users_tmp_files'($*)) dnl
gen_require(`
attribute user_tmpfile;
')
# Write and append to existing files of every user tmp type. There is
# no read, no create and no unlink, and unlike the read interfaces
# above there is no targeted_policy fallback.
allow $1 user_tmpfile:file { getattr write append };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_write_unpriv_users_tmp_files'($*)) dnl
')
########################################
##
## Read and write unprivileged user ttys.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_use_unpriv_users_ttys',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_use_unpriv_users_ttys'($*)) dnl
ifdef(`targeted_policy',`
# Targeted policy has no per-user tty types; use unallocated ttys.
term_use_unallocated_ttys($1)
',`
gen_require(`
attribute user_ttynode;
')
# Strict policy: read/write every tty device type carrying
# user_ttynode.
allow $1 user_ttynode:chr_file rw_file_perms;
')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_use_unpriv_users_ttys'($*)) dnl
')
########################################
##
## Do not audit attempts to use unprivileged
## user ttys.
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_use_unpriv_users_ttys',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_use_unpriv_users_ttys'($*)) dnl
ifdef(`targeted_policy',`
# Targeted policy: silence the unallocated tty type instead.
term_dontaudit_use_unallocated_ttys($1)
',`
gen_require(`
attribute user_ttynode;
')
# Strict policy: silence denied read/write attempts on user ttys.
# No access is granted.
dontaudit $1 user_ttynode:chr_file rw_file_perms;
')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_use_unpriv_users_ttys'($*)) dnl
')
########################################
##
## Read the process state of all user domains.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_read_all_users_state',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_read_all_users_state'($*)) dnl
gen_require(`
attribute userdomain;
')
# Read the process state of every user domain. The dir and file rules
# on userdomain are, given the kernel_search_proc call, presumably the
# per-process entries under /proc; this exposes command lines, maps
# and similar state for all users, so it belongs to monitoring
# daemons only.
kernel_search_proc($1)
allow $1 userdomain:file r_file_perms;
allow $1 userdomain:dir search_dir_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_read_all_users_state'($*)) dnl
')
########################################
##
## Get the attributes of all user domains.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_getattr_all_users',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_getattr_all_users'($*)) dnl
gen_require(`
attribute userdomain;
')
# Process attribute lookup (getattr) on every user domain, e.g. what
# ps-style tools need to see that the processes exist.
allow $1 userdomain:process getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_getattr_all_users'($*)) dnl
')
########################################
##
## Inherit the file descriptors from all user domains
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_use_all_users_fds',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_use_all_users_fds'($*)) dnl
gen_require(`
attribute userdomain;
')
# Use descriptors inherited from any user domain, privileged ones
# included (the userdomain attribute, not unpriv_userdomain). The
# objects behind the descriptors are still checked separately.
allow $1 userdomain:fd use;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_use_all_users_fds'($*)) dnl
')
########################################
##
## Do not audit attempts to inherit the file
## descriptors from any user domains.
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_use_all_users_fds',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_use_all_users_fds'($*)) dnl
gen_require(`
attribute userdomain;
')
# Silence denied use of descriptors inherited from any user domain.
# No access is granted.
dontaudit $1 userdomain:fd use;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_use_all_users_fds'($*)) dnl
')
########################################
##
## Send general signals to all user domains.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_signal_all_users',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_signal_all_users'($*)) dnl
gen_require(`
attribute userdomain;
')
# The generic signal permission only: SIGKILL, SIGSTOP and SIGCHLD
# are separate permissions and are not granted here.
allow $1 userdomain:process signal;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_signal_all_users'($*)) dnl
')
########################################
##
## Send a SIGCHLD signal to all user domains.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_sigchld_all_users',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_sigchld_all_users'($*)) dnl
gen_require(`
attribute userdomain;
')
# Needed when $1 is a child of a user domain and exits: the kernel
# delivers SIGCHLD to the parent on behalf of $1.
allow $1 userdomain:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_sigchld_all_users'($*)) dnl
')
########################################
##
## Create keys for all user domains.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_create_all_users_keys',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_create_all_users_keys'($*)) dnl
ifdef(`strict_policy',`
gen_require(`
attribute userdomain;
')
# Strict policy: create kernel keyring keys labeled with any user
# domain type.
allow $1 userdomain:key create;
',`
# Any policy that is not strict (this tests strict_policy, whereas
# the sibling interfaces test targeted_policy): users are unconfined,
# so create keys for the unconfined domain instead.
unconfined_create_keys($1)
')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_create_all_users_keys'($*)) dnl
')
########################################
##
## Send a dbus message to all user domains.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_dbus_send_all_users',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_dbus_send_all_users'($*)) dnl
gen_require(`
attribute userdomain;
class dbus send_msg;
')
# dbus is a userspace object class enforced by the message bus, not
# by the kernel, which is why the class itself is required here.
# Lets $1 send messages to every user domain over the bus.
allow $1 userdomain:dbus send_msg;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_dbus_send_all_users'($*)) dnl
')
########################################
##
## Unconfined access to user domains. Currently this only grants
## creation of generic user home directories (see the body); it does
## not make the caller unconfined with respect to user domains.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_unconfined',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_unconfined'($*)) dnl
gen_require(`
type user_home_dir_t;
')
# NOTE(review): the name promises far more than the body delivers.
# All this grants is creating/removing entries on user_home_dir_t and
# the automatic labeling of new home directories; nothing here touches
# user domains, their processes or their content types. Do not rely
# on this interface to make $1 unconfined.
allow $1 user_home_dir_t:dir create_dir_perms;
files_home_filetrans($1,user_home_dir_t,dir)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_unconfined'($*)) dnl
')
########################################
##
## Make the specified type usable for files
## that are executables, such as binary programs.
## This does not include shared libraries.
##
##
##
## Type to be used for files.
##
##
#
define(`userdom_executable_file',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_executable_file'($*)) dnl
gen_require(`
attribute user_exec_type;
')
# Declare $1 as a user executable type: every interface below that
# grants access to user_exec_type (exec, manage, mmap, relabel) now
# applies to $1 as well. files_type registers it as a regular
# file type.
typeattribute $1 user_exec_type;
files_type($1)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_executable_file'($*)) dnl
')
########################################
##
## Execute user executables in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_exec',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_exec'($*)) dnl
gen_require(`
attribute user_exec_type;
')
# Execute any user executable type without a domain transition: the
# program runs with the full privileges of $1. Combined with
# userdom_manage_user_executables on the same domain this is
# equivalent to letting $1 run arbitrary code it wrote itself.
can_exec($1, user_exec_type)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_exec'($*)) dnl
')
########################################
##
## Label objects created in /tmp on behalf of the user with the
## per-user temporary type (file type transition only).
##
##
##
## The interface for full access to the temporary directories.
## This creates a derived type for the user
## temporary type. Execute access is not given.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain allowed access.
##
##
##
##
## The class of the object to be created.
## If not specified, file is used.
##
##
#
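define(`userdom_transition_user_tmp',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_transition_user_tmp'($*)) dnl
gen_require(`
type $1_tmp_t;
')
# Objects that $2 creates in the generic tmp directory are labeled
# with the per-user temporary type derived from prefix $1.
# The header documents the class as defaulting to file when the third
# argument is omitted; the original forwarded an empty argument,
# which would be an empty class in the transition rule. The default
# is applied here so the documented behaviour holds.
files_tmp_filetrans($2,$1_tmp_t,ifelse(`$3',`',`file',`$3'))
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_transition_user_tmp'($*)) dnl
')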
########################################
##
## Create, read, write, and delete all user executable files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`userdom_manage_user_executables',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_user_executables'($*)) dnl
gen_require(`
attribute user_exec_type;
')
# Write access to every user executable type. Whoever holds this can
# replace the code run by every domain that executes user_exec_type
# (see userdom_exec and userdom_mmap_all_executables), so treat it as
# an integrity-critical grant: installers and package managers only.
# Note that no directory permissions are included; the caller must
# obtain those separately.
allow $1 user_exec_type:file manage_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_user_executables'($*)) dnl
')
########################################
##
## Mmap all executables as executable.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_mmap_all_executables',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_mmap_all_executables'($*)) dnl
gen_require(`
attribute user_exec_type;
')
# Map any user executable type with PROT_EXEC (read + execute on the
# file). This intentionally stops short of execute_no_trans, so it
# does not by itself allow execve of these files in the caller
# domain; use userdom_exec for that.
allow $1 user_exec_type:file { getattr read execute };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_mmap_all_executables'($*)) dnl
')
########################################
##
## Relabel files to and from all user executable types.
##
##
##
## Domain allowed access.
##
##
##
#
define(`userdom_relabel_all_executables',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_relabel_all_executables'($*)) dnl
gen_require(`
attribute user_exec_type;
')
# Both directions of a relabel on every user executable type. With
# relabelfrom on some other file type this lets $1 turn an arbitrary
# file into a user executable, so it is as sensitive as
# userdom_manage_user_executables.
allow $1 user_exec_type:file { relabelfrom relabelto };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_relabel_all_executables'($*)) dnl
')
########################################
##
## dontaudit relabel of generic user
## home files.
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_relabel_generic_user_home_content_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_relabel_generic_user_home_content_files'($*)) dnl
gen_require(`
type user_home_t;
')
# The files_search_home call is a real allow (traversal of the home
# root); only the relabel attempts themselves are silenced, and no
# relabel permission is granted.
files_search_home($1)
dontaudit $1 user_home_t:file { relabelto relabelfrom };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_relabel_generic_user_home_content_files'($*)) dnl
')
########################################
##
## allow execute of generic user
## home files.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_execute_generic_user_home_content_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_execute_generic_user_home_content_files'($*)) dnl
gen_require(`
type user_home_t;
')
# Arg 1: the domain allowed access.
# Only the execute permission on user_home_t files is granted; read and
# execute_no_trans are not, so running home-directory content in the
# calling domain still needs those permissions from elsewhere.
files_search_home($1)
allow $1 user_home_t:file execute;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_execute_generic_user_home_content_files'($*)) dnl
')
########################################
##
## allow relabel of staff home directories.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_relabel_staff_home_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_relabel_staff_home_dirs'($*)) dnl
# Arg 1: the domain allowed access.
# Targeted builds have no separate staff home type, so the request is
# forwarded to the generic user home-directory variant. Otherwise the
# domain gets relabelto (only, not relabelfrom) on staff_home_dir_t
# directories: it may label directories as staff home dirs but not
# move an existing staff home dir to another label.
ifdef(`targeted_policy',`
userdom_relabel_generic_user_home_dirs($1)
',`
gen_require(`
type staff_home_dir_t;
')
files_search_home($1)
allow $1 staff_home_dir_t:dir relabelto;
')
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_relabel_staff_home_dirs'($*)) dnl
')
########################################
##
## allow relabel of generic user home directories.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_relabel_generic_user_home_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_relabel_generic_user_home_dirs'($*)) dnl
gen_require(`
type user_home_dir_t;
')
# Arg 1: the domain allowed access.
# Applies to generic (user_home_dir_t) home directories, not staff
# ones. Only relabelto is granted: the domain may give a directory
# the user home-dir label, but cannot relabel an existing one away.
files_search_home($1)
allow $1 user_home_dir_t:dir relabelto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_relabel_generic_user_home_dirs'($*)) dnl
')
########################################
##
## Create objects in staff home directories
## with automatic file type transition.
##
##
##
## Domain allowed access.
##
##
##
##
## The class of the object to be created.
## If not specified, file is used.
##
##
#
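define(`userdom_staff_home_dir_filetrans_staff_home_content',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_staff_home_dir_filetrans_staff_home_content'($*)) dnl
gen_require(`
type staff_home_dir_t, staff_home_t;
')
# Arg 1: the domain allowed access.
# Arg 2: object class (or class set) the transition applies to. The
#        header documents it as optional with a default of file; an
#        empty argument previously produced a malformed rule, so the
#        default is now applied here.
files_search_home($1)
allow $1 staff_home_dir_t:dir rw_dir_perms;
# Objects the domain creates directly inside a staff_home_dir_t
# directory receive staff_home_t instead of inheriting the parent label.
type_transition $1 staff_home_dir_t:ifelse(`$2',`',`file',`$2') staff_home_t;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_staff_home_dir_filetrans_staff_home_content'($*)) dnl
')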
########################################
##
## Allow the specified user domain to act as a security administrator (secadm).
##
##
##
## Create objects in a user home directory
## with an automatic type transition to
## a specified private type.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain allowed access.
##
##
##
##
## The role of the object to create.
##
##
##
##
## The terminal
##
##
#
define(`userdom_security_administrator',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_security_administrator'($*)) dnl
# Arguments actually used by this body:
#   1: the domain being made a security administrator.
#   2, 3: passed through unchanged to the run-style calls below; going
#      by the header they are the role and the terminal. The header
#      also lists a user prefix and talks about home-directory type
#      transitions, but nothing in this body uses a prefix or creates
#      a transition, so that part of the header does not describe
#      this interface.
# Everything here is a grant of high privilege: DAC override, policy
# load and enforcement control, relabeling of all files including
# shadow, MLS read-up/write-down and level changes, audit log access.
allow $1 self:capability { dac_read_search dac_override };
selinux_set_enforce_mode($1)
selinux_set_boolean($1)
selinux_set_parameters($1)
seutil_manage_bin_policy($1)
seutil_run_checkpolicy($1,$2,$3)
seutil_run_loadpolicy($1,$2,$3)
seutil_run_semanage($1,$2,$3)
seutil_run_setfiles($1, $2, $3)
seutil_run_restorecon($1,$2,$3)
corecmd_exec_shell($1)
consoletype_exec($1)
dmesg_exec($1)
domain_obj_id_change_exemption($1)
files_create_boot_flag($1)
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
mls_process_read_up($1)
mls_file_read_up($1)
mls_file_write_down($1)
mls_file_upgrade($1)
mls_file_downgrade($1)
auth_relabel_all_files_except_shadow($1)
auth_relabel_shadow($1)
dev_relabel_all_dev_nodes($1)
init_exec($1)
logging_send_syslog_msg($1)
logging_read_audit_log($1)
logging_read_generic_logs($1)
logging_read_audit_config($1)
userdom_dontaudit_append_staff_home_content_files($1)
userdom_dontaudit_read_sysadm_home_content_files($1)
optional_policy(`
netlabel_run_mgmt($1,$2, $3)
')
optional_policy(`
aide_run($1,$2, $3)
')
dnl
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_security_administrator'($*)) dnl
')
########################################
##
## allow relabel of home type directories.
##
##
##
## Domain allowed access.
##
##
#
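define(`userdom_relabel_user_home_content_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_relabel_user_home_content_dirs'($*)) dnl
gen_require(`
attribute home_type;
')
# Arg 1: the domain allowed access.
# The rule below targets the home_type attribute (every home content
# type), so that is what must be required; the previous require named
# user_home_dir_t, which the body never references, and left home_type
# undeclared for module builds.
files_search_home($1)
allow $1 home_type:dir { relabelfrom relabelto };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_relabel_user_home_content_dirs'($*)) dnl
')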
########################################
##
## getattr all executables
##
##
##
## Domain allowed access.
##
##
##
#
define(`userdom_getattr_all_executables',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_getattr_all_executables'($*)) dnl
gen_require(`
attribute user_exec_type;
')
# Arg 1: the domain allowed access.
# Metadata only (stat) on every user_exec_type file; no read, execute
# or directory search is granted, so callers still need a path to the
# file from elsewhere.
allow $1 user_exec_type:file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_getattr_all_executables'($*)) dnl
')
########################################
##
## dontaudit getattr all user file type
##
##
##
## Domain allowed access.
##
##
##
#
define(`userdom_dontaudit_list_user_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_list_user_files'($*)) dnl
gen_require(`
attribute $1_file_type;
')
# This interface takes two arguments, although the header lists one:
#   1: the user prefix, which selects the per-user attribute
#      <prefix>_file_type.
#   2: the domain whose denials are silenced.
# Only audit suppression for directory search and file stat on that
# attribute; nothing is allowed.
dontaudit $2 $1_file_type:dir search_dir_perms;
dontaudit $2 $1_file_type:file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_list_user_files'($*)) dnl
')
########################################
##
## Allow apps to set rlimits on userdomain
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_set_rlimitnh',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_set_rlimitnh'($*)) dnl
gen_require(`
attribute userdomain;
')
# Arg 1: the domain allowed access.
# The permission granted is rlimitinh on the process class, with every
# user domain as target (the interface name drops the i). rlimitinh is
# the check applied when resource limits carry across a domain
# transition, rather than an explicit setrlimit-style grant, so the
# header wording about setting rlimits should be read with that in mind.
allow $1 userdomain:process rlimitinh;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_set_rlimitnh'($*)) dnl
')
########################################
##
## dontaudit attempts to write to user home dir files
##
##
##
## Domain allowed access.
##
##
#
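define(`userdom_dontaudit_write_unpriv_user_home_content_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_write_unpriv_user_home_content_files'($*)) dnl
gen_require(`
attribute user_home_type;
')
# Arg 1: the domain whose denials are silenced.
# This is a dontaudit interface, as its name and header state: it only
# suppresses audit records for write attempts on user_home_type files.
# The previous body used allow here, which silently granted write
# access to all unprivileged user home content to every caller that
# only asked for quieter logs.
dontaudit $1 user_home_type:file write;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_write_unpriv_user_home_content_files'($*)) dnl
')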
########################################
##
## Read all users home directories symlinks.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_read_all_users_home_dirs_symlinks',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_read_all_users_home_dirs_symlinks'($*)) dnl
gen_require(`
attribute home_dir_type;
')
# Arg 1: the domain allowed access.
# Covers symlinks labelled with any home directory type (the
# home_dir_type attribute), for all users. Only the symlink itself can
# be read; following it to the target still needs access to the target.
files_list_home($1)
allow $1 home_dir_type:lnk_file read_lnk_file_perms;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_read_all_users_home_dirs_symlinks'($*)) dnl
')
########################################
##
## Delete all files
## in all users home directories.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_delete_all_users_home_content_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_delete_all_users_home_content_files'($*)) dnl
gen_require(`
attribute home_type;
')
# Arg 1: the domain allowed access.
# Pattern arguments are (domain, container type, file type); both are
# the home_type attribute, so files may be unlinked from any home
# content directory of any user. Unlike the directory and symlink
# variants, no listing of the home root precedes this call, so callers
# presumably need that access from elsewhere.
delete_files_pattern($1,home_type,home_type)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_delete_all_users_home_content_files'($*)) dnl
')
########################################
##
## delete all directories
## in all users home directories.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_delete_all_users_home_content_dirs',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_delete_all_users_home_content_dirs'($*)) dnl
gen_require(`
attribute home_type;
')
# Arg 1: the domain allowed access.
# Pattern arguments are (domain, container type, directory type); both
# are the home_type attribute, so directories may be removed from any
# home content directory of any user.
files_list_home($1)
delete_dirs_pattern($1, home_type, home_type)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_delete_all_users_home_content_dirs'($*)) dnl
')
########################################
##
## Delete all symlinks
## in all users home directories.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_delete_all_users_home_content_symlinks',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_delete_all_users_home_content_symlinks'($*)) dnl
gen_require(`
attribute home_type;
')
# Arg 1: the domain allowed access.
# Pattern arguments are (domain, container type, symlink type); both
# are the home_type attribute, so symlinks may be unlinked from any
# home content directory of any user.
files_list_home($1)
delete_lnk_files_pattern($1,home_type,home_type)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_delete_all_users_home_content_symlinks'($*)) dnl
')
########################################
##
## allow getattr all user file type
##
##
##
## Domain allowed access.
##
##
##
#
define(`userdom_list_user_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `userdom_list_user_files'($*)) dnl
gen_require(`
attribute user_home_type;
')
# NOTE(review): the domain is taken from argument 2; argument 1 is
# accepted but never used (presumably a leftover user-prefix
# parameter, compare the dontaudit variant above which still uses a
# prefix). The header lists a single domain parameter, so a caller
# that passes the domain first gets no rules at all. Callers must pass
# the domain as the second argument until the signature is cleaned up.
allow $2 user_home_type:dir search_dir_perms;
allow $2 user_home_type:file getattr;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `userdom_list_user_files'($*)) dnl
')
## Xen hypervisor
########################################
##
## Execute a domain transition to run xend.
##
##
##
## Domain allowed to transition.
##
##
#
define(`xen_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `xen_domtrans'($*)) dnl
gen_require(`
type xend_t, xend_exec_t;
')
# Arg 1: the domain allowed to transition.
# Automatic transition to xend_t when the caller executes a
# xend_exec_t file, plus the usual parent/child plumbing: file
# descriptors are usable in both directions, xend may use pipes it
# inherits from the caller, and may deliver SIGCHLD back to it.
domain_auto_trans($1,xend_exec_t,xend_t)
allow $1 xend_t:fd use;
allow xend_t $1:fd use;
allow xend_t $1:fifo_file rw_file_perms;
allow xend_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `xen_domtrans'($*)) dnl
')
########################################
##
## Inherit and use xen file descriptors.
##
##
##
## Domain allowed access.
##
##
#
define(`xen_use_fds',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `xen_use_fds'($*)) dnl
gen_require(`
type xend_t;
')
# Arg 1: the domain allowed access.
# This is an allow, not a dontaudit: the caller may use file
# descriptors it inherits from xend_t.
allow $1 xend_t:fd use;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `xen_use_fds'($*)) dnl
')
########################################
##
## Do not audit attempts to inherit
## xen file descriptors.
##
##
##
## Domain to not audit.
##
##
#
define(`xen_dontaudit_use_fds',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `xen_dontaudit_use_fds'($*)) dnl
gen_require(`
type xend_t;
')
# Arg 1: the domain whose denials are silenced.
# Suppresses audit records when the caller tries to use a descriptor
# inherited from xend_t; the access itself stays denied.
dontaudit $1 xend_t:fd use;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `xen_dontaudit_use_fds'($*)) dnl
')
########################################
##
## Allow the specified domain to append
## xend log files.
##
##
##
## Domain allowed access.
##
##
#
define(`xen_append_log',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `xen_append_log'($*)) dnl
gen_require(`
type var_log_t, xend_var_log_t;
')
# Arg 1: the domain allowed access.
# var_log_t is required above but never referenced in this body (the
# log search call handles the path); it is harmless but could be
# dropped from the require.
# Files get append and getattr only; write is explicitly not granted
# and its denials are silenced, so an O_APPEND logger works without
# noise while in-place modification of xend logs stays blocked.
logging_search_logs($1)
allow $1 xend_var_log_t:dir rw_dir_perms;
allow $1 xend_var_log_t:file { getattr append };
dontaudit $1 xend_var_log_t:file write;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `xen_append_log'($*)) dnl
')
########################################
##
## Do not audit attempts to read and write
## Xen unix domain stream sockets. These
## are leaked file descriptors.
##
##
##
## Domain to not audit.
##
##
#
define(`xen_dontaudit_rw_unix_stream_sockets',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `xen_dontaudit_rw_unix_stream_sockets'($*)) dnl
gen_require(`
type xend_t;
')
# Arg 1: the domain whose denials are silenced.
# The header describes these sockets as descriptors leaked from xend;
# read/write attempts on them are kept out of the audit log, not
# permitted.
dontaudit $1 xend_t:unix_stream_socket { read write };
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `xen_dontaudit_rw_unix_stream_sockets'($*)) dnl
')
########################################
##
## Connect to xenstored over a unix stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`xen_stream_connect_xenstore',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `xen_stream_connect_xenstore'($*)) dnl
gen_require(`
type xenstored_t, xenstored_var_run_t;
')
# Arg 1: the domain allowed access.
# Three steps of a stream connect: reach the pid directory, write to
# the socket file node, then connectto the listening xenstored_t
# socket. Only the connection is granted; the protocol spoken over it
# is not constrained by these rules.
files_search_pids($1)
allow $1 xenstored_var_run_t:dir search;
allow $1 xenstored_var_run_t:sock_file { getattr write };
allow $1 xenstored_t:unix_stream_socket connectto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `xen_stream_connect_xenstore'($*)) dnl
')
########################################
##
## Connect to xend over a unix domain stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`xen_stream_connect',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `xen_stream_connect'($*)) dnl
gen_require(`
type xend_t, xend_var_run_t;
')
# Arg 1: the domain allowed access.
# Same shape as the xenstore variant, against xend: pid directory
# search, write on the socket node, connectto the xend_t socket.
files_search_pids($1)
allow $1 xend_var_run_t:dir search;
allow $1 xend_var_run_t:sock_file { getattr write };
allow $1 xend_t:unix_stream_socket connectto;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `xen_stream_connect'($*)) dnl
')
########################################
##
## Execute a domain transition to run xm.
##
##
##
## Domain allowed to transition.
##
##
#
define(`xen_domtrans_xm',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `xen_domtrans_xm'($*)) dnl
gen_require(`
type xm_t, xm_exec_t;
')
# Arg 1: the domain allowed to transition.
# Automatic transition to xm_t on execution of xm_exec_t. Unlike the
# xend and mock transition interfaces in this file, the caller is not
# given fd use on xm_t here; whether that omission is intentional is
# not visible from this body.
domain_auto_trans($1,xm_exec_t,xm_t)
allow xm_t $1:fd use;
allow xm_t $1:fifo_file rw_file_perms;
allow xm_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `xen_domtrans_xm'($*)) dnl
')
########################################
##
## Allow the specified domain to manage
## xend log files.
##
##
##
## Domain allowed access.
##
##
#
define(`xen_manage_log',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `xen_manage_log'($*)) dnl
gen_require(`
type var_log_t, xend_var_log_t;
')
# Arg 1: the domain allowed access.
# As in the append variant, var_log_t is required but unused here.
# The directory and file grants use the create_*_perms sets; the
# trailing dontaudit on write is copied from the append variant and is
# only meaningful if create_file_perms does not already cover write,
# which cannot be determined from this file.
logging_search_logs($1)
allow $1 xend_var_log_t:dir create_dir_perms;
allow $1 xend_var_log_t:file create_file_perms;
dontaudit $1 xend_var_log_t:file write;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `xen_manage_log'($*)) dnl
')
########################################
##
## Allow the specified domain to read
## xend image files.
##
##
##
## Domain allowed access.
##
##
#
define(`xen_read_image_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `xen_read_image_files'($*)) dnl
gen_require(`
type xen_image_t, xend_var_lib_t;
')
# Arg 1: the domain allowed access.
# Path access down to the xend state directory, then read-only access
# to xen_image_t files through the read pattern (domain, container,
# file type), with the image type used as its own container.
files_list_var_lib($1)
allow $1 xend_var_lib_t:dir search_dir_perms;
read_files_pattern($1,xen_image_t,xen_image_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `xen_read_image_files'($*)) dnl
')
########################################
##
## Allow the specified domain to read/write
## xend image files.
##
##
##
## Domain allowed access.
##
##
#
define(`xen_rw_image_files',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `xen_rw_image_files'($*)) dnl
gen_require(`
type xen_image_t, xend_var_lib_t;
')
# Arg 1: the domain allowed access.
# Read/write counterpart of the read-only interface above: the same
# path access, then the rw pattern on xen_image_t. Writing guest images
# is a strong grant (guest disk contents can be altered), so this
# should be reserved for the management components that need it.
files_list_var_lib($1)
allow $1 xend_var_lib_t:dir search_dir_perms;
rw_files_pattern($1,xen_image_t,xen_image_t)
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `xen_rw_image_files'($*)) dnl
')
## Build packages in a chroot environment.
########################################
##
## Execute the mock program in the mock domain.
##
##
##
## Domain allowed access.
##
##
#
define(`mock_domtrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `mock_domtrans'($*)) dnl
gen_require(`
type mock_t, mock_exec_t;
')
# Arg 1: the domain allowed to transition.
# Search of the bin directories precedes the transition so the caller
# can reach the mock executable; then the automatic transition to
# mock_t and the parent/child plumbing (fd use both ways, inherited
# pipes, SIGCHLD back to the caller).
corecmd_search_bin($1)
domain_auto_trans($1, mock_exec_t, mock_t)
allow $1 mock_t:fd use;
allow mock_t $1:fd use;
allow mock_t $1:fifo_file rw_file_perms;
allow mock_t $1:process sigchld;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `mock_domtrans'($*)) dnl
')
########################################
##
## Create objects in the /var/lib/mock directory
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the object to be created
##
##
##
##
## The object class.
##
##
#
define(`files_var_lib_mock_filetrans',` dnl
define(`policy_temp',incr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,begin `files_var_lib_mock_filetrans'($*)) dnl
gen_require(`
type var_t, var_lib_t, mock_var_lib_t;
')
# Arguments:
#   1: the domain allowed access.
#   2: the type new objects receive.
#   3: the object class(es) the transition applies to.
# Note the argument order on the type_transition line (class is arg 3,
# type is arg 2), matching the header. The files_ prefix on the name
# is unusual for an interface that lives with the mock module and
# reaches /var and /var/lib via direct allows rather than the files
# module search interfaces; behaviour is the same, it is a style point.
allow $1 var_t:dir search_dir_perms;
allow $1 var_lib_t:dir search_dir_perms;
allow $1 mock_var_lib_t:dir rw_dir_perms;
type_transition $1 mock_var_lib_t:$3 $2;
define(`policy_temp',decr(policy_call_depth)) dnl
pushdef(`policy_call_depth',policy_temp) dnl
undefine(`policy_temp') dnl
policy_m4_comment(policy_call_depth,end `files_var_lib_mock_filetrans'($*)) dnl
')